Free AWS WAF Captcha Solver 🔥

Description

This Actor is a free, lightweight and efficient AWS WAF Captcha solver. It’s designed to bypass AWS WAF captcha protection almost instantly 😈

Unlike traditional anti-bot solutions that rely on heavy browser automation tools or overly engineered setups, this actor offers a highly efficient way to unblock requests and solve captchas without the extra overhead.

Features

• Lightweight & Fast: No headless browser required; runs directly in Node.js. Lightning fast and runs on as little as 128MB of memory.
• Browser Fingerprinting: Simulates a browser environment (DOM, Navigator, WebGL) to pass challenge checks.
• Automatic Token Handling: Automatically extracts the aws-waf-token upon successful solution.
• Optional Request Execution: Can either return just the token or proceed to fetch the protected content using the generated token.
• Concurrency Support: parallel processing of multiple URLs for increased throughput.

Pricing

The actor is free (the developer does not make any money from it). With the $5 monthly credits, you can scrape tens, if not hundreds of thousands of records at no cost. (Why is it free? Because it’s my way of giving back to the community 🤝) To prevent abuse, free users are limited to 5 URLs per run & 5 runs per hour.

Input Configuration

The actor accepts the following input parameters:

Field	Type	Default	Description
targetPagesOrApiEndpoints	Array	[...]	A list of target URLs or API endpoints that are protected by AWS WAF.
executeAndGetResponse	Boolean	false	If true, the actor will use the generated token to request the target URL and return the response body. If false, it returns only the solution token. Default HTTP method is GET unless specified otherwise in requestConfig.
requestConfig	Object	{}	Optional configuration for the final request. Supports method (e.g., "POST"), headers (Object), and payload (String/Object).

Example Input

{
    "targetPagesOrApiEndpoints": [
        "https://www.binance.com/en/price/bitcoin"
    ],
    "executeAndGetResponse": true
}

POST Request Example

{
    "targetPagesOrApiEndpoints": ["https://example.com/api/login"],
    "executeAndGetResponse": true,
    "requestConfig": {
        "method": "POST",
        "headers": {
            "Content-Type": "application/json",
            "Authorization": "Bearer 123"
        },
        "payload": "{\"username\": \"foo\", \"password\": \"bar\"}"
    }
}

Output

The actor pushes results to the default dataset. Each item represents a processed URL.

Output Structure

The following is an extensive list of potential output fields. Note that not all fields will be present in every result; their availability depends on the specific input URL, whether a WAF challenge was detected/solved, and other runtime actions.

Field	Type	Description
initialUrl	String	The URL that was processed.
solved	Boolean	Indicates if the WAF challenge was successfully solved (or if no challenge was present).
aws-waf-token	String	The generated WAF token (only if a challenge was intercepted and solved).
body	String	The content of the target page (only if executeAndGetResponse is true).
responseStatus	Number	The HTTP status code of the final request (only if executeAndGetResponse is true).
responseHeaders	Object	The HTTP headers of the final request (only if executeAndGetResponse is true).
error	String	Error message if the process failed.

📝 Note

If the target page returns a 200 OK immediately (no WAF challenge triggered), the aws-waf-token field might not be present in the output, as token generation is usually not necessary. However, the actor attempts to extract it from Set-Cookie headers if available.

Using the Solution

You can use this actor in two ways:

1. Automatic Content Retrieval: Set executeAndGetResponse: true to have the actor automatically fetch the protected page after solving the challenge. The HTML/JSON content will be available in the body output field.
2. Manual Token Usage: Use the generated aws-waf-token yourself to bypass the WAF on subsequent requests. Simply include it as a cookie in your headers:

Cookie: aws-waf-token=<YOUR_TOKEN_HERE>

Status Code Handling

The actor intelligently handles different responses from the target URL:

• 200 OK: The actor intelligently distinguishes between a true success and a WAF challenge hidden behind a 200 OK status. It scans the response body for the specific WAF challenge script. If detected, the solver is triggered. If not, it considers the request successful, extracts the token from headers (if present), and returns the body.
• Other Status Codes (e.g., 405, 403, 401, 202..): If the target returns a status code indicating a block or challenge and contains the WAF challenge script, the actor initiates the solver process to generate a valid token.

Disclaimer

Ensure you comply with the terms of service of any website you interact with.

Support

If you have any questions, customization requests, or would like to directly plug this tool to your system for zero latency, I’d be more than happy to hear from you. Feel free to reach out anytime.

• Email: labs@azzouzana.com
• Discord: @azzouzana