Some notes/resources for bypassing anti-bot/scraping features on Cloudflare, Akamai, etc.
- https://www.zenrows.com/blog/bypass-cloudflare
- https://www.zenrows.com/blog/bypass-cloudflare#waiting-room-reverse-engineer
- Lots of neat content in this section about the high level aspects of how the Cloudflare JavaScript check works, some of it's obfuscation techniques, and the general flow of things.
- https://www.zenrows.com/blog/bypass-cloudflare#waiting-room-reverse-engineer
- https://www.zenrows.com/blog/bypass-akamai
- https://www.zenrows.com/blog/bypass-akamai#akamais-javascript-challenge-explained
- Less detail than the Cloudflare post had, but still some useful detail
- https://www.zenrows.com/blog/bypass-akamai#akamais-javascript-challenge-explained
- https://glizzykingdreko.com/akamai-v3-sensor-data-deep-dive-into-encryption-decryption-and-bypass-tools-da0adad2a784
-
Akamai v3 Sensor Data: Deep Dive into Encryption, Decryption, and Bypass Tools (Apr 7, 2025)
-
Understanding and bypassing Akamai’s bot protection can feel a real pain due to its complexity. This deep dive provides a clear understanding of v3’s encryption and decryption processes, practical tools to get you started, as well as some tips.
- https://github.com/glizzykingdreko/akamai-v3-sensor-data-helper
-
Akamai v3 Sensor Data Decryptor
-
A Node.js module for decrypting and encrypting Akamai v3 sensor data. This module helps you work with the sensor_data parameter used in Akamai's bot detection system.
- https://github.com/glizzykingdreko/akamai-v3-sensor-data-helper/tree/main/src/extract_hash
- https://github.com/glizzykingdreko/akamai-v3-tools
-
Akamai V3 Tools
-
A simple web app for decrypting and encrypting Akamai v3 sensor data.
-
A collection of tools for working with Akamai V3 cookies and sensor data.
- https://akamai-v3-tools.vercel.app/
-
Akamai v3 Tools
-
Online tools for working with Akamai v3 sensor data
-
encryption, decryption, and hash extraction
-
-
-
- https://github.com/glizzykingdreko/akamai-sensordata-decryptor
-
akamai-sensordata-decrypt
-
A CLI tool for decrypting Akamai v2 sensor data, facilitating the recreation of the original data from an encrypted sensor_data string.
-
akamai-sensordata-decryptis a CLI tool designed for decrypting Akamai v2 sensor data, facilitating the recreation of the original data from the encryptedsensor_datastring. This tool is particularly useful for developers and researchers working with Akamai's sensor data, providing a straightforward method to decrypt and analyze this data. - https://github.com/glizzykingdreko/akamai-sensordata-decryptor#understanding-the-encryption-and-decryption-process
-
Understanding the Encryption and Decryption Process
-
-
-
- https://github.com/drakoarmy/akamai-vm-reverse
-
akamai-vm-reverse
-
Decompiled and cleaned Akamai v3 VM powering the latest sensor_data challenge script
-
- https://github.com/obfio/akamai-drm-deobf
-
akamai-drm-deobf
-
Deobfuscation of akamai DRM, they use JSScrambler. This deobf doesn't use any VM or exec, just for fun. The code isn't great, it does work though and tested on 3 versions of akamai DRM.
-
- https://github.com/DalphanDev/akamai-sensor
-
akamai-sensor
-
Simple script to help reverse engineer akamai's sensordata payload.
-
Akamai is an American company that offers cloud services for delivering, optimizing, and securing online content and business applications over the internet. Specifically in our context, Akamai sells antibot solutions to companies to ward off bots and web scrapers.
-
One of Akamai's solutions involves generating something called a "sensor" on the user's web browser through the use of behind-the-scenes obfuscated javascript files. These files which I will now refer to as "scripts" fingerprint the browser through use of different data such as WebDrivers, Graphics Cards, Time, and random math calls. The idea, is that a sensor can either look realistic, or like a bot. And bot's should have a hard time accurately replicating these sensors since the files are obfuscated and only run on a user's browser.
-
This repo demonstrates how one can deobfuscate a script and reverse-engineer it to work the way you want to. For our purposes, the repo generates realistic sensors that Akamai can not differentiate between fake and real. This is done by using Chrome DevTools and meticulously stepping through the script as it runs on the browser, documenting the steps it takes, and rebuilding each step and it's corresponding functions.
-
- https://github.com/voidstar0/akamai-deobfuscator
-
akamai-deobfuscator
-
A tool to help you deobfuscate Akamai scripts.
-
A tool to help you to recover function and property names to better reverse-engineer Akamai scripts.
-
- https://dev.to/xve-e
- https://dev.to/xve-e/analyzing-akamai-bmp-413-part-1-for-noobs-learn-4pmm
-
Analyzing Akamai BMP 4.1.3 - Part 1 - For Noobs Learn
- https://xve-e.github.io/2026/03/23/analyzing-akamai-bmp-part-1.html
-
- https://dev.to/xve-e/analyzing-akamai-bmp-413-part-2-31k3
-
Analyzing Akamai BMP 4.1.3 - Part 2
- https://xve-e.github.io/2026/03/23/analyzing-akamai-bmp-part-2.html
-
- https://xve-e.github.io/2026/03/23/analyzing-akamai-bmp-part-3.html
-
Analyzing Akamai BMP 4.1.3 - Part 3
-
- https://dev.to/xve-e/analyzing-akamai-bmp-413-part-1-for-noobs-learn-4pmm
- https://github.com/xVE-e/akamaibmpstrings
-
akamaibmpstrings
-
A Akamai BMP 4.1.3 thing
-
- https://yoghurtbot.github.io/
-
yog's blog
-
Mastering the art of reverse engineering
- https://yoghurtbot.github.io/2023/03/04/Finding-Akamai-BMP-RSA-Key/
-
Android Reversing - Finding the RSA Key of Akamai BMP (2023-03-04)
-
This article I am going to show you how you can use various tools to reverse engineer Android applications. The goal of this article will be to reverse engineer an Android application that uses Akamai’s Bot Manager Premier (BMP), aka the mobile protection SDK. You can recognise this from the
x-acf-sensor-dataheader that is sent with requests. - https://github.com/yoghurtbot/akamai-bmp-decrypt
-
Akamai BMP Decrypt
-
A snippet showing how to decrypt sensor strings that are generated by Akamai Mobile SDK (BMP)
-
-
-
- https://github.com/glizzykingdreko/Akamai-BMP-SDK-Source-Code
-
Akamai BMP SDK Version 3.3.0
-
Extracted from Aldi UK apk
-
- https://www.mimic.sbs/antibot/Improving-Antibot-Biometric-Protections-Through-Threat-Intelligence-And-Reverse-Engineering/
-
Improving Antibot Biometric Protections Through Threat Intelligence and Reverse Engineering: A Harsh Lesson From Akamai
- https://github.com/MIMIC-LOGICS/Akamai-Mouse-Protection
-
Akamai-Mouse-Protection
-
This is a POC of a Biometric Antibot Solution to stop mouse data generated by bots. This POC only works for the mouse movement generator shared in
src/old_mact.py, and should not used for any other scope. The training data has not been shared, but only the polished model.
-
-
- https://github.com/MIMIC-LOGICS/Mouse-Synthesizer
-
Mouse-Synthesizer
-
The most advanced mouse movement synthesizer based on the human hand biometric theory
-
MIMIC aims to synthesize human-like mouse movements, in their minute detail. Negligible was not a word we ever considered throughout our journey, we aspire to achieve perfection and consistency at any generation.
-
- https://github.com/FlareSolverr/FlareSolverr
-
Proxy server to bypass Cloudflare protection
-
FlareSolverr starts a proxy server, and it waits for user requests in an idle state using few resources. When some request arrives, it uses Selenium with the undetected-chromedriver to create a web browser (Chrome). It opens the URL with user parameters and waits until the Cloudflare challenge is solved (or timeout). The HTML code and the cookies are sent back to the user, and those cookies can be used to bypass Cloudflare using other HTTP clients.
-
- https://github.com/ultrafunkamsterdam/undetected-chromedriver
-
Optimized Selenium Chromedriver patch which does not trigger anti-bot services like Distill Network / Imperva / DataDome / Botprotect.io Automatically downloads the driver binary and patches it.
-
- https://github.com/berstend/puppeteer-extra/tree/master/packages/puppeteer-extra-plugin-stealth
-
A plugin for puppeteer-extra and playwright-extra to prevent detection.
-
puppeteer-extra with stealth passes all public bot tests.
Please note: I consider this a friendly competition in a rather interesting cat and mouse game. If the other team (👋) wants to detect headless chromium there are still ways to do that (at least I noticed a few, which I'll tackle in future updates).
It's probably impossible to prevent all ways to detect headless chromium, but it should be possible to make it so difficult that it becomes cost-prohibitive or triggers too many false-positives to be feasible.
If something new comes up or you experience a problem, please do your homework and create a PR in a respectful way (this is Github, not reddit) or I might not be motivated to help. :)
- https://github.com/berstend/puppeteer-extra/tree/master/packages/puppeteer-extra-plugin-stealth/evasions
-
- https://gist.github.com/0xdevalias
- https://github.com/0xdevalias/chatgpt-source-watch : Analyzing the evolution of ChatGPT's codebase through time with curated archives and scripts.
- Deobfuscating / Unminifying Obfuscated Web App Code (0xdevalias' gist)
- Reverse Engineering Webpack Apps (0xdevalias' gist)
- React Server Components, Next.js v13+, and Webpack: Notes on Streaming Wire Format (
__next_f, etc) (0xdevalias' gist)) - Fingerprinting Minified JavaScript Libraries / AST Fingerprinting / Source Code Similarity / Etc (0xdevalias' gist)
- Debugging Theatre Ticket Website / Web App Frontends (0xdevalias' gist)
- Debugging Electron Apps (and related memory issues) (0xdevalias' gist)
- devalias' Beeper CSS Hacks (0xdevalias' gist)
- Reverse Engineering Golang (0xdevalias' gist)
- Reverse Engineering on macOS (0xdevalias' gist)