[Bug] puppeteer-extra-stealth plugin fails to bypass Cloudflare bot detection on accounts.x.ai
When using puppeteer-extra with the stealth plugin to access Grok.com, the script is consistently detected as automated access and redirected to a Cloudflare challenge page at accounts.x.ai since 30 March 2025.
Despite implementing multiple stealth measures (custom user agents, hardware fingerprinting evasion, and randomized human-like behavior), the bot detection mechanisms still successfully identify the script as automated.
The issue appears to be with the stealth plugin's inability to convincingly mimic a real human browser session against Cloudflare's latest detection methods. After successfully navigating to grok.com and then to grok.com/chat, any interaction that requires authentication triggers redirection to accounts.x.ai with a CAPTCHA challenge.
Expected behavior: Script should appear as a normal browser session and not trigger Cloudflare bot detection. Actual behavior: Script is consistently identified as automated and redirected to Cloudflare CAPTCHA page.
Send minimum code to reproduce
See workfile: https://github.com/jjyuhub/Grok3Proxy/actions/runs/14232391712/workflow
Send a simple .js file to run
@rdelcampog grokcloudflare.js.zip:
```js
const puppeteer = require('puppeteer-extra');
const StealthPlugin = require('puppeteer-extra-plugin-stealth');
puppeteer.use(StealthPlugin());

(async () => {
  const browser = await puppeteer.launch({
    headless: false,
    args: [
      '--no-sandbox',
      '--disable-setuid-sandbox',
      '--window-size=1280,800',
      '--user-agent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36'
    ]
  });
  const page = await browser.newPage();
  try {
    console.log('Navigating to https://grok.com/chat ...');
    await page.goto('https://grok.com/chat', {
      waitUntil: 'domcontentloaded',
      timeout: 60000
    });
    const inputSelector = 'textarea';
    const message = 'What is the latest news in AI?';
    await page.waitForSelector(inputSelector, { timeout: 10000 });
    await page.type(inputSelector, message, { delay: 50 });
    console.log('Message typed into input field.');
    await page.keyboard.press('Enter');
    console.log('Enter key pressed to submit the message.');
    // Wait for any post-submission effects (e.g. Cloudflare challenge)
    await new Promise(resolve => setTimeout(resolve, 8000));
    const cloudflareDetected = await page.evaluate(() => {
      const text = document.body.innerText.toLowerCase();
      return text.includes('cloudflare') ||
        text.includes('just a moment') ||
        text.includes('verifying you are human') ||
        text.includes('checking your browser');
    });
    const title = await page.title();
    const url = page.url();
    console.log('Page title:', title);
    console.log('Page URL:', url);
    console.log('Cloudflare challenge detected:', cloudflareDetected);
    const screenshotPath = cloudflareDetected
      ? 'cloudflare_after_submit.png'
      : 'no_cloudflare_after_submit.png';
    await page.screenshot({ path: screenshotPath, fullPage: true });
    console.log('Screenshot saved to:', screenshotPath);
    const excerpt = await page.evaluate(() =>
      document.body.innerText.slice(0, 300)
    );
    console.log('Visible page content excerpt:\n', excerpt);
  } catch (error) {
    console.error('Error occurred:', error.message);
  } finally {
    await browser.close();
  }
})();
```
try this one.
```js
let stealth = StealthPlugin()
stealth.enabledEvasions.delete('iframe.contentWindow')
stealth.enabledEvasions.delete('media.codecs')
stealth.enabledEvasions.delete('user-agent-override')
puppeteer.use(stealth)

const browser = await puppeteer.launch({
  headless: false,
  args: [
    '--no-sandbox',
    '--disable-setuid-sandbox',
    '--window-size=1280,800',
    // '--user-agent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36'
  ],
  targetFilter: (target) => {
    if (target.type() === 'browser' || target.type() === 'tab')
      return true
    return !!target.url()
  }
})
```
Working with home network WiFi, not working on VPN, not working on Github Actions runner.
They probably detect your IP. If you manually click on checkbox, will it pass?
No, it will still fail the Cloudflare turnstile upon registration.
If you click on the checkbox and on the next load you get the same captcha again, then they detect. This is probably because you run from Linux with Windows fingerprints, like the user agent. Try to omit the user agent and use the default from Linux, but make sure it is not Chromium, but regular Chrome.
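The operating-system mismatch that the comment above points to (a Windows user agent sent from a Linux host) is something a site operator can check server-side. The following is an added example, not code from this thread or from Cloudflare: it compares the OS named in `User-Agent` with the `Sec-CH-UA-Platform` client hint. The function names, finding labels and sample headers are constructed for illustration.

```javascript
// Added example: header consistency check for a site operator's request filter.
// Map the OS token inside a User-Agent string to the matching client-hint value.
function platformFromUserAgent(ua) {
  if (/iPhone|iPad/.test(ua)) return 'iOS';            // must precede Mac OS X
  if (/Android/.test(ua)) return 'Android';            // must precede Linux
  if (/Windows NT/.test(ua)) return 'Windows';
  if (/Macintosh|Mac OS X/.test(ua)) return 'macOS';
  if (/CrOS/.test(ua)) return 'Chrome OS';
  if (/Linux|X11/.test(ua)) return 'Linux';
  return null;
}

// Sec-CH-UA-Platform arrives as a quoted structured-header string, e.g. "Linux".
function platformFromClientHint(value) {
  if (typeof value !== 'string') return null;
  const m = value.trim().match(/^"([^"]*)"$/);
  return m ? m[1] : value.trim() || null;
}

// Returns a list of findings; an empty list means no inconsistency was seen.
function inspectHeaders(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const ua = h['user-agent'] || '';
  const findings = [];
  if (/HeadlessChrome/.test(ua)) findings.push('headless-token-in-user-agent');
  const uaOs = platformFromUserAgent(ua);
  const hintOs = platformFromClientHint(h['sec-ch-ua-platform']);
  if (uaOs && hintOs && uaOs !== hintOs) {
    findings.push(`platform-mismatch:ua=${uaOs},hint=${hintOs}`);
  }
  // Weak signal, assuming an HTTPS request: current Chromium builds send the hint by default.
  const chrome = ua.match(/Chrome\/(\d+)/);
  if (chrome && Number(chrome[1]) >= 100 && !hintOs) {
    findings.push('chrome-ua-without-platform-hint');
  }
  return findings;
}

// Constructed sample requests (not captured traffic).
const CHROME_TAIL = 'AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36';
const samples = {
  consistent: { 'User-Agent': `Mozilla/5.0 (X11; Linux x86_64) ${CHROME_TAIL}`, 'Sec-CH-UA-Platform': '"Linux"' },
  mismatch: { 'User-Agent': `Mozilla/5.0 (Windows NT 10.0; Win64; x64) ${CHROME_TAIL}`, 'Sec-CH-UA-Platform': '"Linux"' },
};
for (const [name, hdrs] of Object.entries(samples)) console.log(name, inspectHeaders(hdrs));
```

Findings like these are signals to weigh with others (IP reputation, challenge outcome), not a verdict on their own.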
I tested with another Chrome, all works well.
@vladtreny Hi, I have a kind of similar problem: when I solve it manually in Chromium it passes to the password tab; if I let 2cap solve it, it says someone is trying to log into your account... If you have any idea I will appreciate it, thanks.
Probably you need to pass your proxy and user agent to 2captcha.
@vladtreny Can you explain your stealth config? How does it bypass Cloudflare bot or Cloudflare Turnstile?
It doesn't, grok.com just decided to turn off the Cloudflare captcha again somewhere around Wed, 09 Apr 2025 21:17:09 GMT for the first 3 questions.