{"id":454978,"date":"2025-04-07T09:00:12","date_gmt":"2025-04-07T09:00:12","guid":{"rendered":"http:\/\/savepearlharbor.com\/?p=454978"},"modified":"-0001-11-30T00:00:00","modified_gmt":"-0001-11-29T21:00:00","slug":"","status":"publish","type":"post","link":"https:\/\/savepearlharbor.com\/?p=454978","title":{"rendered":"<span>ReCAPTCHA Enterprise Bypass: Full Review, Recognition (Bypassing) and what Captcha Solvers can Bypass it<\/span>"},"content":{"rendered":"<div><!--[--><!--]--><\/div>\n<div id=\"post-content-body\">\n<div>\n<div class=\"article-formatted-body article-formatted-body article-formatted-body_version-2\">\n<div xmlns=\"http:\/\/www.w3.org\/1999\/xhtml\">\n<p>Modern services (websites) ubiquitously deploy CAPTCHAs for protection, complicating life for developers, SEO specialists, and automation engineers (although the original aim was not to frustrate automators but rather to minimize excessive load on resources from such actors). Among the multitude of CAPTCHAs, Google reCAPTCHA Enterprise stands out as one of the most advanced bot protection systems in this line-up. It is capable of analyzing user behavior and blocking suspicious activity, thereby significantly hindering the recognition of reCAPTCHA Enterprise and its automated bypass. Let\u2019s break down what reCAPTCHA Enterprise is, how it differs from versions v2\/v3, and why it is so difficult to bypass (or is it?).<\/p>\n<figure class=\"\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/habrastorage.org\/r\/w780q1\/getpro\/habr\/upload_files\/d55\/c5b\/470\/d55c5b470abfe12b8adf123e5bd65af2.jpg\" alt=\"Select all images where there is a developer\" title=\"Select all images where there is a developer\" width=\"224\" height=\"225\" data-src=\"https:\/\/habrastorage.org\/getpro\/habr\/upload_files\/d55\/c5b\/470\/d55c5b470abfe12b8adf123e5bd65af2.jpg\" data-blurred=\"true\"\/><\/p>\n<div><figcaption>Select all images where there is a developer<\/figcaption><\/div>\n<\/figure>\n<h3>What is reCAPTCHA Enterprise and How Does It Differ from v2\/v3<\/h3>\n<p><strong><br \/><\/strong>reCAPTCHA Enterprise is an enhanced version of Google\u2019s CAPTCHA, designed for large-scale projects and corporate clients with elevated security requirements. Essentially, Enterprise encompasses the functionality of both reCAPTCHA v2 and v3 but offers additional features, fine-tuning capabilities, and more powerful bot detection algorithms. For clarity, here are the main versions of reCAPTCHA and their differences:<\/p>\n<ul>\n<li>\n<p><strong>reCAPTCHA v2<\/strong>:<br \/>The classic version where the user must confirm that they are not a robot \u2013 by checking a box (\u201cI\u2019m not a robot\u201d), solving a visual puzzle (selecting images with specific objects), or passing an audio test. reCAPTCHA v2 can operate in two modes: explicit (a visible checkbox or immediately displayed images) and invisible (Invisible reCAPTCHA v2, where the CAPTCHA appears only when suspicion arises after form submission). This version directly involves the user and yields a binary outcome based on the result: CAPTCHA solved (valid token) or not.<\/p>\n<\/li>\n<li>\n<p><strong>reCAPTCHA v3<\/strong>:<br \/>An invisible version without interactive tasks for the user. The reCAPTCHA v3 script continuously runs in the background on the page, monitoring user actions (mouse movements, scrolling, time spent on the page, and other behavioral signals). Consequently, upon certain actions (e.g., form submission, login), a token is generated with a score ranging from 0.0 to 1.0 \u2013 representing the likelihood that the user is human rather than a bot. The user does nothing; what happens next depends on the developer\u2019s configuration (for example, if the score is low \u2013 an additional check might be displayed, a v2 CAPTCHA might be shown, or the action may be blocked). reCAPTCHA v3 minimizes user involvement in the recognition process for genuine users but requires proper interpretation of the score on the website\u2019s side.<\/p>\n<\/li>\n<li>\n<p><strong>reCAPTCHA Enterprise<\/strong>:<br \/>The Enterprise version can operate either in v2 mode (displaying visual challenges when necessary) or in v3 mode (behavioral scoring). For the end user, it appears similar: there is Enterprise v2 (with the \u201cI\u2019m not a robot\u201d checkbox and challenges) and Enterprise v3 (invisible). The main difference lies in the backend and the capabilities available to the website owner (or service provider). reCAPTCHA Enterprise is deployed through Google Cloud and is intended for paid business use. It offers deeper risk analysis, 11 levels of score gradation (compared to 4 levels in the free version), reason codes, integration with other security measures (e.g., WAF \u2013 web application firewall, network-level bot attack protection), reports and statistics in the Google Cloud Console, as well as support for additional signals. For example, on mobile devices, reCAPTCHA Enterprise may automatically use data from the Play Integrity API (a device integrity check) to enhance the verification reliability. Website owners can configure score thresholds, view detailed logs of challenges, and receive support from Google. Moreover, the Enterprise version comes with a guaranteed SLA (99.9% uptime) and reduced false positives due to more sophisticated algorithms and machine learning.<\/p>\n<\/li>\n<\/ul>\n<p>Another important aspect is the cost. The standard reCAPTCHA v2\/v3 used to be free for a vast number of requests (formerly up to 1 million per month), although recently Google introduced a limit of 100k free assessments per month, after which it costs $8 per 100k (for the standard reCAPTCHA). In contrast, reCAPTCHA Enterprise has recently become paid after the first 10k requests per month, at a rate of approximately $1 per 1,000 checks (with possible variations at higher volumes). Thus, websites pay for enhanced protection, while Google provides a more powerful service. For the end user, the difference is not visually obvious, but for those attempting to automate bypass, Enterprise presents a much more formidable barrier.<\/p>\n<h3>Comparison of reCAPTCHA Versions: v2, v3, and reCAPTCHA Enterprise\u00a0<\/h3>\n<p>For clarity, here is a table outlining the main characteristics of the different reCAPTCHA versions:<\/p>\n<div>\n<div class=\"table\">\n<table>\n<tbody>\n<tr>\n<td>\n<p align=\"left\"><strong>Characteristic<\/strong><\/p>\n<\/td>\n<td>\n<p align=\"left\"><strong>reCAPTCHA v2 (Checkbox\/Invisible)<\/strong><\/p>\n<\/td>\n<td>\n<p align=\"left\"><strong>reCAPTCHA v3 (Score)<\/strong><\/p>\n<\/td>\n<td>\n<p align=\"left\"><strong>reCAPTCHA Enterprise<\/strong><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p align=\"left\"><strong>Verification Method<\/strong><\/p>\n<\/td>\n<td>\n<p align=\"left\">Explicit verification: \u201cI\u2019m not a robot\u201d checkbox and\/or image or audio challenge. Requires user action.<\/p>\n<\/td>\n<td>\n<p align=\"left\">Implicit verification: behavioral analysis yielding a numerical score (0.0\u20131.0). User does nothing.<\/p>\n<\/td>\n<td>\n<p align=\"left\">Can operate as either v2 (checkbox + challenges) or v3 (invisible analysis). Uses advanced analysis algorithms.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p align=\"left\"><strong>User Interaction<\/strong><\/p>\n<\/td>\n<td>\n<p align=\"left\">Moderate\/High \u2013 if suspicion arises, the user must solve challenges (selecting images, etc.).<\/p>\n<\/td>\n<td>\n<p align=\"left\">None \u2013 the user typically never sees the CAPTCHA, as it runs entirely in the background.<\/p>\n<\/td>\n<td>\n<p align=\"left\">At the website\u2019s discretion: minimal (in v3 mode) or similar to v2 (if challenges are required). The threshold and challenge intensity can be configured.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p align=\"left\"><strong>Algorithms and Signals<\/strong><\/p>\n<\/td>\n<td>\n<p align=\"left\">Basic behavioral analysis on click (mouse movement, reaction time), browser characteristics. When strongly suspicious \u2013 image challenges are shown to verify humanity.<\/p>\n<\/td>\n<td>\n<p align=\"left\">Advanced behavioral analysis of the entire user session. May use page history, possibly cookies, etc.<\/p>\n<\/td>\n<td>\n<p align=\"left\">The most comprehensive analysis: behavior, device, browser fingerprints, historical \u201creputation\u201d data (from Google\u2019s database), additional signals (e.g., Integrity API on Android). Machine learning-based algorithms, 11-level risk gradation, and risk reasons.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p align=\"left\"><strong>Verification Outcome<\/strong><\/p>\n<\/td>\n<td>\n<p align=\"left\">A token (string) confirming that the user has passed the check. The website sends it to Google for verification and receives success\/failure.<\/p>\n<\/td>\n<td>\n<p align=\"left\">A token with an encoded score (0.0\u20131.0). The website sends it for verification and receives a score along with a list of flags (reasons).<\/p>\n<\/td>\n<td>\n<p align=\"left\">A token similar to v2\/v3. Upon API verification, Google returns a score (for Enterprise v3) or simply success. Additionally, reason codes and extended metrics are provided in the console.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p align=\"left\"><strong>Customization Options<\/strong><\/p>\n<\/td>\n<td>\n<p align=\"left\">Minimal \u2013 only the widget type (checkbox or invisible), language, and theme can be chosen. The challenge logic cannot be influenced.<\/p>\n<\/td>\n<td>\n<p align=\"left\">Only the score threshold (0.0\u20131.0) for making a decision on the site is configurable. The rest is handled by Google.<\/p>\n<\/td>\n<td>\n<p align=\"left\">Extensive customization \u2013 threshold settings, integration with other services, choice of mode (v2 or v3), enabling MFA (additional SMS\/Email verification for Enterprise Standard), and mobile application integration via SDK.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p align=\"left\"><strong>Purpose<\/strong><\/p>\n<\/td>\n<td>\n<p align=\"left\">Protecting forms, registrations, logins, etc. A point verification when performing a specific action.<\/p>\n<\/td>\n<td>\n<p align=\"left\">Continuous monitoring of traffic and actions. Suitable for protecting payment pages or critical actions where the user must be preliminarily evaluated.<\/p>\n<\/td>\n<td>\n<p align=\"left\">Protection for highly sensitive resources: banking services, major portals, APIs. Preventing fraud, script attacks, and reducing false blocks for real users. Used by large businesses willing to pay for security.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p align=\"left\"><strong>Cost to Website Owner<\/strong><\/p>\n<\/td>\n<td>\n<p align=\"left\">Free (up to ~100k per month), then conditionally free (Standard). Limited only by the Terms of Service.<\/p>\n<\/td>\n<td>\n<p align=\"left\">Free (within the same quota, as it is part of reCAPTCHA).<\/p>\n<\/td>\n<td>\n<p align=\"left\">Paid after 10k checks\/month. Approximately $1 per 1,000 requests above that threshold (plus a possible charge of $8 per 100k for standard, depending on the Google Cloud pricing).<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p align=\"left\"><strong>Difficulty of Bypass for Bot Developers<\/strong><\/p>\n<\/td>\n<td>\n<p align=\"left\">Relatively low. With recognition services, a solution (token) can be obtained within 10\u201330 seconds. In the case of an audio CAPTCHA, speech recognition bypass methods exist. Minimal interaction (click, token submission) is required.<\/p>\n<\/td>\n<td>\n<p align=\"left\">Above average. It is necessary to simulate genuine behavior on the page; otherwise, the token will have a low score and the website will block the action. Often, paid APIs are used to obtain tokens with a good \u201creputation\u201d or specially trained algorithms.<\/p>\n<\/td>\n<td>\n<p align=\"left\">Very high. In addition to solving the CAPTCHA (in v2 mode), multiple behavioral filters must be bypassed. Often proxies, full browser emulation, or the use of powerful third-party solvers are required. Even with the correct solution, the website may further analyze IP correspondence and other signals. Without specialized services, bypassing is practically impossible.<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<p>From the table, it is evident that reCAPTCHA Enterprise is the most advanced and \u201ctoughest\u201d version to bypass. While v2 can be solved relatively easily by a human or algorithm, and v3 can be attempted to be tricked, Enterprise combines the best of both worlds and adds its own checks.<\/p>\n<h3>How to Determine if a Site Is Using reCAPTCHA Enterprise<\/h3>\n<p><strong><br \/><\/strong>Before attempting any bypass, it is important to verify that you are dealing with reCAPTCHA Enterprise and not the standard v2\/v3. Externally, an Enterprise widget might look identical to the usual reCAPTCHA, so you need to inspect the page\u2019s code and network requests. Here are some indicators that the Enterprise version is in use:<\/p>\n<figure class=\"full-width\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/habrastorage.org\/r\/w780q1\/getpro\/habr\/upload_files\/e60\/07e\/444\/e6007e444d87d69b32dd0ff87f168dfc.jpg\" width=\"620\" height=\"620\" data-src=\"https:\/\/habrastorage.org\/getpro\/habr\/upload_files\/e60\/07e\/444\/e6007e444d87d69b32dd0ff87f168dfc.jpg\" data-blurred=\"true\"\/><\/figure>\n<\/p>\n<p><strong>Included Script<\/strong>:<br \/>Open the page\u2019s HTML source code (via \u201cView Source\u201d or by pressing F12) and look for the inclusion of a JavaScript file such as <code>recaptcha\/enterprise.js<\/code> (or <code>recaptcha\/enterprise.js?onload=...<\/code>) instead of the standard <code>recaptcha\/api.js<\/code>. This is a key sign that you are dealing with Enterprise. For example:<\/p>\n<pre><code class=\"python\">&lt;script src=\"https:\/\/www.google.com\/recaptcha\/enterprise.js\" async defer&gt;&lt;\/script&gt;<\/code><\/pre>\n<ul>\n<li>\n<p>In the case of standard v2\/v3, you would see something like <code>\u2026\/recaptcha\/api.js.<\/code> Also, in Enterprise pages the object grecaptcha.enterprise is typically used instead of just grecaptcha (e.g., calls like <code>grecaptcha.enterprise.render(...)<\/code> or <code>grecaptcha.enterprise.execute(...)<\/code> clearly indicate Enterprise).<\/p>\n<\/li>\n<li>\n<p><strong>Request URLs<\/strong>:<br \/>If you open the Network tab in your developer tools and track the requests when the CAPTCHA loads, for the Enterprise version you will see URLs containing the path <code>\/recaptcha\/enterprise\/<\/code> (or the subdomain <a href=\"http:\/\/recaptchaenterprise.googleapis.com\" rel=\"noopener noreferrer nofollow\">recaptchaenterprise.googleapis.com<\/a>) \u2013 these are the endpoints of the Enterprise API. In contrast, for standard reCAPTCHA v2 you would see requests to <code>\u2026\/recaptcha\/api2\/...<\/code> (for example, <code>api2\/payload<\/code> or <code>api2\/userverify<\/code>). Thus, the presence of <code>\/enterprise<\/code> in the background request URLs is an indicator of Enterprise (visible only after reloading the page in developer mode \u2013 a minor, albeit somewhat tedious, aside).<\/p>\n<\/li>\n<li>\n<p><strong>Integration Parameters<\/strong>:<br \/>Some sites explicitly indicate the use of Enterprise in their code. For instance, there may be settings like <code>isEnterprise: true<\/code> within the CAPTCHA parameters\u2019 JavaScript object. If you have access to the source JS, search for the string \u201centerprise\u201d or method calls containing that word.<\/p>\n<\/li>\n<\/ul>\n<p><strong>Site Key<\/strong>:<br \/>Formally, the site key format is similar (usually a string starting with <code>\u201c6Lc...\u201d or \u201c6Lf...\u201d<\/code>); therefore, distinguishing Enterprise solely by the key is challenging. However, recall that Enterprise keys are issued via a Google Cloud Project and sometimes have characteristic suffixes. For example, some Enterprise site keys may end with <code>\u201c\u2026_domain-com\u201d<\/code> or similar. This is not the most reliable criterion but might work if an unusually long or clearly corporate key is visible.<\/p>\n<p>In general, if you see that the site uses the <code>enterprise.js<\/code> script and corresponding method calls, you can confidently say that it is reCAPTCHA Enterprise. Next, you need to determine which mode it operates in (v2 or v3) to choose the correct approach. A simple guideline is as follows:<\/p>\n<ul>\n<li>\n<p>If a CAPTCHA widget is visibly present on the page (checkbox \u201cI\u2019m not a robot\u201d or a CAPTCHA field), it is reCAPTCHA Enterprise v2 (visible).<\/p>\n<\/li>\n<li>\n<p>If no widget is visible but a challenge window pops up upon form submission, it is reCAPTCHA Enterprise v2 Invisible (an invisible CAPTCHA triggered by an action).<\/p>\n<\/li>\n<li>\n<p>If nothing appears visually and the action either goes through silently or is blocked, it is most likely reCAPTCHA Enterprise v3, which operates via scoring.<\/p>\n<\/li>\n<\/ul>\n<p>The recommendation here is simple \u2013 be attentive when preparing the source data for bypass!<\/p>\n<h3>How reCAPTCHA Enterprise Works (Technical Overview for easy reCAPTCHA Enterprise bypass)<\/h3>\n<\/p>\n<figure class=\"full-width\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/habrastorage.org\/r\/w780q1\/getpro\/habr\/upload_files\/662\/99d\/3c4\/66299d3c4791f211c54afb534c9e7eac.jpg\" width=\"1228\" height=\"776\" data-src=\"https:\/\/habrastorage.org\/getpro\/habr\/upload_files\/662\/99d\/3c4\/66299d3c4791f211c54afb534c9e7eac.jpg\" data-blurred=\"true\"\/><\/figure>\n<p>The internal workings of reCAPTCHA Enterprise are largely similar to the basic reCAPTCHA, but it employs a more advanced signal collection and analysis system. It is essential to understand what you are dealing with before engaging:<\/p>\n<ul>\n<li>\n<p><strong>Data Collection About the User<\/strong>:<br \/>When an Enterprise CAPTCHA loads, it immediately begins collecting information about the client. This includes standard details such as the browser\u2019s User-Agent, screen resolution, time zone, installed plugins, cookies (especially Google cookies if the user is logged into their account \u2013 which can boost trust), Canvas fingerprinting (via drawing and reading from an HTML5 canvas), WebGL fingerprinting, fonts, audio context \u2013 essentially everything that a modern fingerprinting script can collect. In addition, it tracks mouse movements, keyboard events, page scrolling, the speed and trajectory of the cursor when hovering over the CAPTCHA element, delays between events \u2013 that is, behavioral analysis. All this data is encrypted and sent to Google\u2019s servers.<\/p>\n<\/li>\n<li>\n<p><strong>Risk Assessment and Challenge Issuance<\/strong>:<br \/>On Google\u2019s side, a machine learning model\u2014trained on a vast dataset of interactions between humans and bots with reCAPTCHA\u2014analyzes these factors. For Enterprise, the model is enriched with additional signals. For example, it takes into account the reputation of the IP address (whether it is known as a source of bot traffic), the browser\u2019s history (Google may cross-reference how often CAPTCHAs have been solved with this fingerprint and whether they were successful), and the presence of suspicious patterns (such as overly fast or perfectly straight cursor movement\u2014an indicator of a robot). If it is Enterprise v2, these factors determine whether to show the user a challenge (images) or to let them pass immediately. reCAPTCHA Enterprise strives to minimize unnecessary challenges for real users; therefore, a genuine user might simply click the checkbox and immediately see a checkmark, while a bot is almost immediately presented with a complex challenge (e.g., selecting all images containing crosswalks, followed by dynamically loaded additional images until an error is made or proof of humanity is established). In the case of Enterprise v3, the model simply calculates a score from 0.0\u20131.0, where, conventionally, a score &gt;0.7 is considered human, and &lt;0.3 is considered bot (the threshold can be set by the site owner).<\/p>\n<\/li>\n<li>\n<p><strong>Additional Enterprise Checks<\/strong>:<br \/>The Enterprise version includes features not available in the free version. For instance, Account Defender\u2014if multiple Google protection products are in use on a site, their data may be combined. Enterprise can take into account password leak detection and other risk factors within the context of a particular session. Additionally, the Enterprise CAPTCHA can operate in tandem with two-factor authentication\u2014for example, if Enterprise detects risk, the site may send an SMS confirmation (this logic is implemented by the site owner, while the CAPTCHA simply provides a trigger signal). All of this raises the bar for attackers.<\/p>\n<\/li>\n<li>\n<p><strong>Token Generation<\/strong>:<br \/>When a user (or bot) interacts with an Enterprise CAPTCHA, a front-end method such as <code>grecaptcha.enterprise.execute()<\/code> or <code>grecaptcha.enterprise.getResponse()<\/code> (for v2) is called. This generates a token\u2014a very long string (usually ~500+ characters) that encodes the verification result. This token is typically placed in a hidden form field called <code>g-recaptcha-response<\/code> and then sent to the website\u2019s server.<\/p>\n<\/li>\n<li>\n<p><strong>Token Verification on the Server<\/strong>:<br \/>Upon receiving the token from the client, the website sends it to Google for verification. In the free version, the request goes to <a href=\"https:\/\/www.google.com\/recaptcha\/api\/siteverify\" rel=\"noopener noreferrer nofollow\"><code>https:\/\/www.google.com\/recaptcha\/api\/siteverify<\/code><\/a> along with a secret key. In Enterprise, the request is made through the Google Cloud API (or library) and can provide a more detailed response. For example, for Enterprise v3, in addition to the score, reason codes (explaining low scores such as Automation, SuspectedAttacker, TooFast, etc.) are returned. For Enterprise v2, the outcome is simply success\/failure, although the site owner still sees detailed statistics in the Google Console. If the token is invalid or expired, verification returns a negative result.<\/p>\n<\/li>\n<\/ul>\n<p><strong>Site Actions Based on the Outcome<\/strong>:<br \/>Based on the CAPTCHA response, the website decides whether to allow the user to proceed (if everything is in order) or to block\/show an error\/additional verification (if Google signals a bot). Enterprise provides a more confident result, so site owners can more strictly block suspicious users\u2014thus paying for fewer false positives.<\/p>\n<p>It is important to understand that a reCAPTCHA token is tied to a specific domain and is only valid for a short time (usually around 2 minutes). You cannot solve a CAPTCHA on one site and reuse the token on another\u2014it will simply fail verification. Also, note that one token is issued per attempt.<\/p>\n<p>Now it becomes clearer why Enterprise is so challenging to bypass. In summary, it not only checks whether you can solve an image challenge, but also monitors the entire context. Even if a bot manages to get the correct answer to an image (for instance, using a neural network), Enterprise may \u201csuspect\u201d something amiss based on the aggregate signals (for example, synthetic mouse movement or a browser lacking genuine cookies). Consequently, the token may either not be generated at all or, upon server verification, be found to have a low score or be marked as risky. In other words, simply solving the images is not enough \u2013 you must deceive the entire system holistically. This is the core difficulty in bypassing reCAPTCHA Enterprise.<\/p>\n<h3>Why reCAPTCHA Enterprise Bypass Is a Challenging Task<\/h3>\n<p><strong><br \/><\/strong>Based on its internal architecture, here are the key problems that bot developers face when attempting to bypass the Enterprise CAPTCHA:<\/p>\n<ul>\n<li>\n<p><strong>Enhanced Fingerprinting<\/strong>:<br \/>reCAPTCHA Enterprise gathers maximum data about your environment. Simple scripted requests (e.g., simulating a form submission via requests without a browser) fail immediately \u2013 they lack the necessary JS signals and proper cookies. Even browser emulation through headless Chrome can be detected (Google is capable of determining headless mode via indirect cues). To bypass this, one must use real browsers or well-masked headless browsers with stealth configurations so that the fingerprint appears as that of an ordinary user.<\/p>\n<\/li>\n<li>\n<p><strong>Behavioral Analysis<\/strong>:<br \/>It is not enough to simply load a page \u2013 one must behave like a human. This is critical for Enterprise v3: if a script loads the page and submits the form instantly, it is likely to receive a score of 0.1. A bot must \u201clinger\u201d on the page, move the mouse, scroll, possibly click on some elements, and generate a visible \u201chuman\u201d trail. Perfectly simulating this is challenging \u2013 it requires specialized libraries that generate random, plausible events (tools such as Puppeteer Extra Stealth or Playwright Stealth exist, which mask automation and mimic human actions).<\/p>\n<\/li>\n<li>\n<p><strong>Time Constraints<\/strong>:<br \/>The token must be obtained quickly. If you solve the CAPTCHA too slowly (several minutes), the token may expire or the site may deem the process suspicious. CAPTCHA solving services typically complete the process within ~20\u201360 seconds. When developing your own bot, you must meet these time constraints while simultaneously simulating realistic page activity \u2013 a non-trivial task.<\/p>\n<\/li>\n<li>\n<p><strong>IP and Environment Binding<\/strong>:<br \/>Enterprise may detect discrepancies \u2013 for example, if the CAPTCHA was solved from an IP address in a different country than the one from which the form is submitted. This can happen when using online services: your bot might operate from Germany while submitting the CAPTCHA solution to a server in India. The solution is received, the token is inserted, but during verification Google notices that the token was obtained from a completely different region \u2013 which is suspicious. Therefore, proxies are often required so that the CAPTCHA is solved from the same IP as the bot. This increases both complexity and cost.<\/p>\n<\/li>\n<\/ul>\n<p>Ultimately, bypassing reCAPTCHA Enterprise is a technological arms race between Google and developers. Writing a reliable script for Enterprise is extremely challenging. Specialized services and tools\u2014discussed further below\u2014are employed to achieve bypass.<\/p>\n<h3>Methods for Bypassing reCAPTCHA Enterprise (popular reCAPTCHA Enterprise solvers)<\/h3>\n<p><strong><br \/><\/strong>There are several approaches to solving the CAPTCHA, which can be broadly categorized as manual, automated, or hybrid. Here\u2019s what might work for reCAPTCHA Enterprise:<\/p>\n<ul>\n<li>\n<p><strong>Manual Bypass Method<br \/><\/strong>The \u201cmanual\u201d method involves a human participating in the CAPTCHA solving process. The most obvious approach is to solve the CAPTCHA manually. In test scenarios (e.g., QA), it might be easier for an engineer to click the widget manually. However, in the context of automation or mass bypass, this approach does not scale. Nevertheless, manual methods form the basis of many online CAPTCHA-solving services.<\/p>\n<ul>\n<li>\n<p><strong>Outsourcing to People (Human CAPTCHA Solving)<\/strong>:<br \/>There is a whole industry of services where real people solve CAPTCHAs around the clock for a small fee. You send them an image or challenge\u2014they return the answer. For reCAPTCHA Enterprise, it works as follows: a bot or script retrieves the CAPTCHA parameters (sitekey, URL, and possibly an image if already provided), sends them to the service\u2019s server, and a human operator solves the CAPTCHA and sends back the token, which the bot then uses to pass the verification. Services like <a href=\"https:\/\/2captcha.com\/\" rel=\"noopener noreferrer nofollow\">2Captcha<\/a>, <a href=\"https:\/\/rucaptcha.com\/\" rel=\"noopener noreferrer nofollow\">ruCaptcha<\/a>, <a href=\"https:\/\/solvecaptcha.com\/\" rel=\"noopener noreferrer nofollow\">SolveCaptcha<\/a>, DeathByCaptcha, etc., rely on human labor.<br \/><strong>Advantage<\/strong> \u2013 high accuracy (humans can usually handle the task), flexibility (any new Google update is still solvable by a human).<br \/><strong>Disadvantage<\/strong> \u2013 delay in solving (usually 10\u201330 seconds, though it may increase with complexity) and cost at scale. You pay per solved CAPTCHA, and even if the solution is incorrect, reputable services offer a refund for unsolvable CAPTCHAs, so you only pay for successfully solved ones.<\/p>\n<\/li>\n<li>\n<p><strong>In-House \u201cManual\u201d Solver<\/strong>:<br \/>Some companies create their own CAPTCHA-solving teams (for example, Amazon) or use crowdsourcing platforms. Essentially, this is like creating a personal version of 2Captcha. In most cases, it is more cost-effective to use an existing service; however, if a company is concerned about data leakage (if the CAPTCHA appears on internal systems), they might use their own staff. This is a specific case, and apart from Amazon, examples are few, though they certainly exist.<\/p>\n<\/li>\n<\/ul>\n<\/li>\n<li>\n<p><strong>Automated Bypass Methods<br \/><\/strong>Automated methods attempt to solve the CAPTCHA without human intervention using algorithms, neural networks, and clever tricks. In the case of reCAPTCHA Enterprise, this is particularly challenging, but progress is ongoing. The main automated approaches include:<\/p>\n<ul>\n<li>\n<p><strong>Computer Vision for Image Solving<\/strong>:<br \/>Since reCAPTCHA v2 (and Enterprise v2) presents images, one can attempt automatic recognition. The task reduces to image classification: for example, \u201cfind all nine images that contain a traffic light.\u201d Modern CV (Computer Vision) models can detect many objects, and some companies have trained neural networks to solve typical CAPTCHA challenges. There are solvers that almost entirely recognize reCAPTCHA images without human intervention. For instance, the service SolveCaptcha markets itself as an AI solver using neural networks instead of humans. The algorithms operate very quickly (on the order of seconds or even fractions of a second) and relatively inexpensively at scale. However, there is no 100% guarantee: Google selects images designed to confuse both humans and machines (blurred images, unusual angles, multiple objects in one image). The neural network may make mistakes, and the CAPTCHA will not be considered solved. Nonetheless, the accuracy is already quite high (claims of success rates above 90+%). Automated recognition allows for high-throughput solving without delays but requires significant resources for model development and maintenance. Developers can use ready-made APIs without building their own neural networks.<\/p>\n<\/li>\n<li>\n<p><strong>Bypassing via Audio (Speech-to-Text)<\/strong>:<br \/>reCAPTCHA traditionally offers an audio CAPTCHA option for visually impaired users. One can switch to the audio version and obtain a sound file. There was even a method where this sound was sent to a speech recognition service (even Google Speech API) to retrieve text, thereby automatically solving the CAPTCHA. Of course, Google has improved its protection \u2013 adding interference, and in Enterprise the audio option is provided even less frequently. However, some bots still use this as a backup: if the visual challenge fails, try the audio route. The effectiveness of this method in modern times is debatable \u2013 modern AI for images can quite well compete with the audio method, but it should not be completely ruled out.<\/p>\n<\/li>\n<li>\n<p><strong>Emulating a \u201cProper\u201d Client<\/strong>:<br \/>This approach is more applicable to v3 bypass. The idea is that if the CAPTCHA assigns a low score to the bot, you transform the bot into a \u201chuman\u201d sufficiently to obtain a high score. How? For example, you can launch a full-fledged Chrome\/Firefox browser, load the page, and let it \u201clive\u201d under scripted control: simulate movements, possibly even actually browse the site, click on some buttons like a real user. After that, call <code>grecaptcha.enterprise.getResponse()<\/code> to obtain the token. Such a token will contain behavioral signals, increasing the chance of a decent score. Some automated solvers do exactly this \u2013 under the hood, they launch a browser (often using Chromium, the engine behind Chrome). Frameworks like Selenium WebDriver, Playwright, or Puppeteer are used to control the browser. This is hidden from the developer, but essentially your request is solved by a bot pretending to be a human. <strong>Advantage<\/strong> \u2013 no human intervention is required; <strong>Disadvantage<\/strong> \u2013 increased cost (since it requires considerable resources, cloud browsers, etc.). Nevertheless, such solutions exist for Enterprise v3. In addition, CAPTCHA-solving services often maintain their own pools of proxies and browsers \u2013 with \u201cwarmed-up\u201d sessions that might even include real Google cookies, ensuring that the request is made within a trusted context.<\/p>\n<\/li>\n<li>\n<p><strong>Exploiting Vulnerabilities or APIs<\/strong>:<br \/>In rare cases, there might be integration vulnerabilities. For example, a misconfigured site might accept unverified tokens or reuse a token. Such errors are exceptions and cannot be relied upon, especially in an Enterprise environment.<\/p>\n<\/li>\n<\/ul>\n<\/li>\n<li>\n<p><strong>Combined Approaches<br \/><\/strong>The most effective real-world solutions combine human and machine efforts. Examples include:<\/p>\n<ul>\n<li>\n<p><strong>AI + Human (Backup)<\/strong>:<br \/>Services attempt to automate everything possible since it is cheaper and faster. For example, SolveCaptcha might first try to solve a challenge using its neural network. If confidence is insufficient or the answer fails, the CAPTCHA is then forwarded to a human. The service\u2019s user may not even notice the switch, except that the solving time might be slightly longer. Such a hybrid approach can achieve nearly 100% success while optimizing costs. In this way, machines handle routine tasks and humans tackle borderline cases.<\/p>\n<\/li>\n<li>\n<p><strong>Human + Bot (Assisted Solution)<\/strong>:<br \/>The opposite scenario: the bot-script performs everything up to the final step, and a human assists only at one stage. For example, a QA engineer may write a script that automates website testing, but when the script reaches the CAPTCHA, it pauses and waits for a human to solve it before continuing. This is applicable when the number of CAPTCHAs is small and automation of the rest is important. Essentially, it is a manual solution embedded within an automated scenario \u2013 saving time when CAPTCHAs are infrequent. In my opinion, such a solution might work for small projects and startups, but it is not viable at an industrial scale.<\/p>\n<\/li>\n<li>\n<p><strong>Using Multiple Services<\/strong>:<br \/>One combined approach for enhancing reliability is to send the request to several CAPTCHA-solving services simultaneously. For instance, using Service A (AI) and Service B (human) in parallel and taking whichever result comes first. If one fails for some reason, there is hope that the other will provide the correct answer. This increases the chance of solving it on the first try at the cost of doubling the expense for one CAPTCHA.<\/p>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>In summary, in real combat scenarios, bypassing reCAPTCHA Enterprise involves comprehensive solutions \u2013 advanced algorithms combined with human intervention and robust infrastructure (browsers, proxies, sessions). In my view, before deciding whether to develop an in-house bypass or use third-party services, one must carefully calculate and understand what is cost-effective and what is not, and, naturally, compare the prices.<\/p>\n<h3>Overview of Popular Services for Solving reCAPTCHA Enterprise (reCAPTCHA Enterprise solvers)<\/h3>\n<p><strong><br \/><\/strong>Today, there are several popular services and tools on the market that offer \u201cturnkey\u201d bypass of Google reCAPTCHA Enterprise. They differ in their approaches (human or AI), pricing, and speed. Below is a comparison table of some well-known solutions:<\/p>\n<div>\n<div class=\"table\">\n<table>\n<tbody>\n<tr>\n<td>\n<p align=\"left\"><strong>Service<\/strong><\/p>\n<\/td>\n<td>\n<p align=\"left\"><strong>Solution Method<\/strong><\/p>\n<\/td>\n<td>\n<p align=\"left\"><strong>Price (reCAPTCHA Enterprise)<\/strong><\/p>\n<\/td>\n<td>\n<p align=\"left\"><strong>Speed<\/strong><\/p>\n<\/td>\n<td>\n<p align=\"left\"><strong>Features<\/strong><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p align=\"left\"><strong>2Captcha \/ ruCaptcha<\/strong><\/p>\n<\/td>\n<td>\n<p align=\"left\">Human (crowdsourcing real people).<\/p>\n<\/td>\n<td>\n<p align=\"left\">Approximately $1.5\u20133 per 1,000 solutions (\u224865\u2013160 \u20bd per 1,000). Payment is only for successfully solved CAPTCHAs.<\/p>\n<\/td>\n<td>\n<p align=\"left\">15\u201330 seconds on average per CAPTCHA (may be longer in complex cases).<\/p>\n<\/td>\n<td>\n<p align=\"left\">One of the oldest services. Provides an API, supports multiple languages, and code examples. Requires specifying <code>enterprise=1<\/code> for Enterprise. High reliability, though operator errors can occur occasionally.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p align=\"left\"><strong>Anti-Captcha (AntiCaptcha)<\/strong><\/p>\n<\/td>\n<td>\n<p align=\"left\">Human + elements of automation.<\/p>\n<\/td>\n<td>\n<p align=\"left\">Approximately $5 per 1,000 (reCAPTCHA Enterprise v2\/v3). Higher than for standard reCAPTCHA.<\/p>\n<\/td>\n<td>\n<p align=\"left\">Usually 5\u201320 seconds. The service may hold a queue upon load.<\/p>\n<\/td>\n<td>\n<p align=\"left\">A popular service with a convenient API. Claims to select the best workers for Enterprise tasks. Offers an option to specify a minimum score for v3. Also offers subscriptions for fixed monthly rates.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p align=\"left\"><strong>SolveCaptcha<\/strong><\/p>\n<\/td>\n<td>\n<p align=\"left\">AI solution (own neural networks + browser infrastructure), with human backup if needed.<\/p>\n<\/td>\n<td>\n<p align=\"left\">Very low price: $0.55 per 1,000 reCAPTCHA Enterprise solutions.<\/p>\n<\/td>\n<td>\n<p align=\"left\">5\u201310 seconds<\/p>\n<\/td>\n<td>\n<p align=\"left\">Solves multiple types of CAPTCHAs. For reCAPTCHA Enterprise, uses either its own browser engine or direct image recognition. High success rate (~97%).<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p align=\"left\"><strong>DeathByCaptcha<\/strong><\/p>\n<\/td>\n<td>\n<p align=\"left\">Human.<\/p>\n<\/td>\n<td>\n<p align=\"left\">$2.89 per 1,000 (for reCAPTCHA v2\/v3). Claims support for Enterprise, though the price may be higher.<\/p>\n<\/td>\n<td>\n<p align=\"left\">20\u201340 seconds<\/p>\n<\/td>\n<td>\n<p align=\"left\">An older service, also oriented toward Western markets. Slightly lower price for standard CAPTCHAs, but may employ experienced workers for Enterprise tasks. The interface is somewhat outdated.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p align=\"left\"><strong>NopeCHA<\/strong><\/p>\n<\/td>\n<td>\n<p align=\"left\">AI (neural network) + browser extension.<\/p>\n<\/td>\n<td>\n<p align=\"left\">Subscription-based model, equivalent to $0.5 to $2 per 1,000 (depending on the plan).<\/p>\n<\/td>\n<td>\n<p align=\"left\">5\u201315 seconds<\/p>\n<\/td>\n<td>\n<p align=\"left\">An interesting service, mainly offering a browser extension with an AI CAPTCHA solver (with a free limit available). Less popular for direct code integration, though an API is provided. Can solve CAPTCHAs directly on the user\u2019s page.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p align=\"left\"><strong>NextCaptcha<\/strong><\/p>\n<\/td>\n<td>\n<p align=\"left\">Combined approach (details undisclosed, likely AI + human).<\/p>\n<\/td>\n<td>\n<p align=\"left\">Approximately $0.8 per 1,000 Enterprise (on promotion).<\/p>\n<\/td>\n<td>\n<p align=\"left\">5\u201315 seconds<\/p>\n<\/td>\n<td>\n<p align=\"left\">A new service oriented toward the bypass market in 2024+. Offers a low price and trial period. Limited information available, but declares support for reCAPTCHA Enterprise.<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<p>Notes: The speed of solving depends on load and the specific CAPTCHA. Many services offer options to expedite solving (e.g., \u201cpriority purchase\u201d) or slightly reduce the price by accepting slower solving times (entering a slower queue). Also, note that for Enterprise CAPTCHAs, it is often necessary to provide a proxy from the same location as the user, especially when using an AI service.<\/p>\n<p>The choice of service depends on your needs: if you only need to solve a few CAPTCHAs, a difference of a few cents is not significant \u2013 2Captcha with its familiar API may suffice. However, if you are building a large-scale parser that needs to bypass tens of thousands of CAPTCHAs a day, it might be worth considering AI services like SolveCaptcha for the sake of cost efficiency and speed.<\/p>\n<h3>Step-by-Step Guide: How to reCAPTCHA Enterprise Bypass via API<\/h3>\n<p><strong><br \/><\/strong>Let\u2019s move on to a practical demonstration. Although there is a lot of text (which might not always be ideal for a Habr audience), here it is (today\u2019s menu is lean turkey, with no dramatic plot twists nonetheless).<\/p>\n<p>Suppose you have a script that must automatically navigate to a website and perform an action protected by reCAPTCHA Enterprise (for example, account registration). When the script reaches the CAPTCHA, it must solve it. We will use an external CAPTCHA solving service via its API. For this example, we will use 2Captcha (ruCaptcha) since it has a simple API and broad support, though you may substitute another service (the algorithm is similar).<\/p>\n<p><strong>Step 1: Retrieve the Site Key and Determine the CAPTCHA Type<br \/><\/strong>Typically, in the HTML code of a page with embedded reCAPTCHA, you will find an element like:<\/p>\n<pre><code class=\"python\">&lt;div class=\"g-recaptcha\" data-sitekey=\"SITE_KEY\" ...&gt;&lt;\/div&gt;<\/code><\/pre>\n<p>You need to extract the value of the data-sitekey. If it is a v3 CAPTCHA, instead of such a div you might see a call like grecaptcha.enterprise.execute(<code>site_key, {action: 'submit'}<\/code>) \u2013 in which case the site key can be found inside that call or in the script itself. Suppose we found <code>sitekey = \"6Lf26sUnAAAAAIKLuWNYgRsFUfmI-3Lex3xT5N-s\"<\/code>. Also, record the page URL (e.g., <a href=\"https:\/\/target-site.com\/register\" rel=\"noopener noreferrer nofollow\"><code>https:\/\/target-site.com\/register<\/code><\/a>). We have confirmed that this is Enterprise (we see enterprise.js), and, let\u2019s say, determined it is Enterprise v2 (requires a <code>checkbox\/challenge<\/code>).<\/p>\n<p><strong>Step 2: Submit the CAPTCHA Task via the Solver\u2019s API<br \/><\/strong>Each service has its own format, but the idea is the same: you must pass at least the site key and the page URL. In 2Captcha, this is done by sending a POST request to their endpoint (<a href=\"https:\/\/2captcha.com\/in.php\" rel=\"noopener noreferrer nofollow\"><code>https:\/\/2captcha.com\/in.php<\/code><\/a>). An additional parameter <code>enterprise=1<\/code> indicates that it is an Enterprise CAPTCHA. If the CAPTCHA is invisible (i.e., no visible checkbox, only a JavaScript call), you should add <code>invisible=1<\/code> (this affects how the human solver approaches the task). Other services have similar parameters. For example, Anti-Captcha requires creating a JSON task:<\/p>\n<pre><code class=\"python\">{ \"type\": \"ReCaptchaV2EnterpriseTaskProxyless\", \"websiteURL\": \"...\", \"websiteKey\": \"...\", \"isInvisible\": false }<\/code><\/pre>\n<p>You must also specify your API key for the service, which you obtained during registration. Optionally, you may also specify a proxy for the solver to use. Many services allow you not to specify a proxy (they either don\u2019t use one or apply their own pool). However, if the site is particularly sensitive to IP, it is better to provide a proxy from a nearby location. In my example, I will not complicate things further.<\/p>\n<p><strong>Step 3: Wait for and Retrieve the Solution (Token)<br \/><\/strong>As you understand, CAPTCHA solving does not occur instantly (even though cats are born quickly, it\u2019s not immediate) \u2013 you must periodically check if an answer is available. With 2Captcha, after submitting the CAPTCHA to the queue, you will receive a CAPTCHA ID (a numeric identifier). After a short while (usually 5+ seconds), you can start sending GET requests to <a href=\"https:\/\/2captcha.com\/res.php\" rel=\"noopener noreferrer nofollow\"><code>https:\/\/2captcha.com\/res.php<\/code><\/a> with parameters: <code>key <\/code>(your API key), <code>action=get<\/code>, and id (the received ID). If the solution is not yet ready, the service will respond with <code>CAPCHA_NOT_READY<\/code>; then wait and repeat the request every 5 seconds (this interval can be adjusted at your discretion). Once the CAPTCHA is solved, you will receive a response in the form <code>OK|&lt;token&gt;<\/code>, where <code>&lt;token&gt;<\/code> is the solution string (the value to be inserted in <code>g-recaptcha-response<\/code>). In case of failure, an error such as <code>ERROR_CAPTCHA_UNSOLVABLE <\/code>may be returned (for example, if the operator could not solve it or a failure occurred). Then you must try again.<\/p>\n<p><strong>Step 4: Submit the Token to the Website and Complete the Action<br \/><\/strong>After receiving the token, your script must insert it where the website expects it. This is typically a hidden form field:<\/p>\n<pre><code class=\"python\">&lt;input type=\"hidden\" name=\"g-recaptcha-response\" value=\"&lt;TOKEN&gt;\"&gt;<\/code><\/pre>\n<p>If the interaction is via AJAX, the token is sent as a parameter. You fill in the field\/parameter with the token and re-submit the request to the website\u2019s server (for example, re-submit the registration form). On the server, the token is verified, and if all is well, the action is executed. Visually, if a user were present, the CAPTCHA would show as solved. For us, it means we have achieved the desired result automatically.<\/p>\n<p>Now, let\u2019s illustrate how this looks in code. Below are code examples in Python, PHP, and Node.js that implement the described steps using the 2Captcha API. (For other services, the code is similar; only the URLs and request formats change \u2013 refer to their documentation.)<\/p>\n<hr\/>\n<p><strong>Python Example (using requests):<\/strong><\/p>\n<pre><code class=\"python\">import requests import time  API_KEY = \"YOUR_2CAPTCHA_API_KEY\" sitekey = \"6Lf26sUnAAAAAIKLuWNYgRsFUfmI-3Lex3xT5N-s\" page_url = \"https:\/\/2captcha.com\/demo\/recaptcha-v2-enterprise\"  # 1. Submit the CAPTCHA for solving data = {     'key': API_KEY,     'method': 'userrecaptcha',     'googlekey': sitekey,     'pageurl': page_url,     'enterprise': 1 } response = requests.post(\"http:\/\/2captcha.com\/in.php\", data=data) if response.text.split('|')[0] != \"OK\":     print(\"Error submitting CAPTCHA:\", response.text)     exit(1) captcha_id = response.text.split('|')[1] print(f\"CAPTCHA submitted, ID = {captcha_id}\")  # 2. Wait for the solution recaptcha_token = None for i in range(20):  # maximum wait of ~100 seconds     time.sleep(5)     res = requests.get(f\"http:\/\/2captcha.com\/res.php?key={API_KEY}&amp;action=get&amp;id={captcha_id}\")     if res.text == \"CAPCHA_NOT_READY\":         print(\"Solution not ready yet, waiting...\")         continue     if res.text.startswith(\"OK|\"):         recaptcha_token = res.text.split('|')[1]         break     else:         print(\"Error solving CAPTCHA:\", res.text)         exit(1)  if not recaptcha_token:     print(\"Failed to obtain CAPTCHA solution in time\")     exit(1)  print(\"Received reCAPTCHA token:\", recaptcha_token)  # 3. Use the received token \u2013 for example, submit a form with it. form_data = {     'username': 'testuser',     'password': '12345',     'g-recaptcha-response': recaptcha_token } final_res = requests.post(page_url, data=form_data) print(\"Form submission result:\", final_res.status_code)<\/code><\/pre>\n<p>Explanation: This code sends a request to 2Captcha to solve an Enterprise CAPTCHA with the given site key and URL, retrieves the CAPTCHA ID, polls for the result every 5 seconds, and finally obtains the token. It then simulates form submission with the token (for demonstration purposes). In reality, submitting the token might be more complex: multiple form fields, callbacks, inactive \u201cSubmit\u201d buttons, etc.<\/p>\n<hr\/>\n<p><strong>PHP Example (using cURL):<\/strong><\/p>\n<pre><code class=\"php\">&lt;?php $apiKey = \"YOUR_2CAPTCHA_API_KEY\"; $siteKey = \"6Lf26sUnAAAAAIKLuWNYgRsFUfmI-3Lex3xT5N-s\"; $pageURL = \"https:\/\/2captcha.com\/demo\/recaptcha-v2-enterprise\";  \/\/ 1. Submit the CAPTCHA for solving $ch = curl_init(\"http:\/\/2captcha.com\/in.php\"); curl_setopt($ch, CURLOPT_POST, true); curl_setopt($ch, CURLOPT_POSTFIELDS, [     'key' =&gt; $apiKey,     'method' =&gt; 'userrecaptcha',     'googlekey' =&gt; $siteKey,     'pageurl' =&gt; $pageURL,     'enterprise' =&gt; 1 ]); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); $resp = curl_exec($ch); curl_close($ch);  if(strpos($resp, \"OK|\") !== 0) {     die(\"Submission error: $resp\"); } list(, $captchaId) = explode('|', $resp); echo \"CAPTCHA submitted, ID = $captchaId\\n\";  \/\/ 2. Wait for the solution $token = null; for($i = 0; $i &lt; 20; $i++) {     sleep(5);     $res = file_get_contents(\"http:\/\/2captcha.com\/res.php?key=$apiKey&amp;action=get&amp;id=$captchaId\");     if($res === \"CAPCHA_NOT_READY\") {         echo \"Waiting...\\n\";         continue;     } elseif(strpos($res, \"OK|\") === 0) {         $token = substr($res, 3);         break;     } else {         die(\"Error solving CAPTCHA: $res\");     } } if(!$token) {     die(\"Token not received, timeout exceeded.\"); } echo \"Token received: $token\\n\";  \/\/ 3. Use the token (e.g., send it along with other form data) $formFields = http_build_query([     'username' =&gt; 'testuser',     'password' =&gt; '12345',     'g-recaptcha-response' =&gt; $token ]); $ch = curl_init($pageURL); curl_setopt($ch, CURLOPT_POST, true); curl_setopt($ch, CURLOPT_POSTFIELDS, $formFields); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); $result = curl_exec($ch); curl_close($ch);  echo \"Server response on form submission: $result\\n\"; ?&gt;<\/code><\/pre>\n<p>Explanation: This PHP script uses cURL and file_get_contents to interact with the 2Captcha API, then conditionally submits the form with the obtained token. In practice, instead of directly posting the form, your script might continue processing the page using the same mechanism or, if browser automation is used, inject the token into the page. The principle of token transmission remains the same.<\/p>\n<hr\/>\n<p><strong>Node.js Example (using fetch API)<\/strong><\/p>\n<pre><code class=\"javascript\">const fetch = require('node-fetch');  \/\/ Install with: npm install node-fetch  const API_KEY = \"YOUR_2CAPTCHA_API_KEY\"; const siteKey = \"6Lf26sUnAAAAAIKLuWNYgRsFUfmI-3Lex3xT5N-s\"; const pageUrl = \"https:\/\/2captcha.com\/demo\/recaptcha-v2-enterprise\";  async function solveRecaptcha() {     \/\/ 1. Submit the CAPTCHA task     const params = new URLSearchParams();     params.append('key', API_KEY);     params.append('method', 'userrecaptcha');     params.append('googlekey', siteKey);     params.append('pageurl', pageUrl);     params.append('enterprise', '1');      let resp = await fetch('http:\/\/2captcha.com\/in.php', {         method: 'POST',         body: params     });     let text = await resp.text();     if (!text.startsWith('OK|')) {         throw new Error(`Submission error: ${text}`);     }     const captchaId = text.split('|')[1];     console.log(`CAPTCHA submitted, ID = ${captchaId}`);      \/\/ 2. Wait for the result     let token = null;     for (let i = 0; i &lt; 20; i++) {         await new Promise(res =&gt; setTimeout(res, 5000));         let resResp = await fetch(`http:\/\/2captcha.com\/res.php?key=${API_KEY}&amp;action=get&amp;id=${captchaId}`);         let resText = await resResp.text();         if (resText === 'CAPCHA_NOT_READY') {             console.log(\"Waiting for solution...\");             continue;         }         if (resText.startsWith('OK|')) {             token = resText.split('|')[1];             break;         } else {             throw new Error(`Error solving CAPTCHA: ${resText}`);         }     }     if (!token) {         throw new Error(\"Token not received within the allotted time.\");     }     console.log(\"Token received:\", token);      \/\/ 3. Use the token (e.g., send a POST request with the token)     const formParams = new URLSearchParams();     formParams.append('username', 'testuser');     formParams.append('password', '12345');     formParams.append('g-recaptcha-response', token);      let finalResp = await fetch(pageUrl, {         method: 'POST',         body: formParams     });     console.log(\"Form submission result:\", finalResp.status); }  solveRecaptcha().catch(err =&gt; {     console.error(err); });<\/code><\/pre>\n<p>Explanation: In this Node.js example, we use <code>node-fetch<\/code> for HTTP requests. The script submits the task, waits in intervals for the result, obtains the token, and then performs a final POST with that token. Note that <code>node-fetch<\/code> is asynchronous, so async\/await is used. This \u201craw\u201d approach demonstrates the concept clearly, though for a production environment, using an official SDK (such as the <a href=\"https:\/\/www.npmjs.com\/package\/2captcha\" rel=\"noopener noreferrer nofollow\">2captcha package on npm<\/a>) might be more convenient.<\/p>\n<hr\/>\n<h3>Integration Tips for reCAPTCHA Enterprise Bypass<\/h3>\n<p><strong>Correct Insertion of the Token<\/strong>:<br \/>If you are controlling a browser (Selenium, Puppeteer, etc.), after receiving the token you should execute JavaScript on the page:<\/p>\n<pre><code class=\"javascript\">document.querySelector('[name=\"g-recaptcha-response\"]').value = token;<\/code><\/pre>\n<ul>\n<li>\n<p>(or use <code>executeScript<\/code>). Some sites might also expect the token in a specific JS variable \u2013 in the case of reCAPTCHA, the hidden field is usually sufficient.<\/p>\n<\/li>\n<li>\n<p><strong>Be Aware of Token Expiry<\/strong>:<br \/>A token is valid for a limited time (~120 seconds). Therefore, once obtained, use it immediately. Do not request a solution too early before you are ready to submit the form.<\/p>\n<\/li>\n<li>\n<p><strong>One Solution \u2013 One Token<\/strong>:<br \/>A token cannot be reused. If you need to pass the CAPTCHA again, you must solve it anew.<\/p>\n<\/li>\n<\/ul>\n<h3>Recommendations for Error Handling and Optimization when you working with reCAPTCHA Enterprise solver<\/h3>\n<p>When solving CAPTCHAs via API services, it is crucial to handle various errors correctly so that your script remains reliable and does not hang. Here are some suggestions:<\/p>\n<ul>\n<li>\n<p><strong>Balance and Quota Checks<\/strong>:<br \/>Before sending a CAPTCHA to the service, ensure that your account has sufficient funds (most services offer an API method to check the balance or you can verify in the control panel). If the balance is zero, you might receive an error such as <code>ERROR_ZERO_BALANCE<\/code>. Account for such responses and program your script to handle them (e.g., via notifications or switching to a backup service) so that it does not simply stop working.<\/p>\n<\/li>\n<li>\n<p><strong>API Error Handling<\/strong>:<br \/>Various errors can occur \u2013 an incorrect API key (<code>ERROR_WRONG_USER_KEY<\/code>), wrong parameters (<code>ERROR_WRONG_SITEKEY <\/code>or <code>ERROR_BAD_PARAMETERS<\/code>), exceeding the request limit (<code>ERROR_TOO_MUCH_REQUESTS<\/code>), etc. The full list is typically provided in the documentation. As soon as you receive a response that does not begin with <code>OK|<\/code> or <code>CAPCHA_NOT_READY<\/code>, log or handle it according to the error type. Some errors are temporary (e.g., <code>ERROR_TIMEOUT <\/code>\u2013 the service did not solve the CAPTCHA within the allotted time; you can try resubmitting), while others are fatal (incorrect API key \u2013 only fixable by adjusting settings). It is best to program the script with multiple error-handling scenarios.<\/p>\n<\/li>\n<li>\n<p><strong>Repeating the CAPTCHA Solution<\/strong>:<br \/>If the service returns <code>ERROR_CAPTCHA_UNSOLVABLE<\/code>, it means that two or three different workers have attempted but failed to solve it. This might occur due to overly complex images or if Google continuously rejects the attempts. In such cases, you may try submitting the same CAPTCHA again (with a new ID) \u2013 often the reattempt succeeds because a different worker is assigned or the images reload. However, do not retry indefinitely (usually 1\u20132 retries are sufficient). If it still fails, the problem might lie with the challenge itself \u2013 perhaps the site requires additional data (such as parameter s), or your IP is banned. In such a case, it is time to re-examine your approach.<\/p>\n<\/li>\n<\/ul>\n<p><strong>Parameter s \/ data-s<\/strong>:<br \/>For reCAPTCHA Enterprise v2, sometimes the site uses an additional parameter s \u2013 an encrypted string generated by the site and tied to a specific session or action. It may appear in the site\u2019s code, for example, in a call like:<\/p>\n<pre><code class=\"python\">grecaptcha.enterprise.render(..., {'sitekey':..., 's': '&lt;long_str&gt;'});<\/code><\/pre>\n<ul>\n<li>\n<p>If you see such a parameter, you must pass it to the solver. 2Captcha\/Anti-Captcha, for example, allow this \u2013 by adding a parameter <code>data-s=&lt;value&gt;<\/code>. This parameter is often used when Google recommends that the site enable a browser check\/snippet to enhance security. Without it, your token might not be accepted. Therefore, closely examine the HTML for any hidden field <code>data-s<\/code> or similar.<\/p>\n<\/li>\n<li>\n<p><strong>Optimizing Parallelism<\/strong>:<br \/>If your script is solving multiple CAPTCHAs simultaneously rather than sequentially, you can send tasks in parallel and handle the results concurrently. Most services allow dozens of simultaneous tasks from one account. The key is not to poll too frequently for each result. For instance, if you have 50 tasks, do not send 50*20 = 1000 status requests every second \u2013 it is counterproductive. Instead, use pauses of 5\u201310 seconds, possibly batching requests. Anti-Captcha, for example, has a JSON API that allows querying multiple task statuses in a single call \u2013 reducing load and speeding up result collection.<\/p>\n<\/li>\n<li>\n<p><strong>Using Multiple Services<\/strong>:<br \/>For critical scenarios, consider having a backup option. For example, if no response is received from Service A within X seconds, try submitting to Service B in parallel. Or, upon receiving a specific error, switch to another provider. This adds complexity (you have to support multiple APIs) but increases reliability. In most cases, however, one well-established solver is sufficient.<\/p>\n<\/li>\n<li>\n<p><strong>Caching and Reusing Sessions<\/strong>:<br \/>This advice is more about reducing the number of CAPTCHAs rather than speeding up solving. If you control the browser, try to use session cookies. For example, when parsing a site, log in and preserve cookies \u2013 perhaps with a logged-in account or after one successfully solved CAPTCHA, Google may continue to assign a high score without further challenges. This is especially relevant for v3 \u2013 where you can \u201cwarm up\u201d a session. For v2 Enterprise, if a user has passed one CAPTCHA, Google might not issue a new one for some time on the same site. Therefore, if possible, store the context (Google\u2019s cookie SID and the site cookies) between requests so that you do not start \u201cfrom scratch\u201d each time.<\/p>\n<\/li>\n<li>\n<p><strong>Rate Limiting Requests<\/strong>:<br \/>If your script performs actions en masse on a site, remember that triggering CAPTCHAs can be a reaction to frequent requests. For example, Google might increase CAPTCHA difficulty if it detects suspicious traffic. Sometimes, slightly reducing the parsing speed (adding short delays between page requests) can decrease the frequency of CAPTCHA appearances \u2013 saving both money and time. It\u2019s a balance: faster scraping means more CAPTCHA costs.<\/p>\n<\/li>\n<li>\n<p><strong>Logging All Events<\/strong>:<br \/>Implement robust logging: record when you submit a task to the solver, the task ID, the service\u2019s response, the waiting time, and the final outcome. This helps diagnose issues when they arise. For example, you may notice that during certain hours, solving takes longer (perhaps due to service overload \u2013 then dynamically switch to an alternative service or increase timeout). Or, for a specific site, you consistently receive <code>ERROR_UNSOLVABLE <\/code>\u2013 indicating that the site might be employing additional anti-bot measures beyond reCAPTCHA, warranting further investigation.<\/p>\n<\/li>\n<\/ul>\n<p><strong>In Summary<br \/><\/strong>reCAPTCHA Enterprise is a powerful anti-automation tool, but it is not insurmountable. Bypassing reCAPTCHA Enterprise is possible, but it requires a comprehensive approach. It is not something that can be defeated by a simple ten-line script. You must use the right tools (CAPTCHA solving services, proxies, browser emulation) and account for numerous details.<\/p>\n<p>Remember the balance: as protection becomes smarter, so do the solutions. Nonetheless, the basic principles remain the same: analyze how you are being detected and mimic a normal user closely enough to succeed.<\/p>\n<p>I hope this detailed breakdown helps you understand what lies behind reCAPTCHA Enterprise and how to deal with it. Happy automating without obstacles!<\/p>\n<\/p>\n<\/div>\n<\/div>\n<\/div>\n<p><!----><!----><\/div>\n<p><!----><!----><br \/> \u0441\u0441\u044b\u043b\u043a\u0430 \u043d\u0430 \u043e\u0440\u0438\u0433\u0438\u043d\u0430\u043b \u0441\u0442\u0430\u0442\u044c\u0438 <a href=\"https:\/\/habr.com\/ru\/articles\/898198\/\"> https:\/\/habr.com\/ru\/articles\/898198\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<div><!--[--><!--]--><\/div>\n<div id=\"post-content-body\">\n<div>\n<div class=\"article-formatted-body article-formatted-body article-formatted-body_version-2\">\n<div xmlns=\"http:\/\/www.w3.org\/1999\/xhtml\">\n<p>Modern services (websites) ubiquitously deploy CAPTCHAs for protection, complicating life for developers, SEO specialists, and automation engineers (although the original aim was not to frustrate automators but rather to minimize excessive load on resources from such actors). Among the multitude of CAPTCHAs, Google reCAPTCHA Enterprise stands out as one of the most advanced bot protection systems in this line-up. It is capable of analyzing user behavior and blocking suspicious activity, thereby significantly hindering the recognition of reCAPTCHA Enterprise and its automated bypass. Let\u2019s break down what reCAPTCHA Enterprise is, how it differs from versions v2\/v3, and why it is so difficult to bypass (or is it?).<\/p>\n<figure class=\"\">\n<div><figcaption>Select all images where there is a developer<\/figcaption><\/div>\n<\/figure>\n<h3>What is reCAPTCHA Enterprise and How Does It Differ from v2\/v3<\/h3>\n<p><strong><br \/><\/strong>reCAPTCHA Enterprise is an enhanced version of Google\u2019s CAPTCHA, designed for large-scale projects and corporate clients with elevated security requirements. Essentially, Enterprise encompasses the functionality of both reCAPTCHA v2 and v3 but offers additional features, fine-tuning capabilities, and more powerful bot detection algorithms. For clarity, here are the main versions of reCAPTCHA and their differences:<\/p>\n<ul>\n<li>\n<p><strong>reCAPTCHA v2<\/strong>:<br \/>The classic version where the user must confirm that they are not a robot \u2013 by checking a box (\u201cI\u2019m not a robot\u201d), solving a visual puzzle (selecting images with specific objects), or passing an audio test. reCAPTCHA v2 can operate in two modes: explicit (a visible checkbox or immediately displayed images) and invisible (Invisible reCAPTCHA v2, where the CAPTCHA appears only when suspicion arises after form submission). This version directly involves the user and yields a binary outcome based on the result: CAPTCHA solved (valid token) or not.<\/p>\n<\/li>\n<li>\n<p><strong>reCAPTCHA v3<\/strong>:<br \/>An invisible version without interactive tasks for the user. The reCAPTCHA v3 script continuously runs in the background on the page, monitoring user actions (mouse movements, scrolling, time spent on the page, and other behavioral signals). Consequently, upon certain actions (e.g., form submission, login), a token is generated with a score ranging from 0.0 to 1.0 \u2013 representing the likelihood that the user is human rather than a bot. The user does nothing; what happens next depends on the developer\u2019s configuration (for example, if the score is low \u2013 an additional check might be displayed, a v2 CAPTCHA might be shown, or the action may be blocked). reCAPTCHA v3 minimizes user involvement in the recognition process for genuine users but requires proper interpretation of the score on the website\u2019s side.<\/p>\n<\/li>\n<li>\n<p><strong>reCAPTCHA Enterprise<\/strong>:<br \/>The Enterprise version can operate either in v2 mode (displaying visual challenges when necessary) or in v3 mode (behavioral scoring). For the end user, it appears similar: there is Enterprise v2 (with the \u201cI\u2019m not a robot\u201d checkbox and challenges) and Enterprise v3 (invisible). The main difference lies in the backend and the capabilities available to the website owner (or service provider). reCAPTCHA Enterprise is deployed through Google Cloud and is intended for paid business use. It offers deeper risk analysis, 11 levels of score gradation (compared to 4 levels in the free version), reason codes, integration with other security measures (e.g., WAF \u2013 web application firewall, network-level bot attack protection), reports and statistics in the Google Cloud Console, as well as support for additional signals. For example, on mobile devices, reCAPTCHA Enterprise may automatically use data from the Play Integrity API (a device integrity check) to enhance the verification reliability. Website owners can configure score thresholds, view detailed logs of challenges, and receive support from Google. Moreover, the Enterprise version comes with a guaranteed SLA (99.9% uptime) and reduced false positives due to more sophisticated algorithms and machine learning.<\/p>\n<\/li>\n<\/ul>\n<p>Another important aspect is the cost. The standard reCAPTCHA v2\/v3 used to be free for a vast number of requests (formerly up to 1 million per month), although recently Google introduced a limit of 100k free assessments per month, after which it costs $8 per 100k (for the standard reCAPTCHA). In contrast, reCAPTCHA Enterprise has recently become paid after the first 10k requests per month, at a rate of approximately $1 per 1,000 checks (with possible variations at higher volumes). Thus, websites pay for enhanced protection, while Google provides a more powerful service. For the end user, the difference is not visually obvious, but for those attempting to automate bypass, Enterprise presents a much more formidable barrier.<\/p>\n<h3>Comparison of reCAPTCHA Versions: v2, v3, and reCAPTCHA Enterprise\u00a0<\/h3>\n<p>For clarity, here is a table outlining the main characteristics of the different reCAPTCHA versions:<\/p>\n<div>\n<div class=\"table\">\n<table>\n<tbody>\n<tr>\n<td>\n<p align=\"left\"><strong>Characteristic<\/strong><\/p>\n<\/td>\n<td>\n<p align=\"left\"><strong>reCAPTCHA v2 (Checkbox\/Invisible)<\/strong><\/p>\n<\/td>\n<td>\n<p align=\"left\"><strong>reCAPTCHA v3 (Score)<\/strong><\/p>\n<\/td>\n<td>\n<p align=\"left\"><strong>reCAPTCHA Enterprise<\/strong><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p align=\"left\"><strong>Verification Method<\/strong><\/p>\n<\/td>\n<td>\n<p align=\"left\">Explicit verification: \u201cI\u2019m not a robot\u201d checkbox and\/or image or audio challenge. Requires user action.<\/p>\n<\/td>\n<td>\n<p align=\"left\">Implicit verification: behavioral analysis yielding a numerical score (0.0\u20131.0). User does nothing.<\/p>\n<\/td>\n<td>\n<p align=\"left\">Can operate as either v2 (checkbox + challenges) or v3 (invisible analysis). Uses advanced analysis algorithms.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p align=\"left\"><strong>User Interaction<\/strong><\/p>\n<\/td>\n<td>\n<p align=\"left\">Moderate\/High \u2013 if suspicion arises, the user must solve challenges (selecting images, etc.).<\/p>\n<\/td>\n<td>\n<p align=\"left\">None \u2013 the user typically never sees the CAPTCHA, as it runs entirely in the background.<\/p>\n<\/td>\n<td>\n<p align=\"left\">At the website\u2019s discretion: minimal (in v3 mode) or similar to v2 (if challenges are required). The threshold and challenge intensity can be configured.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p align=\"left\"><strong>Algorithms and Signals<\/strong><\/p>\n<\/td>\n<td>\n<p align=\"left\">Basic behavioral analysis on click (mouse movement, reaction time), browser characteristics. When strongly suspicious \u2013 image challenges are shown to verify humanity.<\/p>\n<\/td>\n<td>\n<p align=\"left\">Advanced behavioral analysis of the entire user session. May use page history, possibly cookies, etc.<\/p>\n<\/td>\n<td>\n<p align=\"left\">The most comprehensive analysis: behavior, device, browser fingerprints, historical \u201creputation\u201d data (from Google\u2019s database), additional signals (e.g., Integrity API on Android). Machine learning-based algorithms, 11-level risk gradation, and risk reasons.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p align=\"left\"><strong>Verification Outcome<\/strong><\/p>\n<\/td>\n<td>\n<p align=\"left\">A token (string) confirming that the user has passed the check. The website sends it to Google for verification and receives success\/failure.<\/p>\n<\/td>\n<td>\n<p align=\"left\">A token with an encoded score (0.0\u20131.0). The website sends it for verification and receives a score along with a list of flags (reasons).<\/p>\n<\/td>\n<td>\n<p align=\"left\">A token similar to v2\/v3. Upon API verification, Google returns a score (for Enterprise v3) or simply success. Additionally, reason codes and extended metrics are provided in the console.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p align=\"left\"><strong>Customization Options<\/strong><\/p>\n<\/td>\n<td>\n<p align=\"left\">Minimal \u2013 only the widget type (checkbox or invisible), language, and theme can be chosen. The challenge logic cannot be influenced.<\/p>\n<\/td>\n<td>\n<p align=\"left\">Only the score threshold (0.0\u20131.0) for making a decision on the site is configurable. The rest is handled by Google.<\/p>\n<\/td>\n<td>\n<p align=\"left\">Extensive customization \u2013 threshold settings, integration with other services, choice of mode (v2 or v3), enabling MFA (additional SMS\/Email verification for Enterprise Standard), and mobile application integration via SDK.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p align=\"left\"><strong>Purpose<\/strong><\/p>\n<\/td>\n<td>\n<p align=\"left\">Protecting forms, registrations, logins, etc. A point verification when performing a specific action.<\/p>\n<\/td>\n<td>\n<p align=\"left\">Continuous monitoring of traffic and actions. Suitable for protecting payment pages or critical actions where the user must be preliminarily evaluated.<\/p>\n<\/td>\n<td>\n<p align=\"left\">Protection for highly sensitive resources: banking services, major portals, APIs. Preventing fraud, script attacks, and reducing false blocks for real users. Used by large businesses willing to pay for security.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p align=\"left\"><strong>Cost to Website Owner<\/strong><\/p>\n<\/td>\n<td>\n<p align=\"left\">Free (up to ~100k per month), then conditionally free (Standard). Limited only by the Terms of Service.<\/p>\n<\/td>\n<td>\n<p align=\"left\">Free (within the same quota, as it is part of reCAPTCHA).<\/p>\n<\/td>\n<td>\n<p align=\"left\">Paid after 10k checks\/month. Approximately $1 per 1,000 requests above that threshold (plus a possible charge of $8 per 100k for standard, depending on the Google Cloud pricing).<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p align=\"left\"><strong>Difficulty of Bypass for Bot Developers<\/strong><\/p>\n<\/td>\n<td>\n<p align=\"left\">Relatively low. With recognition services, a solution (token) can be obtained within 10\u201330 seconds. In the case of an audio CAPTCHA, speech recognition bypass methods exist. Minimal interaction (click, token submission) is required.<\/p>\n<\/td>\n<td>\n<p align=\"left\">Above average. It is necessary to simulate genuine behavior on the page; otherwise, the token will have a low score and the website will block the action. Often, paid APIs are used to obtain tokens with a good \u201creputation\u201d or specially trained algorithms.<\/p>\n<\/td>\n<td>\n<p align=\"left\">Very high. In addition to solving the CAPTCHA (in v2 mode), multiple behavioral filters must be bypassed. Often proxies, full browser emulation, or the use of powerful third-party solvers are required. Even with the correct solution, the website may further analyze IP correspondence and other signals. Without specialized services, bypassing is practically impossible.<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<p>From the table, it is evident that reCAPTCHA Enterprise is the most advanced and \u201ctoughest\u201d version to bypass. While v2 can be solved relatively easily by a human or algorithm, and v3 can be attempted to be tricked, Enterprise combines the best of both worlds and adds its own checks.<\/p>\n<h3>How to Determine if a Site Is Using reCAPTCHA Enterprise<\/h3>\n<p><strong><br \/><\/strong>Before attempting any bypass, it is important to verify that you are dealing with reCAPTCHA Enterprise and not the standard v2\/v3. Externally, an Enterprise widget might look identical to the usual reCAPTCHA, so you need to inspect the page\u2019s code and network requests. Here are some indicators that the Enterprise version is in use:<\/p>\n<figure class=\"full-width\"><\/figure>\n<\/p>\n<p><strong>Included Script<\/strong>:<br \/>Open the page\u2019s HTML source code (via \u201cView Source\u201d or by pressing F12) and look for the inclusion of a JavaScript file such as <code>recaptcha\/enterprise.js<\/code> (or <code>recaptcha\/enterprise.js?onload=...<\/code>) instead of the standard <code>recaptcha\/api.js<\/code>. This is a key sign that you are dealing with Enterprise. For example:<\/p>\n<pre><code class=\"python\">&lt;script src=\"https:\/\/www.google.com\/recaptcha\/enterprise.js\" async defer&gt;&lt;\/script&gt;<\/code><\/pre>\n<ul>\n<li>\n<p>In the case of standard v2\/v3, you would see something like <code>\u2026\/recap<\/code><\/p>\n<\/li>\n<\/ul>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[],"tags":[],"class_list":["post-454978","post","type-post","status-publish","format-standard","hentry"],"_links":{"self":[{"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=\/wp\/v2\/posts\/454978","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=454978"}],"version-history":[{"count":0,"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=\/wp\/v2\/posts\/454978\/revisions"}],"wp:attachment":[{"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=454978"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=454978"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=454978"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}