
I want to make an hCaptcha solver Chrome extension. I am successfully using some API to solve captchas and to find data-sitekey and other params.

But specifically on hCaptcha's site there is a block that I currently can't bypass.

It overrides (with obfuscation) XMLHttpRequest and, in particular, the send method, allowing requests only to some domains. I obviously need to send a request to a custom domain, so when I try to do that, it throws an exception.

My attempt

In extension I have two files - content.js and inject.js.

content.js just injects inject.js before the page loads:

// Runs in the content script's isolated world; injects inject.js into the page's main world
function injectScript() {
    var s = document.createElement('script');
    s.setAttribute("charset", "UTF-8");
    // chrome.runtime.getURL resolves to the extension's copy of inject.js
    // (inject.js must be listed under web_accessible_resources in the manifest)
    s.src = chrome.runtime.getURL('inject.js');
    s.onload = function() {
        //this.remove();
    };
    // Prepend so the script runs before the page's own scripts
    (document.head || document.documentElement).prepend(s);
}
injectScript();

In inject.js there is an interval that tries to find and parse the captcha data needed to solve it, and after parsing sends it to the solver server via an Ajax request.

I tried different methods, adding at the beginning of inject.js:

  1. A variable that holds the still-original XMLHttpRequest constructor - var dihdkn278dm = XMLHttpRequest - and then creating a dihdkn278dm object instead of an XMLHttpRequest one;
  2. A variable that holds a still-original XMLHttpRequest object - var dihdkn278dm = new XMLHttpRequest() - and then using it instead of creating a new request object;
  3. A variable that holds the XMLHttpRequest send function (yes, it is just native code).

However, by the time send is called in the code, it has already been overwritten.

Any ideas how to bypass it? Only by inspecting the obfuscated code?

*fetch is also overridden

  • Send a message to your content script ([example](https://stackoverflow.com/a/19312198)) which will call fetch/XMLHttpRequest, then send a message with the result. Content scripts are isolated so these will be the original builtins. – wOxxOm Dec 26 '21 at 11:16
  • @wOxxOm, yeah, thought about this – bcubeu26dncs Dec 27 '21 at 13:14

0 Answers