# Imperva Incapsula

This document outlines technical details for our API endpoints, required parameters, and expected response formats, enabling effective navigation around Imperva (formerly known as Incapsula) security measures.

# What is Imperva (formerly Incapsula)?

Imperva's Incapsula Web Application Firewall (WAF) is a cloud-based security solution that filters and monitors HTTP/HTTPS traffic to prevent threats such as SQL injection, XSS, and DDoS attacks. It analyzes incoming requests in real-time using machine learning and threat signatures, blocking malicious requests before they impact the application. The WAF includes IP blocking, bot detection, and traffic profiling capabilities, ensuring security without disrupting legitimate traffic. Additionally, its seamless integration with existing infrastructure provides automated and tailored protection specifically designed for modern web applications.

# How Incapsula works

Websites secured by Incapsula often employ specific cookies to validate user sessions and browser characteristics, primarily aiding in bot detection and security measures. Two such cookies are commonly used:

Incapsula-protected sites, especially those offering ticketing services, frequently rely on the reese84 cookie, which contains a secure, encrypted payload verifying the legitimacy of user sessions. This helps prevent automated scraping and unauthorized access attempts.

Another cookie, ___utmvc, is used to validate browser environment details, identifying potential inconsistencies or patterns suggestive of automated tools. Its presence is often indicative of Incapsula protection, ensuring only legitimate browser requests are granted access.

Detection of Incapsula's Web Application Firewall typically involves monitoring network requests for these cookies. Observing interstitial blocks or session challenges that require valid interactions with these cookies strongly suggests the presence of Incapsula WAF. This security layer filters out potential threats and unusual behavior by only allowing requests from recognized sessions and browsers.

Incapsula cookie example

The ___utmvc cookie is now rarely seen; reese84 has become the primary cookie used for session validation on Incapsula-protected sites.

# Incapsula challenges

To detect Incapsula protection on a website, open DevTools in your browser and inspect the network requests. You'll typically notice an initial GET request with a URL containing a random, unusual string, such as https://www.smythstoys.com/mbit-And-Dirers-him-Face-and-sure-such-Parry-qui.

This request is part of Incapsula’s verification process. After this initial GET, you’ll likely see a POST request to the same URL but with an added query parameter like: https://www.smythstoys.com/mbit-And-Dirers-him-Face-and-sure-such-Parry-qui?d=www.smythstoys.com.

Incapsula Challenge request

This POST request includes a payload generated after verifying your browser environment. This interaction is designed to validate that the client is a legitimate browser, and the presence of these requests is a clear indication that Incapsula’s WAF is active on the site.
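The two indicators described above (the reese84 / ___utmvc cookies and the GET-then-POST challenge pair with `?d=<hostname>`) can be checked over recorded traffic to confirm that each hostname you operate is actually served through the WAF. The following is an added example, not code from the original page or from Imperva; the function names, capture layout, hostnames, paths and cookie values are all constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Cookie names this page associates with Incapsula validation.
INCAPSULA_COOKIES = {"reese84", "___utmvc"}

def incapsula_cookies(set_cookie_headers):
    """Names of Incapsula cookies present in a list of Set-Cookie header values."""
    names = {h.split("=", 1)[0].strip() for h in set_cookie_headers if "=" in h}
    return names & INCAPSULA_COOKIES

def challenge_urls(requests):
    """URLs that show a GET followed by a POST to the same path with ?d=<hostname>."""
    seen_get, hits = set(), []
    for method, url in requests:
        u = urlsplit(url)
        base = f"{u.scheme}://{u.hostname}{u.path}"
        if method.upper() == "GET" and not u.query:
            seen_get.add(base)
        elif method.upper() == "POST" and base in seen_get:
            if parse_qs(u.query).get("d") == [u.hostname] and base not in hits:
                hits.append(base)
    return hits

def unprotected_hosts(captures):
    """Hosts whose capture shows neither marker; candidates for a routing review."""
    gaps = []
    for host, cap in captures.items():
        cookies = incapsula_cookies(cap.get("set_cookie", []))
        challenges = challenge_urls(cap.get("requests", []))
        if not cookies and not challenges:
            gaps.append(host)
    return sorted(gaps)

# Constructed sample captures (hostnames, paths and cookie values are made up).
CAPTURES = {
    "shop.example.com": {
        "set_cookie": ["reese84=3:constructed-value; Path=/; Secure; HttpOnly"],
        "requests": [
            ("GET", "https://shop.example.com/constructed-Challenge-path"),
            ("POST", "https://shop.example.com/constructed-Challenge-path?d=shop.example.com"),
        ],
    },
    "legacy.example.com": {
        "set_cookie": ["sessionid=abc123; Path=/"],
        "requests": [("GET", "https://legacy.example.com/")],
    },
}

if __name__ == "__main__":
    print("No Incapsula markers seen on:", unprotected_hosts(CAPTURES))
```

A host listed here is only a candidate for review: a single capture can miss the markers when the client already holds a valid cookie, so confirm against DNS and edge configuration before concluding the host is reachable without the WAF.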

# Detecting Datadome Websites

When attempting to access a Datadome-secured website, you may receive an HTTP response with a 403 Status Code, indicating forbidden access. The response body often contains unusual HTML content, which warrants closer examination to understand the underlying security mechanism.

To detect if a website is protected by Datadome, you can check if the website returns a datadome cookie in the response headers. If the cookie is present, it indicates that Datadome's protection is active for that particular site.

:::code source="./snippets/footlocker.html" :::

# Deciphering the dd Dictionary: Challenge Type Indicator

A crucial element in navigating Datadome's security measures is the dd dictionary, which plays a key role in constructing the challenge URL. Notably, the rt value within this dictionary serves as an indicator of the upcoming challenge type. Specifically:

  • i: Signals an Interstitial challenge
  • c: Indicates a Captcha Slide challenge, requiring users to complete a sliding puzzle verification

# Bypassing Datadome Protection

Our API offers a convenient solution for overcoming Datadome's security measures, enabling seamless access to protected websites. By leveraging our API, you can automate the challenge-solving process, which in turn generates the required datadome cookie. This streamlined approach eliminates the hassle of manual verification, allowing you to efficiently access Datadome-secured websites through our simplified integration.