[How to Identify Different CAPTCHA Types]

How to Identify Different CAPTCHA Types

Please review the terms of use for the content provided on this website

What is CAPTCHA

CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) is a technology designed to secure websites. It protects against spam, data theft, DDoS attacks, and other malicious automated actions.

CAPTCHAs are constantly updated and improved to further hinder potentially dangerous scripts. To verify website visitors and determine if they are humans or bots, developers create various testing methods and entire systems for data protection. Users may be prompted to enter text, select images, solve a puzzle, or recognize distorted audio. Modern technologies also strive to minimize inconvenience for real users by allowing background checks that require no actions and activating only when suspicious automation use is detected.

This article will help you identify CAPTCHA types and understand their basic mechanisms by locating specific elements in HTML code. So, let’s get started!

Get started now and automate your solution hCaptcha

Start now Demo

How Do CAPTCHAs Work

CAPTCHA is a great way to maintain security on websites. The general stages of these protection systems on target sites include:

Task Generation: CAPTCHA generates a task to solve. This might be distorted text, image selection, audio, or an interactive element like a slider. To make it harder for bots, text may be distorted, and audio may be cluttered with noise.
CAPTCHA Element on Page: CAPTCHA is added as a visible element, such as a text field, image, or slider. Some CAPTCHAs, like Google reCAPTCHA, load scripts from servers for real-time display.
User Interaction: The user interacts with the CAPTCHA by entering text, selecting images, or moving a slider. When the task is completed, the response is sent to the server for verification.
Verification: The server checks the response for accuracy and compliance. Modern CAPTCHAs also analyze user behavior, such as request frequency, JavaScript usage, mouse movements, and text input patterns.
Outcome:
- Success: If the response is correct or behavior appears natural, access is granted.
- Failure: If the response is incorrect or behavior seems suspicious, CAPTCHA may request a retry or block access.

Protection System Check Methods

Bot developers are also evolving, and simple text CAPTCHAs may no longer be effective in distinguishing real users from automated systems. Modern technologies continuously develop more complex and combined website protection methods. Let's go over some of these:

HTTP Request and Response Analysis
- Request and response headers are analyzed: User-Agent, Referer, Accept-Language, and Cookies. The absence of standard values may indicate automation.
- Parameters in URLs and POST requests are checked for suspicious or non-standard values.
- Request frequency from a single IP is measured. High frequency may suggest bot activity.
- Presence and validity of cookies are checked to identify sessions and prevent repeated attacks.
TCP/IP Analysis
- TCP session setup and breakdown characteristics are analyzed – connection times, request frequency, and delays. Bots may exhibit unusual behavior compared to real users.
- Packet transmission patterns are examined for recurring patterns or atypical delays, which may suggest automation.
TLS Session Analysis
- Certificates are checked for suspicious or fake ones. Unusual values in certificates may indicate an attempt to bypass protection.
- Encryption usage and data decoding processes are evaluated (bots may struggle with encryption handling).
Device Fingerprinting
- Browser profiling: Data such as browser version, plugins, fonts, and JavaScript settings are collected to distinguish real users from bots.
- Device characteristics are analyzed: screen resolution, OS settings, and device type. Bots often use virtual or unusual devices.
- User behavior is evaluated: mouse movement, typing speed, and interaction frequency.

How to Identify the Name and Type of Any CAPTCHA

Users often encounter CAPTCHA on certain sites but may not know what kind it is. To determine the type, use the Developer Tools (DevTools) and follow these steps:

Open DevTools: Press Ctrl+Shift+I (or Cmd+Option+I on Mac) or right-click on the page and select “Inspect” (or equivalent).
Go to the Elements Tab: This tab displays the page's HTML code. Use it to locate the CAPTCHA element.
Find the CAPTCHA Element: Click on the element selection icon (it looks like an arrow in the top-left corner of DevTools) and select the CAPTCHA on the page to highlight the corresponding HTML code.
Inspect HTML and Attributes: Check the HTML code of the highlighted element. CAPTCHA may have unique identifiers or classes to help identify its type (e.g., class="g-recaptcha" for Google reCAPTCHA).
Go to the Network Tab and Refresh if Needed: Here, you can see all network requests related to the CAPTCHA. Look for API or script requests that provide clues.
Find Scripts in the Sources or Network Tab: Identify scripts that load or initialize CAPTCHA, which may give additional information about its type and source.

Types of CAPTCHA Supported by CapMonster Cloud and How to Identify Them

For people, solving CAPTCHA is usually easy, but it can be a serious barrier for bots. Although many automated systems are used for non-malicious purposes, like site testing, safe scraping, and automating routine tasks, protection mechanisms can still slow down and complicate their operation. CAPTCHA bypass requires considerable effort and time to adapt code. The CapMonster Cloud service simplifies this process, offering solutions for most popular CAPTCHA types:

reCAPTCHA v2, v3, Invisible, Enterprise
hCaptcha
GeeTest
Cloudflare Turnstile and Challenge
Text CAPTCHA
DataDome
TenDI
Amazon CAPTCHA and Challenge

To send a CAPTCHA-solving task to CapMonster Cloud, it is essential to know its type and exact version. Let's take a closer look at each CAPTCHA type, its features, and how to find its identification data to help you quickly identify any CAPTCHA and successfully solve it with CapMonster Cloud!

reCAPTCHA

reCAPTCHA is developed by Google and uses a combination of browser history analysis, user behavior, IP address, and other indicators to distinguish humans from bots. If reCAPTCHA detects anything suspicious, it may ask the user to confirm their “humanity.” The main versions of reCAPTCHA are:

reCAPTCHA v2: This involves checking a box labeled "I'm not a robot" or completing a task, like selecting images with a particular object (motorcycles, cars, traffic lights, etc.). An audio CAPTCHA may also be offered.
reCAPTCHA v3: This version requires no user interaction. It analyzes user behavior on the page and assigns a score (1.0 – likely a real visitor, 0.0 – likely a bot). Low scores may trigger additional checks.
Invisible reCAPTCHA: Part of v2 but without a visible checkbox. Like v3, it runs in the background and prompts user interaction only when suspicious behavior is detected.
reCAPTCHA Enterprise: An advanced version for website protection.

How to Distinguish reCAPTCHA v2 Invisible from reCAPTCHA v3 and Enterprise

Visible reCAPTCHA v2 can be identified by the checkbox and task prompts. Invisible CAPTCHAs can be distinguished by the following characteristics: reCAPTCHA v2 Invisible has elements with data-sitekey and data-callback attributes.

reCAPTCHA v3 – in the Network tab, you can see a request with the keyword "render":

reCAPTCHA Enterprise (the same for versions 2 and 3) can be identified by the keyword “enterprise,” for example, in the requests.

hCaptcha

hCaptcha is similar to reCAPTCHA, but it is more privacy-focused. This popular service also offers several methods for user verification. Primarily, it involves selecting certain objects in images; however, some tasks can be challenging not only for bots but also for real website visitors.

Types of hCaptcha

hCaptcha Checkbox: The most common type of hCaptcha, similar to the reCAPTCHA v2 Checkbox. The user sees a checkbox with the label "I'm not a robot" and needs to tick it. If all goes well, this action alone may allow the user to continue using the website. However, if the system suspects automated behavior, it may prompt the user to complete an additional task, such as selecting certain objects.
hCaptcha Invisible: This type operates in the background, requiring no user actions unless automated behavior is suspected. If the system detects a potential threat, it may display a CAPTCHA. In most cases, it is not visible on the site at all.
hCaptcha Enterprise: Provides advanced integration options for corporate systems with high-security requirements. It features more flexible verification settings, the ability to adapt to various usage scenarios, and also supports analytics and reporting.

How to Distinguish hCaptcha Types

hCaptcha Checkbox: This type is easy to identify by the visible checkbox on the page. It includes a <div> element with classes that contain the words h-captcha or hcaptcha-checkbox.

hCaptcha Invisible can be identified by the keyword “invisible” in requests or among the elements.

hCaptcha Enterprise may look like a regular CAPTCHA, but it usually includes more complex and multi-level tasks. Its code (which appears more extensive compared to regular hCaptcha) contains hidden additional settings and enhanced security parameters.

GeeTest

GeeTest offers interactive puzzles, such as selecting certain objects in a specific order, solving a puzzle by moving a slider, or simply clicking in a designated area. GeeTest uses adaptive technologies to minimize inconvenience for real users while increasing difficulty for automated systems.

This type of CAPTCHA comes in two versions: v3 and v4 (Adaptive CAPTCHA). The fourth version features greater flexibility, automatically adjusting the difficulty of the task. For real users, the CAPTCHA remains simple and easily solvable, but if the system suspects automation, the difficulty level will increase accordingly. Like many other CAPTCHA types, it also has an audio mode for alternative completion.

GeeTest v3

This version supports several CAPTCHA modes: Intelligent mode, Slide CAPTCHA, Icon CAPTCHA, and Space CAPTCHA.

GeeTest v4

Similar to the third version, it also has several main completion modes: Slide CAPTCHA, Icon CAPTCHA, IconCrush CAPTCHA, Image CAPTCHA, Gobang CAPTCHA, and NoCAPTCHA.

NoCAPTCHA is the simplest mode, where the user is required only to click the “Click to verify” button. If the user’s “humanity” is confirmed during the background check, a “Verification Success” message appears.

Differences Between v3 and v4:

You can distinguish the GeeTest versions using Developer Tools based on the following parameters:

v3:
- Uses two key parameters for initialization: gt (GeeTest ID) and challenge (unique session identifier).
- The script for version 3 is often loaded from URLs containing the path /gt.js.
- Sends requests to the server with addresses containing /validate.php or /get.php.

In version 4, the script can be loaded from paths containing v4; instead of gt, captcha_id is used.

Cloudflare Turnstile and Challenge

Cloudflare offers an alternative to CAPTCHA with task-based verification. The verification can be completed by clicking the “Verify you are human” button or running in the background based on browser settings, user behavior, and network data. If a visitor successfully passes the verification, their request will be processed. If not, the request will be blocked. There are two mechanisms for this type of CAPTCHA: Turnstile and Challenge page.

Turnstile

The Turnstile widget is integrated into the site where protection is needed. The types of Turnstile widgets include:

Non-interactive verification: No user action is required; it checks signals from the browser and device to identify bots.
Non-intrusive interactive verification: Requires minimal interaction (e.g., checking a box) if there are suspicions of automated actions.
Invisible browser verification: Works in the background without any visual elements for the user.

Challenge

When trying to access the target website, the user is redirected to a separate verification page that requires them to wait for 5 seconds or check the box next to “Verify you are human.” This method can be more intrusive as it requires the user to perform additional actions to gain access to the site.

Types of verifications using the Challenge page:

Managed challenge (recommended): Cloudflare automatically selects the appropriate verification method based on the request. This helps avoid CAPTCHA and reduces the time users spend solving verifications.
JS-Challenge: Requires no actions from the user, only JavaScript processing in the browser. It usually takes less than five seconds.
Interactive verification: Requires user interaction with the verification page (e.g., pressing a button).

The Challenge can be most easily recognized using DevTools by the following characteristic: upon the first request to the target site, a response code of 403 is returned.

Text CAPTCHA (ImageToText)

This type of CAPTCHA asks users to recognize and enter the text displayed in an image during verification. It can consist of a combination of letters, numbers, whole words, or special characters. Previously, this was the most popular method for checking users against bots, but today it is becoming less common, giving way to more modern and effective solutions.

You can identify the presence of an ImageToText CAPTCHA by the following characteristics:

The CAPTCHA consists of an image and an input field for entering the recognized text. The image can be embedded using the <img> tag with a src attribute pointing to the file containing the CAPTCHA image, while the input field may contain an <input> tag with a type of text.

To search for the <img> element that loads the image, you can use the following JavaScript code in the Console:

document.querySelector('img[src*="captcha"]');

DataDome

Like other similar advanced systems, DataDome employs both server-side and client-side methods to detect bots by analyzing user behavior, geolocation, network data, browser fingerprints, and other parameters using multilayer machine learning algorithms. DataDome can even identify automated browsers (such as Selenium, Puppeteer, Playwright) and may use JavaScript obfuscation to complicate the analysis of its code.

You can determine the presence of DataDome protection on a site by the loading of a JavaScript file from DataDome:

DataDome contains specific cookies (which can be obtained on the page using document.cookie or in the request header Set-Cookie: "datadome=..."), for example:

"datadomeCookie": "datadome=VYUWrgJ9ap4zmXq8Mgbp...64emvUPeON45z"

Tencent Captcha (TenDI)

TenDI Captcha also uses advanced and sophisticated comprehensive methods to verify users, including trajectory analysis, characteristic identification, and other security mechanisms. A real user may not notice the verification on the target site, but if the system suspects the use of automation, a CAPTCHA may be initiated.

Tencent Captcha offers several types of verification:

Slider CAPTCHA: A simple verification where users just move a slider.
Graphical CAPTCHA: Requires sequential clicks on shapes in the image.
Continuous CAPTCHA: The system automatically assesses the risk and returns the verification result via API without requiring responses from the user. This is suitable for an improved user experience.
Audio CAPTCHA: Offers an audio-based verification, where users input the content of the listened audio.
Smart Verification: Intelligently identifies user characteristics, allowing verification only for those who raise suspicion.

You can identify the presence of Tencent verification on a site, for example, by the loading script TCaptcha:

In requests, the URL used is – https://ca.turing.captcha.qcloud.com.

Amazon CAPTCHA and Challenge

CAPTCHA and Challenge from AWS WAF (Amazon Web Service) are two user verification mechanisms to protect websites. Here’s how they differ:

CAPTCHA offers users tasks to complete, such as entering text (less commonly used), moving a slider, selecting objects in an image, or listening to and entering words from audio.
Challenge works in the background by analyzing session parameters and request behaviors (e.g., request frequency, JavaScript usage, mouse behavior, cookies). If the verification is successful, the user continues working on the site. Otherwise, the request may be blocked, or the user may be presented with a CAPTCHA for additional verification. The system may increase the verification level upon detecting signs of automation.

How to Distinguish Between Challenge and CAPTCHA

Challenge: Background verification with no visible interface, but headers and data related to session analysis can be seen in requests.
CAPTCHA: Visible verification elements, such as image selection, as well as specific requests and responses to the CAPTCHA server.

The CAPTCHA code contains the GokuProps Script, as well as links to challenge.js and captcha.js:

So, we’ve covered the main popular types of CAPTCHAs, their general functioning, and methods of identification. Of course, there are many other similar types of CAPTCHAs, but based on the information from this article, you should be able to easily determine their type and continue working with them. Each CAPTCHA is unique and has its own protective methods—from traditional text-based options to modern adaptive systems. The world of technology is always evolving, and it’s important to keep up with the latest changes in protective methods.

We hope this article has been helpful and has clarified various aspects of CAPTCHAs and how to bypass them. We encourage you to experiment with Developer Tools to better understand how these systems work and to use CapMonster Cloud for effective CAPTCHA-solving tasks!

Note: We'd like to remind you that the product is used to automate testing on your own websites and on websites to which you have legal access.