Amazon AWS WAF
and CapMonster Cloud

Captcha solution, site integration, and testing.

Inherited a site with a captcha or another protection layer but no access to the source code? In that case you naturally ask: which solution is installed, is it configured correctly, and how can the workflow be tested?

In this article, we have tried to answer all the key questions. The first step in solving the task is to determine which protection system is being used. To do this, you can refer to the list of popular captchas and anti-bot protection systems, where you will find visual examples and key indicators that help you quickly understand what you are dealing with.

If you discover that your site uses Amazon AWS WAF, the next step is to study its properties and operation in more detail. In this article, you can also review the instructions on how to integrate Amazon AWS WAF so that you fully understand how it functions on your site. This will help you not only understand the current protection, but also properly plan its maintenance.

What is AWS WAF by Amazon

AWS WAF (Amazon Web Services Web Application Firewall) is a cloud-based web firewall from Amazon that protects sites, APIs, and web applications from attacks and malicious traffic. Simply put, it is a filter that sits in front of your site or API and decides which visitor traffic to allow and which to block.

If Challenge/CAPTCHA is enabled on the site, the visitor may see a separate verification page. They will be asked to complete a task, such as selecting all images from a category, to confirm they are not a bot.

How to solve AWS WAF via CapMonster Cloud

When testing resources protected by AWS WAF, it is important to ensure that the protection works correctly and is integrated properly.

You can manually verify the protection:

Open the page with the form or resource and ensure AWS WAF responds correctly to requests.
Try performing actions that might be restricted by WAF (e.g., massive requests, suspicious headers) — the server should block such requests or return an error.

After successfully passing the check, AWS WAF sets cookies that confirm the user or client has passed verification and trusted traffic is allowed.

For automatic captcha recognition, you can use specialized services, for example, CapMonster Cloud — a tool that accepts captcha parameters, processes them on its servers, and returns ready-made cookies or a token. These can be substituted into the browser to pass the check without user participation.

Working with CapMonster Cloud via API typically involves the following steps:

Creating a task

At this stage, you pass your API key, captcha type, and its parameters. The service returns a unique taskId, which can be used later to get the result.

Sending an API request

The following parameters must be specified in the request to solve AWS WAF:

type - AmazonTask;

websiteURL - address of the main page where the captcha is solved;

challengeScript - link to challenge.js;

The following parameters are taken from window.gokuProps (all are of string type):

websiteKey
context
iv

captchaScript - link to captcha.js (may be absent if you only have a Challenge);

cookieSolution - default is false — in response you will receive "captcha_voucher" and "existing_token". If you require "aws-waf-token" cookies, set the value to true.;

userAgent - Browser User-Agent. Pass only actual UA from Windows OS;

Also, for this task, you need to use your proxies:

proxyType :

http - regular HTTP/HTTPS proxy;
https - try this option if "http" does not work (required for some custom proxies);
socks4 - SOCKS4 proxy;
socks5 - SOCKS5 proxy;

proxyAddress - Proxy IP address IPv4/IPv6;

proxyPort - proxy port;

proxyLogin - proxy server login;

proxyPassword - proxy server password.

Find more details about the parameters and how to gather them automatically before sending a task in the CapMonster Cloud documentation.

Endpoint for sending the task:

https://api.capmonster.cloud/createTask

Request example:

{
  "clientKey": "API_KEY",
  "task": {
    "type": "AmazonTask",
    "websiteURL": "https://example.com/index.html",
    "websiteKey": "h15hX7brbaRTR...Za1_1",
    "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36",
    "captchaScript": "https://234324vgvc23.yejk.captcha-sdk.awswaf.com/234324vgvc23/jsapi.js",
    "cookieSolution": true,
    "proxyType": "http",
    "proxyAddress": "8.8.8.8",
    "proxyPort": 8080,
    "proxyLogin": "proxyLoginHere",
    "proxyPassword": "proxyPasswordHere"
  }
}

Response:

{
  "errorId":0,
  "taskId":407533072
}

Receiving the result

After creating the task, poll the solution status.

Address to receive the result:

https://api.capmonster.cloud/getTaskResult

Request example:

{
  "clientKey":"API_KEY",
  "taskId": 407533072
}

Response:

{
	"errorId":0,
	"status":"ready",
	"solution": {
		"cookies": {
			"aws-waf-token": "10115f5b-ebd8-45c7-851e-cfd4f6a82e3e:EAoAua1QezAhAAAA:dp7sp2rXIRcnJcmpWOC1vIu+yq/A3EbR6b6K7c67P49usNF1f1bt/Af5pNcZ7TKZlW+jIZ7QfNs8zjjqiu8C9XQq50Pmv2DxUlyFtfPZkGwk0d27Ocznk18/IOOa49Rydx+/XkGA7xoGLNaUelzNX34PlyXjoOtL0rzYBxMAQy0D1tn+Q5u97kJBjs5Mytqu9tXPIPCTSn4dfXv5llSkv9pxBEnnhwz6HEdmdJMdfur+YRW1MgCX7i3L2Y0/CNL8kd8CEhTMzwyoXekrzBM="
		},
		"userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36"
	}
}

Substituting aws-waf-token cookies on the page

The data received from CapMonster Cloud (valid AWS WAF cookies) can be substituted into the browser context or HTTP client. After this, the site perceives the request as verified and allows you to continue working without additional checks or challenge pages.

For automation and testing, it is convenient to use Puppeteer, Selenium, or Playwright — they allow you to:

open a page protected by AWS WAF;
add the received cookies to the browser context;
refresh the page with valid verification;
perform further actions (submit forms, navigate pages, test functionality).

This way, you can verify the correctness of the protection and ensure the site correctly accepts and processes valid AWS WAF cookies.

Amazon AWS WAF recognition using ready-made libraries

CapMonster Cloud provides ready-made libraries for convenient work in Python, JavaScript (Node.js), and C#.

Important: these code examples use cookieSolution=False. If you need to obtain cookies as a result, set cookieSolution=True.

Python

JavaScript

Solution, obtaining parameters, and setting cookies

Example in Node.js for the full cycle of captcha recognition on your web page. Possible approaches: use HTTP requests to get HTML and protection system parameters, send the answer, and process the result. Or using automation tools (e.g., Playwright) — open the page, wait for the check, send parameters via the CapMonster Cloud client, get the result, substitute cookies into the browser (for testing you can use both correct and incorrect data), and see the result.

// npm install playwright @zennolab_com/capmonstercloud-client
// npx playwright install chromium

import { chromium } from "playwright";
import { CapMonsterCloudClientFactory, ClientOptions, AmazonRequest } from "@zennolab_com/capmonstercloud-client";

const API_KEY = "YOUR_API_KEY";
const CAPTCHA_URL = "https://example.com";

// Proxy settings
const PROXY = {
    proxyType: "http",
    proxyAddress: "PROXY_HOST",
    proxyPort: 1234,
    proxyLogin: "PROXY_USER",
    proxyPassword: "PROXY_PASS"
};

(async () => {
    // 1) Open the page via proxy and collect AWS WAF parameters
    const browser = await chromium.launch({
        headless: false,
        proxy: {
            server: `http://${PROXY.proxyAddress}:${PROXY.proxyPort}`,
            username: PROXY.proxyLogin,
            password: PROXY.proxyPassword
        }
    });

    const page = await browser.newPage();
    await page.goto(CAPTCHA_URL, { waitUntil: "networkidle" });

    // wait for challenge and captcha scripts to load
    await page.waitForFunction(() => {
        const scripts = Array.from(document.querySelectorAll("script")).map(s => s.src || "");
        return scripts.some(src => src.includes("challenge")) && scripts.some(src => src.includes("captcha"));
    });

    // extract AWS WAF parameters (key, context, iv, links to scripts)
    const params = await page.evaluate(() => {
        const gokuProps = window.gokuProps || {};
        const scripts = Array.from(document.querySelectorAll("script")).map(s => s.src || "");
        return {
            websiteKey: gokuProps.key || null,
            context: gokuProps.context || null,
            iv: gokuProps.iv || null,
            challengeScript: scripts.find(src => src.includes("challenge")),
            captchaScript: scripts.find(src => src.includes("captcha"))
        };
    });

    await browser.close();

    // 2) Solve AWS WAF via CapMonster Cloud
    const client = CapMonsterCloudClientFactory.Create(new ClientOptions({ clientKey: API_KEY }));

    const req = new AmazonRequest({
        websiteURL: CAPTCHA_URL,
        websiteKey: params.websiteKey,
        challengeScript: params.challengeScript,
        captchaScript: params.captchaScript,
        context: params.context,
        iv: params.iv,
        cookieSolution: true,
        proxy: PROXY
    });

    const solved = await client.Solve(req);
    const wafToken = solved.solution.cookies["aws-waf-token"];

    // 3) Substitute aws-waf-token and clear old ones
    const browser2 = await chromium.launch({
        headless: false,
        proxy: {
            server: `http://${PROXY.proxyAddress}:${PROXY.proxyPort}`,
            username: PROXY.proxyLogin,
            password: PROXY.proxyPassword
        }
    });

    const context2 = await browser2.newContext();

    // cleaning old aws-waf-token for your domain
    const existingCookies = await context2.cookies();
    const filteredCookies = existingCookies.filter(c => !(c.name === "aws-waf-token" && c.domain.endsWith(".your-domain")));
    await context2.clearCookies();
    await context2.addCookies(filteredCookies);

    // setting new aws-waf-token
    await context2.addCookies([{
        name: "aws-waf-token",
        value: wafToken,
        domain: ".your-domain",
        path: "/",
        httpOnly: false,
        secure: true
    }]);

    const page2 = await context2.newPage();
    const response = await page2.goto(CAPTCHA_URL, { waitUntil: "networkidle" });

    console.log("Final page status:", response.status());
    console.log("Final page URL:", page2.url());

    await browser2.close();
})();

There is also an excellent opportunity to test captcha recognition using the CapMonster Cloud browser extension, which allows you to quickly check captcha operation directly on the page and monitor the solution process in real-time without writing code – available for installation in Chrome and Firefox.

How to connect AWS WAF to your site

To confidently navigate captcha operation on your site, understand its verification logic, reconnect or reconfigure it, we recommend studying this section. It describes the protection connection process — this will help you quickly figure out all the nuances.

AWS WAF cannot be installed directly on a site. It works only through AWS resources:

Amazon CloudFront (main and best option) — a CDN through which any site can be protected. Works fast, globally, and suits almost all cases.
Application Load Balancer (ALB) — used for server-side sites, APIs, and containers within AWS. If your backend runs in EC2, ECS, EKS — place WAF on ALB.
API Gateway — protection for REST and WebSocket APIs. Suitable for SPA, mobile apps, and microservices.
AWS AppSync (GraphQL API)
Amazon Cognito (login/registration)
AWS App Runner (container apps)
AWS Amplify Hosting (frontend hosting)
AWS Verified Access (access to internal apps)

Step 1. Create an AWS account (if you don't have one)

Go to: https://portal.aws.amazon.com/billing/signup. Create an account > confirm email and phone.

Important: after creation, enable MFA for the root user and create an admin user via IAM Identity Center.

Step 2. You can use the standard or the new AWS WAF interface:

Go to the AWS console
Open AWS WAF. In the left menu, click Try the new experience (if prompted).

Step 3. Create a protection pack (web ACL)

This is the set of protection rules for your resource.

In the menu on the left, select: Resources & protection packs (Web ACLs)
Click Add protection pack (web ACL).

Step 4. Configure application category:

In the Tell us about your app block:

App category — select Web / API / Both
Traffic source — where the traffic comes from (web, API, or both)

These parameters are needed so AWS can suggest optimal rules.

Step 5. Select resources to protect

Click Add resources
Select what you are connecting:

If your site is on CloudFront > select CloudFront distributions
If your backend is on ALB > select Regional resources
If API > select API Gateway REST API
Check the box on the desired resource > click Add.

Step 6. Select a starting rule set.

AWS will offer:

Recommended for you — the best option for beginners

It includes:

basic protection
rules against SQLi and XSS
IP reputation lists
Bot Control (optional)
rules for web/API

Click Next.

Step 7. Configuration (optional)

On the Customize protection pack (web ACL) screen:

Main parameters:

Default action:
- Allow all except blocked — usually selected
- Block all except allowed — if the site is closed
Default rate limits: Limit on the number of requests (DDoS L7 mitigation)
IP addresses: Whitelists/blacklists
Country specific origins: Traffic restriction by country

Logging

Choose where to write logs:

CloudWatch
S3
Firehose

(S3 + Athena is recommended).

Step 8. Create web ACL

Click: Add protection pack (web ACL)

AWS will create rules and bind them to your resource.

Verification

To ensure protection is working:

Open WAF > select your web ACL
Go to Monitoring
Look at:
- traffic charts
- blocked requests
- sample requests

Additional (optional)

Enable CAPTCHA or Challenge
In any rule > Action > CAPTCHA / Challenge
This reduces bot traffic and protects login and form pages.
Add Managed Rule Groups
In the Rule groups section, you can add:
- AWS Managed
- Bot Control
- Account takeover prevention
- Marketplace rules (F5, Imperva, Fortinet)
Link with Shield Advanced. For protection against DDoS (L3–L7).

Possible errors and debugging

Invalid domain or rule — Challenge not displayed

Check that the AWS WAF WebACL is attached to the correct domain (CloudFront Distribution / ALB / API Gateway), the correct path, and that there are no conflicts between rules.

Page load or check timeout

Sometimes the browser or script does not wait for the AWS WAF response. Increase timeouts in tests and ensure the backend processes requests without delays.

Expired AWS WAF cookies

Outdated _aws_waf_token_… or related cookie tags lead to a repeated Challenge or temporary block.

Overly sensitive rules

Excessively strict Bot Control signatures, CAPTCHA rules, or Rate-based rules may block real users.

Incorrect WebACL configuration

Errors in rule order, priorities, or conditions can lead to false positives and blocks.

Protection resilience checks

After integration, make sure the system really protects the site from automated actions.

Execute a request without AWS WAF cookies. The corresponding rule should trigger depending on the configuration.

Check re-entry with valid cookies. The user should pass without repeated checks if the WAF policy allows traffic and the tags are correct.

Perform load testing (k6/JMeter). The WebACL should stably process a large number of requests without 500/503 errors from the protected resource side.

Check behavior with expired or incorrect cookies. Expectation — repeated Challenge or application of the configured Block/Challenge rule.

Security and optimization tips

Configure WebACL according to the risk level. Use Managed Rules (AWS, AWS Marketplace), AWS Bot Control, and custom rules based on IP reputation, headers, rate limiting, and other conditions.

Configure WebACL according to the risk level. Use Managed Rules (AWS, AWS Marketplace), AWS Bot Control, and custom rules based on IP reputation, headers, rate limiting, and other conditions.

Log WAF events. Enable <a href="https://docs.aws.amazon.com/waf/latest/developerguide/logging.html" target="_blank">AWS WAF Logging (Kinesis Firehose / S3 / CloudWatch Logs)</a> to analyze false positives and optimize rules.

Log WAF events. Enable AWS WAF Logging (Kinesis Firehose / S3 / CloudWatch Logs) to analyze false positives and optimize rules.

Add links to <b>Privacy Policy</b> and <b>Terms of Use</b>. This is important for transparency and compliance with security requirements and user expectations.

Add links to Privacy Policy and Terms of Use. This is important for transparency and compliance with security requirements and user expectations.

Conclusion

If you’ve taken over a website that already has a captcha or another protection system installed, but you don’t have access to the code, don’t worry! It’s quite easy to identify which technology is being used. To verify that everything works correctly, you can use the CapMonster Cloud recognition service in an isolated test environment to make sure that the token processing mechanism and the validation logic are functioning properly.

In the case of Amazon AWS WAF, it’s enough to detect the system, observe its behavior, and confirm that the protection is working correctly. In this article, we showed how to identify Amazon AWS WAF and where to find instructions on how to integrate or reconfigure it, so you can confidently maintain the protection and keep its operation under control.

Helpful links

AWS WAF Documentation →

CapMonster Cloud Documentation (working with AWS WAF) →

Overview of web resource protection using AWS WAF →

The CapMonster Cloud browser extension is available for Chrome and Firefox. Full installation and usage instructions are available here.

Amazon AWS WAF and CapMonster Cloud

How to solve AWS WAF via CapMonster Cloud

Additional (optional)

Amazon AWS WAF
and CapMonster Cloud