Reese84 Dynamic

Reese is an advanced bot detection and protection system used by Imperva / Incapsula. Websites protected by Reese dynamic display a "Pardon Our Interruption" page to visitors. To gain access to the protected content, clients must solve a JavaScript challenge and submit the correct payload.

Challenge Flow Overview

The Reese challenge follows this sequence:

Initial Request: Client requests a protected page
Challenge Page: Server returns a challenge page with a script reference
PoW Request (if required): Client retrieves the Proof of Work value
Payload Generation: Client uses our API to generate the correct payload
Payload Submission: Client submits the payload to the challenge endpoint
Access Granted: Upon verification, client can access the protected content

Implementation Guide

Step 1: Initial Request & Challenge Detection

When you make a request to a protected resource, you'll receive a "Pardon Our Interruption" page instead of the expected content:

GET / HTTP/2
Chrome: Headers

The response will contain HTML with a script tag that includes essential parameters:

<script>
  if (!isSpa) {
    var scriptElement = document.createElement('script');
    scriptElement.type = "text/javascript";
    scriptElement.src = "/onalbaine-legeance-what-come-Womany-Malcome-to-o/14167535692918208311?s=xcUvM9nI";
    scriptElement.async = true;
    scriptElement.defer = true;
    document.head.appendChild(scriptElement);
  }
</script>

Step 2: Extract Script URL

Extract the script path and full URL from the challenge page using regex:

// Extract the script path
const pathRegex = /<script[\s\S]*?src\s*=\s*"(\/[^"?]+)(?:\?([^"]+))?"[\s\S]*?<\/script>/i;
const matches = pathRegex.exec(htmlContent);

if (matches && matches.length >= 2) {
  const scriptPath = matches[1]; // e.g., "/onalbaine-legeance-what-come-Womany-Malcome-to-o/14167535692918208311"
  const queryParams = matches[2] || ""; // e.g., "s=xcUvM9nI"
  
  const scriptUrl = `https://www.example.com${scriptPath}${queryParams ? '?' + queryParams : ''}`;
  // Result: "https://www.example.com/onalbaine-legeance-what-come-Womany-Malcome-to-o/14167535692918208311?s=xcUvM9nI"
}

Step 3: Retrieve Proof of Work (If Required)

Some sites require an additional Proof of Work (PoW) challenge. To determine if a site requires PoW, observe the network requests in your browser's developer tools. If you see a POST request to the Reese84 script endpoint with the body {"f":"gpc"}, the site uses PoW.

If PoW is required, make a POST request to the script path with ?d=yourdomain.com appended:

POST /onalbaine-legeance-what-come-Womany-Malcome-to-o/14167535692918208311?d=www.example.com HTTP/2
Chrome: Headers
Content-Type: text/plain; charset=utf-8

{"f":"gpc"}

The server will respond with a PoW string value:

"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9..."

Save this value for the next step.

Step 4: Generate the Payload

Use our API to generate the Reese payload. Our service handles all the complex aspects of creating a properly formatted payload that will pass Incapsula's verification.

Our API will return the properly formatted payload string needed for the next step.

Step 5: Submit the Payload

Post the generated payload to the challenge endpoint:

POST /onalbaine-legeance-what-come-Womany-Malcome-to-o/14167535692918208311?d=www.example.com HTTP/2
Chrome: Headers

[YOUR_GENERATED_PAYLOAD]

The server will respond with a token in JSON format:

{
  "token": "3:2wlemniq+CXN97167oNjyw==:EraPjamziyuz1z+y39IgCL7kGmQUj5ld8/s0lTnEtTyBBRpPH9xQvUynVmaj71KMkuqqU8qQkr61D6KI89fI529NeoOdI+yiiM0Pob4t/yT1P8sNLNxICsnsYl3GWOVl8cHRSVITO69rmzmBVXqPKb7jQBP821axacX4loeamBKiKtrzJDW0t64/ABgSnmrEu5KrRPXcRBvbpPNY1LortqTRSuol2xgbTxXQOM2yTtAFQosGR8BJHiZx0/cNhlMLTeFn0U5OreWsPWgeT1ySeaM4hvxa80sO+eKCgpDpnoh6WUIq/RGyeoT4tyiKtI+LghDNC/KJVLFE1OpmvPg/Brr6S13ld0zFJDUd9cAJjCJd3xN4+pcDVyJAO37QWgbPOB722vNj+kXzsrhj0Te1Wy8BROcnIme87k4MiV2E3mLA28oYQumiR1o9rOI8WvHfnnLuKtVZ+c39RokblFF7AbYr+L/6ve8eoINzuF4a09fuCPNHQ9uMS3v250TpkW1PRBsNVGYCMX/09yWUWxul8w==:9m6vPAYT5ejoAXhWTNnpAkPCZPdltpDQUzsxzB47l+Y=",
  "renewInSec": 896,
  "cookieDomain": "www.example.com"
}

Step 6: Store the Token & Access Protected Content

Save the token as a cookie named reese84 with the domain from the response. Now make your request to the previously protected resource:

GET / HTTP/2
Chrome: Headers
Cookie: reese84=3:2wlemniq+CXN97167oNjyw==:EraPjamziyuz1z+y39IgCL7kGmQUj5ld8/s0lTnEtTyBBRpPH9xQvUynVmaj71KMkuqqU8qQkr61D6KI89fI529NeoOdI+yiiM0Pob4t/yT1P8sNLNxICsnsYl3GWOVl8cHRSVITO69rmzmBVXqPKb7jQBP821axacX4loeamBKiKtrzJDW0t64/ABgSnmrEu5KrRPXcRBvbpPNY1LortqTRSuol2xgbTxXQOM2yTtAFQosGR8BJHiZx0/cNhlMLTeFn0U5OreWsPWgeT1ySeaM4hvxa80sO+eKCgpDpnoh6WUIq/RGyeoT4tyiKtI+LghDNC/KJVLFE1OpmvPg/Brr6S13ld0zFJDUd9cAJjCJd3xN4+pcDVyJAO37QWgbPOB722vNj+kXzsrhj0Te1Wy8BROcnIme87k4MiV2E3mLA28oYQumiR1o9rOI8WvHfnnLuKtVZ+c39RokblFF7AbYr+L/6ve8eoINzuF4a09fuCPNHQ9uMS3v250TpkW1PRBsNVGYCMX/09yWUWxul8w==:9m6vPAYT5ejoAXhWTNnpAkPCZPdltpDQUzsxzB47l+Y=

Implementation Best Practices

Preserve Headers: Maintain consistent headers and header-order between requests
Token Renewal: The token has an expiration time (renewInSec). Consider implementing a renewal mechanism

API Integration Notes

Our API simplifies the complex process of generating valid Reese payloads.

For detailed API specifications, endpoint documentation, and usage examples, please refer to our API Reference Documentation.

PreviousReese84 NextIncapsula Captcha Block

Last updated 11 days ago