// mirage

WAF bypass & antibot

Pro tier

Look like real Chrome to every WAF and anti-bot system — TLS JA3/JA4, HTTP/2 SETTINGS, navigator, WebGL, canvas and fonts all match a coherent browser profile. Challenge scripts execute natively and set the bypass cookie.

Download — free →the whole window →
// Capabilities

What it does

Chrome 134 TLS fingerprint

The proxy's upstream connector reproduces Chrome's exact ClientHello — cipher order, X25519MLKEM768 post-quantum key exchange, GREASE, extension permutation. JA3/JA4 hashes match real Chrome, bypassing Cloudflare, Akamai, Imperva and DataDome TLS fingerprinting.

HTTP/2 fingerprint matching

Akamai-format HTTP/2 fingerprint string with Chrome's exact SETTINGS, WINDOW_UPDATE and pseudo-header order (m,a,s,p). The scanner and crawler produce the same H2 fingerprint as the browser, so WAFs can't split traffic by protocol layer.

navigator & window spoofing

webdriver=false, 5 Chrome PDF plugins, Client Hints (Sec-CH-UA with getHighEntropyValues), hardwareConcurrency, deviceMemory, 130+ native functions return [native code]. Automation artifacts (cdc_, __selenium, __playwright, _phantom) are deleted from window.

WebGL, canvas & fonts

WebGL renderer strings match the OS (ANGLE Apple Metal on macOS, NVIDIA on Windows), canvas noise is consistent per-profile, and font enumeration returns OS-correct lists (Helvetica Neue on macOS, Segoe UI on Windows). Cross-layer validation catches mismatches anti-bot systems flag.

anti-bot challenge execution

DataDome, Akamai and PerimeterX challenge scripts execute in the Boa JS engine with full Chrome 134 spoofing. Cookies set by challenge scripts flow into every subsequent sub-resource request, so the bypass sticks for the whole session.

WAF detection & FP suppression

35 WAF signatures (Cloudflare, Imperva, Akamai, DataDome, PerimeterX, Sucuri, F5, Fortinet, Wallarm, Radware) detected via Aho-Corasick. The scanner suppresses false positives on WAF-blocked responses and backs off after consecutive blocks — no more noise from WAF tarpits.

WAF evasion engine

Encoding mutations (double/triple URL, overlong UTF-8, mixed-case hex), Unicode tricks (enclosed alphanumerics that NFKC-normalize, homoglyphs, zero-width chars), header bypasses (X-Forwarded-For, X-Original-URL, True-Client-IP), chunked transfer abuse, protocol quirks and content-type confusion — 8 categories of payload mutation.

captcha solving & shadow worker

Detects DataDome, GeeTest, hCaptcha, reCAPTCHA and Turnstile. Shadow worker runs fetch() inside a Web Worker outside DataDome's hooks, persona distribution spreads requests across browser tabs with separate cookie contexts, and a 3-phase shadow session warms trust before high-speed extraction.

// Detail

Coherent, not bolted on

Burp and Caido have no native TLS fingerprint matching — you need extensions or a separate proxy. Hugin builds the Chrome 134 profile into the MITM engine itself: the proxy, the scanner, the crawler and the browser all share one coherent fingerprint across TLS, HTTP/2, headers and JavaScript. A WAF that fingerprints any layer sees the same Chrome on every layer.

TLS JA3/JA4

Chrome 134 cipher list, X25519MLKEM768 post-quantum hybrid key exchange, GREASE per-connection random, extension permutation (Chrome 110+ randomizes order to defeat static JA3). OCSP stapling, SCT, ALPN h2+http/1.1.

HTTP/2 Akamai fingerprint

HEADER_TABLE_SIZE=65536, ENABLE_PUSH=false, MAX_CONCURRENT_STREAMS=1000, INITIAL_WINDOW_SIZE=6291456, MAX_HEADER_LIST_SIZE=262144, ENABLE_CONNECT_PROTOCOL=true, NO_RFC7540_PRIORITIES=true. WINDOW_UPDATE=15663105. Pseudo-header order m,a,s,p.

Anti-detection hardening

navigator.webdriver=false (not undefined), Object.isFrozen(navigator.languages)=true, Function.prototype.toString returns [native code] for 130+ functions, cdc_/__selenium/__driver/__playwright/_phantom deleted, webdriver moved to prototype so getOwnPropertyDescriptor returns undefined.

WAF signatures

35 signatures via Aho-Corasick: cloudflare, cf-ray, aws waf, awselb, imperva, incapsula, sucuri, mod_security, fortigate, barracuda, f5 big-ip, citrix netscaler, perimeterx, px-captcha, datadome, shape security, reblaze, wallarm, radware, appwall, fastly, stackpath. Bot-challenge interstitial detection at any status including 200.

Encoding mutations

Double/triple URL encoding, IIS %u encoding, mixed-case hex, overlong UTF-8, null-byte injection, HTML entities, hex string — each payload runs through the chain before sending.

Unicode bypass

Enclosed alphanumerics (①②⑦.⓪.⓪.① for 127.0.0.1) that NFKC-normalize to ASCII on Python/Ruby backends but bypass WAF regex. Cyrillic homoglyphs (а/е/о/р/с/х/у/i), zero-width chars (ZWSP/ZWNJ/ZWJ/BOM), RTL override, IDN homograph attacks.

Header bypasses

14 IP-spoofing headers (X-Forwarded-For, X-Real-IP, CF-Connecting-IP, True-Client-IP, Fastly-Client-IP) × 10 values. URL rewriting (X-Original-URL, X-Rewrite-URL) × 12 path variants. Host manipulation, method override (16 methods incl. PROPFIND/MKCOL), cache poisoning, protocol downgrade.

Shadow worker & personas

Web Worker fetch() outside DataDome's window.fetch hooks — 3 workers at 16 rps = ~49 req/s. Persona distribution across browser tabs with separate cookie contexts. 3-phase shadow session: warm trust → harvest datadome cookie → high-speed extraction.