绕过 PerimeterX, 按住验证码也一并解决。

无需浏览器即可绕过 PerimeterX(现称 HUMAN)。Takion 通过一个 POST 返回有效的 _px3 / _px2 cookie(以及其他相关的 cookie),并通过“按住不放”的 pxhc 验证码,让你的请求顺利通过;如果你访问的是移动应用,则返回 x-px-authorization 请求头。

最后更新 · 覆盖能力已针对一个实时的 PerimeterX / HUMAN 目标测试。

被 PerimeterX 拦住了?

PerimeterX(现称 HUMAN)会拒绝非浏览器流量,除非你的请求带有一组有效的 _px3 / _px2 cookie,并在出现“按住不放”(pxhc) 验证码时将其通过。在移动 SDK 目标上,同样的信任凭证改由 x-px-authorization 请求头承载。Takion 会生成它们,并通过一个 POST 返回,无需无头浏览器,你这边也无需模拟任何手势,你的请求即可通过。一个密钥覆盖所有已支持的防护墙;数据请求时自备代理即可。

试用需要审核

PerimeterX 绕过可能被滥用于欺诈,因此试用不会自动开放。如果你想评估,请先联系我们并说明你的使用场景。

PerimeterX 的工作原理

PerimeterX(现称 HUMAN Security)会基于设备指纹和对你行为的深度遥测分析来计算风险分,这些数据是在“按住不放”验证码或普通页面交互过程中,通过一系列加密提交收集而来的。它的挑战不断轮换,这正是手动跟进极其困难的原因。

Takion 会生成并向 PerimeterX 提交将你的会话列入白名单所需的全部数据,在出现“按住不放”验证码时将其通过,并返回处于已通过状态的 _px3 / _px2 cookie 以及其他所需令牌。一个 POST,无需浏览器,你这边也无需模拟任何手势。返回的 cookie 拿来即可重放。

使用 PerimeterX SDK 的移动应用原理相同:令牌会以 x-px-* 请求头的形式返回,而非 cookie。模式一致,只是取值和计算方式不同。两者我们都支持。

  • Takion 覆盖的挑战
  • 按住不放验证码(pxhc)
  • _px3 / _px2 风险 cookie
  • x-px-authorization 移动端挑战

一次调用返回什么

向 PerimeterX 端点发送一个 POST,即可返回防护墙所需的确切令牌,可直接重放到你的目标站点。

_px3 / _px2 (and any other related one)

已通过状态下的主风险 cookie

x-px-authorization

移动 SDK 目标所需的请求头集合

curl -X POST https://px{web/hc/mobile}.takionapi.tech/generate \
  -H "Authorization: Bearer $TAKION_KEY" \
  -H "Content-Type: application/json" \
  -d '{ "url": "<the url of the page you aim to visit>", "proxy": "<your session proxy>", "extra": "<challenge or website details>" }'

阅读 PerimeterX / HUMAN 文档同一个密钥,通吃每一堵墙。同一种 JSON 结构,适配每一个厂商。

How the PerimeterX bypass works, end to end

No browser, no gesture to fake. Five moves from blocked to data.

  1. 1

    Point Takion at the target

    Grab the PerimeterX app id (_pxAppId) and the page URL of the site you are hitting. That is all Takion needs to know which wall it is minting for.

  2. 2

    You POST it to Takion

    Send the app id, page URL, your session proxy, and the user-agent you will replay to the web endpoint. One call, no SDK to embed.

  3. 3

    We mint the session server-side

    Takion runs the encrypted collector posts PerimeterX expects, builds the device signals its risk engine scores, and clears the press-and-hold captcha if the site serves one. No browser, no page render.

  4. 4

    You get _px3 back, passed

    The response carries the _px3 cookie in its passed state plus an x-px-session-id you can feed to the optional /tls helper to keep the session hot.

  5. 5

    You replay and you are in

    Attach _px3 to your own request, send it through the same proxy with the same user-agent, and PerimeterX sees a trusted session and serves the data.

The PerimeterX surfaces, decoded

One vendor, three shapes. Takion covers each on its own endpoint:

_px3 / _px2
the primary risk cookies PerimeterX sets on the web, returned in their passed state
Press-and-hold (pxhc)
the "press & hold to confirm you are human" block page, solved async and resolved back to a _px3
x-px-authorization
the header the iOS / Android SDK carries the same trust in, with x-px-original-token and x-px-context on some apps
x-px-session-id
Takion's session id, feed it to /tls to send more session-bound requests without re-minting
_pxAppId
the target's PerimeterX app id you hand Takion so it mints against the right deployment

Why request-based beats a headless browser here

The browser way to beat PerimeterX is a fleet of headless instances that render the page, fake a mouse path, and hold down the press-and-hold button for the right duration while the SDK streams encrypted telemetry back to *.perimeterx.net. It works until PerimeterX rotates the challenge, which it does constantly, and then every one of your instances is patching in real time.

Takion skips the browser entirely. We reverse the collector protocol and generate the payload directly, so a web solve is one HTTP round trip and a mobile solve is a header set you merge into your request. No emulator farm, no gesture timing to tune, no container to babysit when the challenge changes overnight. You send JSON, you get the token.

What flags a PerimeterX session

A valid _px3 is necessary, not sufficient. PerimeterX rescoring watches for these the moment you replay:

  • IP mismatch. The cookie is bound to the IP it was minted under. Solve behind the proxy you will actually send from.
  • User-agent drift. PerimeterX ties the session to the user-agent it was built against. Replay the exact one Takion was given, do not swap it.
  • fast_mode on a hard target. The quick solve trades a slightly weaker PX score for speed. On aggressive deployments, drop it and let the full solve run.
  • Cookie reuse across sessions. One _px3 is one session on one IP. Rotate the IP or burn the session, and re-mint.
  • Bad-reputation proxies. Flagged datacenter ranges score poorly before any challenge. Clean residential or ISP proxies clear the reputation gate first.

The one rule that kills most 403s

Mint under the same proxy and user-agent you replay from, and send the token Takion hands back verbatim. PerimeterX's whole model is consistency scoring across the session. Match the fingerprint it trusted and you stay cleared.

部分使用 PerimeterX 的网站

PerimeterX / HUMAN 守护着这些网站。Takion 在每一个上都能通过,所以绕过 zillow 和绕过任何其他防护墙一样,都是同一次 POST。

PerimeterX 绕过常见问题

可以。Takion 会解决“按住不放”验证码,并连同有效的 _px3 / _px2 cookie 一起返回 pxhc 令牌,因此你无需自己渲染按钮或模拟手势。
支持。我们支持并解决 init(普通网页的 px 生成)。
支持,只需联系我们将你的应用/网站加入白名单即可。

所有其他防护墙

今天就上线你的 PerimeterX 绕过方案。

免费试用,之后一个密钥通吃每一堵墙。一小时内完成首次调用。