What exactly do I submit?

A `createTask` POST with `clientKey` (your API key) and a `task` object containing `type` (AntiF5Task or AntiF5TaskProxyLess) plus `websiteURL`. For AntiF5Task add `proxyType`, `proxyAddress`, `proxyPort`, plus optional `proxyLogin` / `proxyPassword` if your proxy needs auth.

When `getTaskResult` returns `status: "ready"`, the `solution` object contains the `cookies` array (full F5 trust bundle), the `userAgent` string used during solve, `ipBound: true`, the `domain`, and diagnostic counters `tsCount` + `mutatedCount`.

How do I actually use the cookies?

Set every returned cookie on your HTTP client (or browser session via `addCookies`) keyed by `name`/`domain`/`path`, use the returned `userAgent` for every subsequent request, and route through the same proxy you submitted with. The next request to the protected URL will pass the F5 WAF and reach the real application.

Why the TS cookie short TTL?

F5 commonly sets `Max-Age=30` on TS cookies. Replay through the same IP + UA promptly after the solve completes. For long-running flows, re-solve when cookies near expiry — the solve is fast (~5 s).

Does this solve F5 Distributed Cloud Bot Defense (Shape)?

No. That's a separate product with VM-bytecode signal collection and ML scoring. This solver targets classic F5 BIG-IP Advanced WAF only (TS / TSPD / bobcmn cookies).

The cookies came back but the replay still gets the challenge — why?

Almost always a proxy IP mismatch. F5 enforces IP binding strictly — if you replay through a different egress IP than the one Capzy used for solve, F5 returns the challenge again. Use a sticky-session proxy (one egress IP per task).

F5 BIG-IP Advanced WAF Solver — TS/TSPD Cookies

Before you submit — these must be correct

If any of these are wrong, your token may be accepted by our solver but rejected or scored poorly by the target site. We can’t detect these mismatches for you.

F5 TS cookies are short-lived (Max-Age=30s on most deployments). Replay promptly. If your flow needs longer sessions, re-solve when cookies near expiry.
Cookies are IP + UA bound. The customer client must replay through the same proxy address + port and use the returned userAgent verbatim.

What is F5 BIG-IP Advanced WAF?

F5 BIG-IP Advanced WAF (formerly ASM) protects enterprise and government sites — banking portals, insurance, healthcare logins, government services — using an inline JavaScript challenge plus cookie-state validation. On the first request the server sets partial `TS<hash>` / `TSPD_*` cookies and serves an obfuscated `window["bobcmn"]` script. The script decodes a custom-encoded payload, runs the proof computation, and writes the verified token back to the cookie. Subsequent requests with the verified cookie pass the WAF. Not to be confused with F5 Distributed Cloud Bot Defense (ex-Shape Security) — that's a separate F5 product with VM-bytecode signal collection. This solver targets classic F5 BIG-IP Advanced WAF only.

How It Works

Send Task

POST your AntiF5Task with the target URL and sitekey to our API. We'll queue it instantly.

We Solve

Capzy's proprietary solver captures the bobcmn challenge HTML once via your proxy, route-intercepts a Patchright browser to replay it locally, lets the bobcmn computation run, and harvests the TS / TSPD / f5avr cookies the script issued. Returns the cookie bundle plus the matching User-Agent. AntiF5Task uses your own proxy; AntiF5TaskProxyLess routes through residential by default.

Get Token

Poll getTaskResult — when status is 'ready', the solution contains the token to inject into the target page.

Quick Integration

solve.py

import requests, time

API = "https://api.capzy.ai"
KEY = "capzy_your_key_here"

# Step 1: Create task
task = requests.post(f"{API}/createTask", json={
    "clientKey": KEY,
    "task": {
        "type": "AntiF5Task",
        "proxyPort": "10001",
        "proxyType": "http",
        "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36",
        "proxyLogin": "your-proxy-username",
        "websiteURL": "https://onlineservices.example.gov/login",
        "proxyAddress": "gw.your-proxy-provider.com",
        "proxyPassword": "your-proxy-password"
    }
}).json()

task_id = task["taskId"]
print(f"Task created: {task_id}")

# Step 2: Poll for result
while True:
    result = requests.post(f"{API}/getTaskResult", json={
        "clientKey": KEY,
        "taskId": task_id
    }).json()

    if result["status"] == "ready":
        print("Solved!", result["solution"])
        break
    elif result["status"] == "failed":
        print("Failed:", result.get("errorDescription"))
        break

    time.sleep(1)

# Step 3: Use the result — set every cookie on a session jar
sol = result["solution"]
session = requests.Session()
for c in sol["cookies"]:
    session.cookies.set(c["name"], c["value"], domain=c.get("domain"), path=c.get("path", "/"))
session.headers["User-Agent"] = sol.get("userAgent", "")
# IMPORTANT: route through the SAME proxy you supplied at solve time
resp = session.get("https://target.example.com/", proxies={
    "http":  "http://USER:PASS@PROXY_HOST:PORT",
    "https": "http://USER:PASS@PROXY_HOST:PORT",
})
print(resp.status_code, len(resp.text), "bytes")

task parameters.

Proxy fields below are required for this captcha — userAgent must match the one you’ll use when submitting the resulting token.

fieldtyperequireddescription

typetypestringreqyesEither `AntiF5TaskProxyLess` (Capzy supplies the residential IP) or `AntiF5Task` (you supply the proxy).

websiteURLtypestringreqyesFull URL of the F5 BIG-IP-protected page. Include the path and query string the customer-facing browser would use (e.g. `https://onlineservices.example.gov/login?return=/x`).

userAgenttypestringreqnoOverride the User-Agent string used during solve. Defaults to a modern Chrome desktop UA. If you override, you MUST replay through your client using the same UA — F5 binds the trust cookies to the (IP, UA) pair.

proxyTypetypestringreqno`http`, `https`, or `socks5`.

proxyAddresstypestringreqyesProxy host (IP or hostname). For `AntiF5Task` this is required — F5 cookies are IP-bound.

proxyPorttypeintegerreqyesProxy port. For `AntiF5Task` this is required.

proxyLogintypestringreqnoProxy username (if your proxy requires auth).

proxyPasswordtypestringreqnoProxy password (if your proxy requires auth).

solution response.

fieldtypedescription

cookiestypearrayCookie objects `{name, value, domain, path}`. Typical bundle: one or more `TS<8-hex-hash>` cookies (the F5 verified trust tokens), a `TSPD_*` cookie (policy descriptor), and an `f5avr…_session_` cookie (session id). Set every returned cookie on your HTTP client — partial sets fail on hardened F5 deployments.

userAgenttypestringExact User-Agent the browser used during solve. F5 correlates the UA with the TLS fingerprint that produced the cookies — reuse verbatim on replay or the WAF will re-challenge.

ipBoundtypebooleanAlways `true`. F5 trust cookies are bound to the egress IP that solved the challenge. Replay through the same proxy you submitted with.

domaintypestringHostname the cookies were validated against (host of `websiteURL`). Cookies are scoped to this domain.

tsCounttypeintegerNumber of F5 cookies returned. Diagnostic — most deployments return 3-4.

mutatedCounttypeintegerHow many TS cookies the bobcmn script rewrote during solve. Should be >= 1 on a successful solve. Diagnostic only.

Example response

Full getTaskResult response shape. The fields in the table above describe what's inside solution — the outer envelope (errorId, status) is identical for every captcha type.

{
  "errorId": 0,
  "status": "ready",
  "solution": {
    "domain": "onlineservices.example.gov",
    "cookies": [
      {
        "name": "TSaa03129d029",
        "path": "/",
        "value": "<long F5 verified TS cookie>",
        "domain": "onlineservices.example.gov"
      },
      {
        "name": "TS351d4aa7027",
        "path": "/",
        "value": "<F5 TS cookie>",
        "domain": "onlineservices.example.gov"
      },
      {
        "name": "f5avraaaaaaaaaaaaaaaa_session_",
        "path": "/",
        "value": "<F5 session id>",
        "domain": "onlineservices.example.gov"
      },
      {
        "name": "TSaa03129d075",
        "path": "/",
        "value": "<F5 verification cookie>",
        "domain": "onlineservices.example.gov"
      }
    ],
    "ipBound": true,
    "tsCount": 4,
    "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36",
    "mutatedCount": 1
  }
}

Error response

Failures use the same envelope with errorId: 1 plus errorCode + errorDescription. See the error-code reference for the full list.

{
  "errorId": 1,
  "errorCode": "ERROR_CAPTCHA_UNSOLVABLE",
  "errorDescription": "Solver gave up — automatically refunded."
}

Pending response

While the solver is still working, getTaskResult returns status: "processing". Poll every 1–2 seconds until ready or failed.

{
  "errorId": 0,
  "status": "processing"
}

Features

Solves the F5 BIG-IP bobcmn JavaScript challenge end-to-end

Returns the full trust-cookie bundle: TS<hash>, TSPD_*, f5avr…_session_

Median solve time ~5 seconds end-to-end

User-Agent + cookie pairing returned for direct session reuse

Routed through residential by default (DC IPs frequently flagged)

Cookies are IP + UA bound — full replay payload returned

Required Task Type

AntiF5Task

Frequently Asked Questions

start solving f5 big-ip advanced waf.

$0.10 in free credits — no card. ~250 free solves to test before you spend.

get free api key read docs

F5 BIG-IP Advanced WAF Solver, solved in 5.0s.