Hacker News | migueldemoura's comments

> Fwiw, Cloudflare does do a multivariate confidence check which is why it has multiple tiers: no captcha, a one-click captcha, the annoying puzzle captcha once, the annoying puzzle captcha six times in a row.

That's not correct: Cloudflare challenge pages / Turnstile will never show you a puzzle.


That User-Agent won't trigger the block page you were experiencing.

No clue about the issues with Google; perhaps some feature detection going on?


Nope, it's Google trying to ban "embedded browser frameworks" - see https://github.com/qutebrowser/qutebrowser/issues/5182 for details.


I used straight Firefox and was still banned just fine. It didn't start in 2019 either. Chrome is their cash cow; if you don't use it, you're a liability.


> Cloudflare lets their customers write their own WAF regex rules right?

No, but customers can request a custom WAF rule to be written by Cloudflare engineers specifically for their domain.


Is the XSS exploitable? Can you insert data in the phone field via a form submit or URL param? Seems like the attack requires exceedingly unlikely user interaction.

Did you contact the Portuguese National Data Protection Agency? If you can leak phone numbers, they should be informed.

Cool findings :)
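
The question above (can the phone field be populated from a form submit or URL parameter, or does the victim have to paste the payload themselves?) is what separates an exploitable reflected/stored XSS from a self-XSS. The following is an added example, not code from the linked write-up or from the CMD site: it assumes a hypothetical profile page that prefills an `<input name="phone">` from a `?phone=` query parameter, renders it once by raw string interpolation and once with HTML escaping, and counts how many tags the attacker managed to add. The URL, parameter name and render functions are assumptions for illustration.

```javascript
// Added example (not from the original thread). Hypothetical page that
// prefills a phone field from ?phone=... in the URL, rendered two ways.

// Vulnerable: the value is spliced straight into markup (what a naive
// server template or innerHTML assignment does). A crafted link suffices,
// so no victim interaction beyond clicking the link is needed.
function renderPhoneFieldUnsafe(phone) {
  return `<input name="phone" value="${phone}">`;
}

// Hardened: escape the characters that have meaning in HTML text and
// attribute context before interpolating.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}
function renderPhoneFieldSafe(phone) {
  return `<input name="phone" value="${escapeHtml(phone)}">`;
}

// Read the attacker-controlled value the way the (assumed) page would:
// from the query string. URLSearchParams percent-decodes it for us.
function phoneFromUrl(url) {
  return new URL(url).searchParams.get('phone') || '';
}

// Crude indicator for this demonstration only (not a general XSS detector):
// the template contributes exactly one "<", so any additional "<" in the
// output is a tag the input introduced.
function injectedTagCount(html) {
  return (html.match(/</g) || []).length - 1;
}

// Constructed attacker link: the payload closes the value attribute and
// opens a script tag. %22 = ", %3C = <, %3E = >.
const CRAFTED_URL =
  'https://example.invalid/profile?phone=%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E';

// Compare how far the same URL gets against each rendering.
function assess(url) {
  const phone = phoneFromUrl(url);
  return {
    phone,
    unsafeInjected: injectedTagCount(renderPhoneFieldUnsafe(phone)),
    safeInjected: injectedTagCount(renderPhoneFieldSafe(phone)),
  };
}

console.log(assess(CRAFTED_URL));
```

If the real page only ever shows the phone number the logged-in user typed into their own profile, with no way to seed it from a link or a cross-site form post, the same sink is a self-XSS; the decisive check is whether `phoneFromUrl`-style prefill (or an equivalent CSRF-able write) exists, not whether the sink escapes.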


Thank you :)

Regarding the XSS attack, I have the answer here: https://iluxonchik.github.io/chave-movel-digital-xss/#commen...

I did not; thank you for suggesting it, I will do it now.

