How to exploit & bypass CAPTCHA?

We live in a world where we need to prove to machines that we are humans. Pathetic! But before we take revenge on these puny machines, let's learn how CAPTCHAs work.

How CAPTCHA works?

First of all, the full form of CAPTCHA is “Completely Automated Public Turing test to tell Computers and Humans Apart”. Why would you give such a long name to a program? Like just call it Jeff or something.
Anyways, a classic CAPTCHA looks like this:

[Image: captcha bypass]

The user is presented with some randomly generated words or characters which need to be submitted to the web app. If the value entered by the user matches the value generated by the web app, the user is allowed to do whatever he was trying to do. CAPTCHAs are mostly placed in forms to stop spammers, bots & brute forcing attempts.

Most of the CAPTCHAs you are going to encounter in the wild will be of the following kinds:

  1. The ones which ask you a simple maths question
  2. The ones that ask you to copy paste some text
  3. The ones which ask you to enter some randomly generated characters
  4. The ones which ask you to select images or something like that

How to bypass CAPTCHA?

First of all, why would someone use maths questions and the copy-paste thing? Yes, it is easy to bypass. Most of the time you will find this type of CAPTCHA on small or medium scale websites. But believe me, it stops most of the spammers, because most of the time their bots are automated and ain’t nobody got time for tweaking their bot for every website. But if it’s a target for a spammer, he will do it, and that’s why if you are testing a website and find this kind of CAPTCHA, report it.

Here’s an example of a script that can solve a maths question

Here comes the part you are here for: the CAPTCHAs which ask you to enter characters.
Well, the first thing you should do is check the source to see how the CAPTCHA is generated. If you see something like the following, it’s an instant win!


CAPTCHA’s value is included in the URL as a parameter value, just grab it and submit it.
But what if you encounter this?


No worries! Sometimes the value will be encoded like this one which is encoded in base64. Just decode it and submit it.
Here’s another one


Here the value is hashed with MD5 and you can’t just “decode” it, as a hash is a one-way function. Your best bet is to write a script that extracts the hash and then tries to do a hash lookup with some online service. Check out my Hash-Buster 😉 If the hash gets resolved, just submit it; otherwise just reload the page and try again.

Okay, here’s another one


I won’t solve it for you, let me know in the comments how to do this one.

Apart from the CAPTCHA image’s URL, check if there’s some JavaScript interacting with the CAPTCHA and try to understand how it works & try to bypass it.
Yeah, one more thing: you can refresh the CAPTCHA again and again to see if it’s truly random. If the CAPTCHA is being submitted through an HTTP request, you can try to remove the CAPTCHA parameter to see how the server responds to it.
That’s all for bypassing. Now let’s talk about a scenario where I exploited a CAPTCHA vulnerability to cause a powerful DDoS attack.

How to exploit CAPTCHA?

About a month ago I found this while testing a website:

The characters present in the CAPTCHA image aren’t being exposed in here, but take a look at the URL of the image


As you can see, there are 3 parameters

  • width: width of the image to be generated
  • height: height of the image to be generated
  • chars: number of characters to be generated

Without wasting any more time I opened the URL in a new tab and changed the value of the width parameter. Guess what? It generated a wider image! Yay!
To exploit this behavior I wrote a script to request the following URL in lots of threads


and the website went down in less than a minute because the server had to generate a 2000×1200 image with 9999 random characters with rendered noise in it, and it’s a lot of work, which caused the server to crash.
I wish I had more stories about CAPTCHA bypassing & exploitation but I have not :’)
See ya!
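
From the defender's side, the leaked answers and the oversized-image crash described above share one fix: keep the answer and the image dimensions on the server. The sketch below is an added example, not code from the original post or the tested site; every name in it (`STORE`, `issue_challenge`, `render_params`, `verify`, the `captcha_id` and `captcha` fields) is hypothetical, and a dict stands in for a server-side session store.

```python
import hmac
import secrets
import time

# All names here are hypothetical; a dict stands in for a server-side session store.
WIDTH, HEIGHT, LENGTH = 200, 70, 6   # fixed on the server, never read from the request
TTL_SECONDS = 120
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
STORE = {}                           # token -> (answer, expiry timestamp)


def issue_challenge(now=None):
    """Create a challenge. Only an opaque random token ever reaches the client."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(16)
    answer = "".join(secrets.choice(ALPHABET) for _ in range(LENGTH))
    STORE[token] = (answer, now + TTL_SECONDS)
    return token, f"/captcha.png?id={token}"


def render_params(query):
    """Image endpoint: resolve the token, ignore any size or length the client sent."""
    entry = STORE.get(query.get("id", ""))
    if entry is None:
        return None
    return {"text": entry[0], "width": WIDTH, "height": HEIGHT}


def verify(form, now=None):
    """Check a submission. Fails closed and consumes the token on every attempt."""
    now = time.time() if now is None else now
    entry = STORE.pop(form.get("captcha_id", ""), None)  # single use, right or wrong
    guess = form.get("captcha")
    if entry is None or not guess:                        # unknown token or field removed
        return False
    answer, expiry = entry
    if now > expiry:
        return False
    return hmac.compare_digest(guess.strip().upper().encode(), answer.encode())


if __name__ == "__main__":
    token, url = issue_challenge()
    print(url)                                            # no answer, no size parameters
    print(render_params({"id": token, "width": "2000", "chars": "9999"}))
    print(verify({"captcha_id": token}))                  # CAPTCHA field removed: False
```

Because the token is random and unrelated to the answer, there is nothing in the URL to decode or look up, and the cost of rendering one image is the same no matter what the request contains.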

About the author


I am Somdev Sangwan also known as D3V. I am n00b and I love computers and hacking. I am a python freak and your friendly neighborhood hacker.