We live in a world where we need to prove to machines that we are humans. Pathetic! But before we take revenge on these puny machines, let’s learn how CAPTCHAs work.
How does CAPTCHA work?
First of all, the full form of CAPTCHA is “Completely Automated Public Turing test to tell Computers and Humans Apart”. Why would you give such a long name to a program? Like, just call it Jeff or something.
Anyways, a classic CAPTCHA looks like this:
The user is presented with some randomly generated words or characters which they need to submit to the web app. If the value entered by the user matches the value the web app generated and kept for that user, the user is allowed to do whatever they were trying to do. CAPTCHAs are mostly placed in forms to stop spammers, bots and brute-forcing attempts.
Most of the CAPTCHAs you are going to encounter in the wild will be of the following kinds:
- The ones which ask you a simple maths question
- The ones that ask you to copy-paste some text
- The ones which ask you to enter some randomly generated characters
- The ones which ask you to select images or something like that
How to bypass CAPTCHA?
First of all, why would someone use maths questions and the copy-paste thing? Yes, it is easy to bypass. Most of the time you will find this type of CAPTCHA on small or medium-scale websites. But believe me, it stops most spammers, because most of the time their bots are automated and ain’t nobody got time for tweaking their bot for every website. But if the site is a target for a spammer, he will do it, and that’s why if you are testing a website and find this kind of CAPTCHA, report it.
Here’s an example of a script that can solve a maths question:
Here comes the part you are here for: the CAPTCHAs which ask you to enter characters.
Well, the first thing you should do is check the page source to see how the CAPTCHA is generated. If you see something like the following, it’s an instant win!
The CAPTCHA’s value is included in the URL as a parameter value; just grab it and submit it.
But what if you encounter this?
No worries! Sometimes the value will be encoded, like this one, which is base64-encoded. Just decode it and submit it.
Here’s another one:
Here the value is hashed with MD5, and you can’t just “decode” it, as a hash is one-way. Your best bet is to write a script that extracts the hash and then tries a hash lookup with some online service. Check out my Hash-Buster 😉 If the hash gets resolved, submit it; otherwise just reload the page and try again.
Okay, here’s another one
I won’t solve it for you; let me know in the comments how to do this one.
Yeah, one more thing: you can refresh the CAPTCHA again and again to see if it’s truly random. If the CAPTCHA is being submitted through an HTTP request, you can try removing the CAPTCHA parameter to see how the server responds.
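Every bypass above works for the same reason: the page handed the browser something it could turn back into the answer (the plaintext, a base64 copy, or an MD5 of a six-character string that any lookup service already has). The fix is the mechanism described at the top of the post done properly: the server keeps the answer, the browser only gets an opaque id. Here is an added example of that design, written for this page and not taken from the post or any project; the names CaptchaStore, issue, verify, form_markup and leaks_answer, the 6-character alphabet and the 5-minute expiry are all assumptions. It also covers the two checks from the last paragraph: a missing captcha parameter fails closed, and a challenge can only be used once.

```python
# Added example, not code from the original post: a minimal server-side
# CAPTCHA challenge store. All names (CaptchaStore, issue, verify,
# form_markup, leaks_answer) are assumptions made for this illustration.
import base64
import hashlib
import hmac
import secrets
import string
import time

ALPHABET = string.ascii_lowercase + string.digits
CHALLENGE_LEN = 6
TTL_SECONDS = 300  # a challenge that is not answered in 5 minutes expires


class CaptchaStore:
    """Maps an opaque challenge id to the expected answer, server side only."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock          # injectable so expiry can be tested offline
        self._pending = {}           # challenge_id -> (answer, expires_at)

    def issue(self):
        """Create a challenge and return (challenge_id, answer).

        The answer exists only to be rendered into the image. The id is the
        only CAPTCHA data that goes into the form, so nothing derived from the
        answer (plaintext, base64, an MD5 hash) ever reaches the client.
        """
        answer = "".join(secrets.choice(ALPHABET) for _ in range(CHALLENGE_LEN))
        challenge_id = secrets.token_urlsafe(16)
        self._pending[challenge_id] = (answer, self._clock() + TTL_SECONDS)
        return challenge_id, answer

    def verify(self, challenge_id, submitted):
        """Single-use check: a looked-up challenge is consumed whether or not
        the answer matches, so a wrong guess cannot be retried against the
        same image and a solved one cannot be replayed."""
        if not challenge_id or not submitted:
            return False             # a missing parameter fails closed
        entry = self._pending.pop(challenge_id, None)
        if entry is None:
            return False             # unknown, already used, or never issued
        answer, expires_at = entry
        if self._clock() > expires_at:
            return False             # too old, and already popped above
        # Constant-time compare on bytes; the image is case-insensitive, so the
        # submission is lower-cased first.
        return hmac.compare_digest(answer.encode(), submitted.strip().lower().encode())


def form_markup(challenge_id):
    """The only CAPTCHA-related markup the browser receives: an image fetched
    by id and the id echoed back in a hidden field."""
    return (f'<img src="/captcha/image?id={challenge_id}">\n'
            f'<input type="hidden" name="captcha_id" value="{challenge_id}">\n'
            f'<input name="captcha" autocomplete="off">')


def leaks_answer(markup, answer):
    """Review check for the three leaks described in the post: the answer in
    plaintext, base64-encoded, or as an MD5 hex digest anywhere in the page."""
    encodings = (
        answer,
        base64.b64encode(answer.encode()).decode(),
        hashlib.md5(answer.encode()).hexdigest(),
    )
    return any(e in markup for e in encodings)


if __name__ == "__main__":
    store = CaptchaStore()
    cid, answer = store.issue()
    markup = form_markup(cid)
    print("leaks answer:", leaks_answer(markup, answer))   # False
    print("first submit:", store.verify(cid, answer))       # True
    print("replay:", store.verify(cid, answer))             # False, single use
```

In a real application the store lives in the session or a server-side cache, and the /captcha/image endpoint looks the answer up by id and renders it; the answer itself is never written into HTML, a cookie, or a URL. The leaks_answer check is the kind of assertion worth keeping in the app's test suite, since the three encodings it looks for are exactly what the post found in page source.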
That’s all for bypassing. Now let’s talk about a scenario where I exploited a CAPTCHA vulnerability to cause a powerful DDoS attack.
How to exploit CAPTCHA?
About a month ago I found this while testing a website:
The characters present in the CAPTCHA image aren’t being exposed here, but take a look at the URL of the image:
As you can see, there are 3 parameters:
- width: width of the image to be generated
- height: height of the image to be generated
- chars: number of characters to be generated
Without wasting any more time I opened the URL in a new tab and changed the value of the width parameter. Guess what? It generated a wider image! Yay!
To exploit this behavior I wrote a script to request the following URL in lots of threads:
and the website went down in less than a minute, because the server had to generate a 2000×1200 image with 9999 random characters with rendered noise in it. That’s a lot of work, and it caused the server to crash.
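The root cause here is that the image endpoint let the client decide how much work the server does. Below is an added example of how that endpoint should have treated width, height and chars; it is not the site's code or the author's script, and the names (RenderSpec, PRESETS, resolve_render_spec, legacy_render_spec, parse_bounded_int), the size presets and the numeric limits are all assumptions. It shows the preferred design, where the client can only name a server-owned preset, and a stricter fallback for an endpoint that must keep accepting the three numbers.

```python
# Added example, not the site's code or the author's script: how the image
# endpoint from the story should handle width/height/chars. The names
# (RenderSpec, PRESETS, resolve_render_spec, legacy_render_spec,
# parse_bounded_int) and all numeric limits are assumptions for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class RenderSpec:
    width: int
    height: int
    chars: int

    @property
    def cost(self):
        """Rough work estimate for one render: pixels to fill plus a fixed
        per-glyph charge for drawing the character and its noise."""
        return self.width * self.height + self.chars * 1_000


# Preferred design: the server owns the dimensions. The client may name a
# preset; it never sends numbers, so there is nothing to inflate.
PRESETS = {
    "default": RenderSpec(200, 60, 6),
    "large": RenderSpec(300, 90, 6),
}

# Upper bound on work per request for the legacy path below. Deliberately
# lower than the product of the per-parameter maximums: three individually
# "reasonable" values can still multiply into an unreasonable render.
MAX_COST = 40_000


def resolve_render_spec(query):
    """Map a query dict to a server-defined RenderSpec. Any width/height/chars
    keys the client sends are simply ignored."""
    spec = PRESETS.get(query.get("size", "default"))
    if spec is None:
        raise ValueError("unknown size preset")
    return spec


def parse_bounded_int(query, key, lo, hi):
    """Strict integer parsing: reject, never clamp. Clamping still lets a
    client steer every request to the most expensive allowed value."""
    raw = query.get(key)
    if raw is None:
        raise ValueError(f"{key} is required")
    if not raw.isdigit():                # rejects '', '-1', '1e9', ' 5'
        raise ValueError(f"{key} must be a non-negative integer")
    value = int(raw)
    if not lo <= value <= hi:
        raise ValueError(f"{key}={value} outside [{lo}, {hi}]")
    return value


def legacy_render_spec(query):
    """For an endpoint that must keep accepting the three parameters: hard
    per-parameter bounds plus an overall render budget."""
    spec = RenderSpec(
        width=parse_bounded_int(query, "width", 100, 400),
        height=parse_bounded_int(query, "height", 30, 120),
        chars=parse_bounded_int(query, "chars", 4, 8),
    )
    if spec.cost > MAX_COST:
        raise ValueError(f"render cost {spec.cost} exceeds budget {MAX_COST}")
    return spec


if __name__ == "__main__":
    # Constructed queries: a normal request, and the one from the story.
    normal = {"width": "200", "height": "60", "chars": "6"}
    abusive = {"width": "2000", "height": "1200", "chars": "9999"}
    print(legacy_render_spec(normal))        # RenderSpec(width=200, height=60, chars=6)
    print(resolve_render_spec(abusive))      # the 'default' preset; numbers ignored
    try:
        legacy_render_spec(abusive)
    except ValueError as err:
        print("rejected:", err)
```

Two design points worth noting. Rejecting instead of clamping matters because a clamped endpoint still lets every request run at the maximum allowed cost, which is the expensive corner of the space; and the separate budget exists because per-parameter bounds do not bound their product, so 400×120 with 8 characters is refused even though each value is individually in range. Bounding the work per request is only half of the fix for a many-threads flood; the other half is per-client rate limiting on the image endpoint, which is outside this snippet.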
I wish I had more stories about CAPTCHA bypassing & exploitation, but I don’t :’)