hacktricks/pentesting-web/captcha-bypass.md

# Captcha Bypass

## Captcha Bypass

To **automate** the **testing** of some functions of the server that allows user input it **could** be **needed** to **bypass** a **captcha** implementation. Test these things:

* **Do not send the parameter** related to the captcha.
* Send the **captcha parameter empty**.
* Check if the value of the captcha is **in the source code** of the page.
* Check if the value is **inside a cookie.**
* Check if you can use the **same** captcha **value** several times with **the same or different sessionID.**
* If the captcha consists on a **mathematical operation** try to **automate** the **calculation.**
* If the captcha consists on **read characters from an image**, check manually or with code **how many images** are being used and if only a **few images are being used, detect them by MD5.**
* Use an **OCR** \([https://github.com/tesseract-ocr/tesseract](https://github.com/tesseract-ocr/tesseract)\).
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`# Captcha Bypass`

			`## Captcha Bypass`

			`To automate the testing of some functions of the server that allows user input it could be needed to bypass a captcha implementation. Test these things:`

			`* Do not send the parameter related to the captcha.`
			`* Send the captcha parameter empty.`
			`* Check if the value of the captcha is in the source code of the page.`
			`* Check if the value is inside a cookie.`
			`* Check if you can use the same captcha value several times with the same or different sessionID.`
			`* If the captcha consists on a mathematical operation try to automate the calculation.`
			`* If the captcha consists on read characters from an image, check manually or with code how many images are being used and if only a few images are being used, detect them by MD5.`
			`* Use an OCR \([https://github.com/tesseract-ocr/tesseract](https://github.com/tesseract-ocr/tesseract)\).`