hacktricks/pentesting-web/captcha-bypass.md
Carlos Polop a268747dc2 A
2024-02-09 08:14:36 +01:00


Captcha Bypass

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!


To bypass the captcha during server testing and automate user input functions, various techniques can be employed. The objective is not to undermine security but to streamline the testing process. Here's a comprehensive list of strategies:

  1. Parameter Manipulation:

    • Omit the Captcha Parameter: Avoid sending the captcha parameter. Experiment with changing the HTTP method from POST to GET or other verbs, and altering the data format, such as switching between form data and JSON.
    • Send Empty Captcha: Submit the request with the captcha parameter present but left empty.
  2. Value Extraction and Reuse:

    • Source Code Inspection: Search for the captcha value within the page's source code.
    • Cookie Analysis: Examine the cookies to find if the captcha value is stored and reused.
    • Reuse Old Captcha Values: Attempt to use previously successful captcha values again.
    • Session Manipulation: Try using the same captcha value across different sessions or the same session ID.
  3. Automation and Recognition:

    • Mathematical Captchas: If the captcha involves math operations, automate the calculation process.
    • Image Recognition:
      • For captchas that require reading characters from an image, manually or programmatically determine the total number of unique images. If the set is limited, you might identify each image by its MD5 hash.
      • Utilize Optical Character Recognition (OCR) tools like Tesseract OCR to automate character reading from images.
  4. Additional Techniques:

    • Rate Limit Testing: Check if the application limits the number of attempts or submissions in a given timeframe and whether this limit can be bypassed or reset.
    • Third-party Services: Employ captcha-solving services or APIs that offer automated captcha recognition and solving.
    • Session and IP Rotation: Frequently change session IDs and IP addresses to avoid detection and blocking by the server.
    • User-Agent and Header Manipulation: Alter the User-Agent and other request headers to mimic different browsers or devices.
    • Audio Captcha Analysis: If an audio captcha option is available, use speech-to-text services to interpret and solve the captcha.
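
A server-side check that holds up against the parameter-manipulation and value-reuse tests in items 1 and 2, given here as an added example rather than code from the original page. `CaptchaStore`, the `captcha` parameter name, the session ids and the 120-second lifetime are assumptions made for illustration.

```python
import hmac
import time

CAPTCHA_TTL = 120  # seconds a challenge stays valid (assumed policy value)


class CaptchaStore:
    """Hypothetical helper: answers stay server-side, never in HTML or a cookie."""

    def __init__(self, now=time.monotonic):
        self._now = now
        self._pending = {}  # session_id -> (expected_answer, expires_at)

    def issue(self, session_id, answer):
        self._pending[session_id] = (answer, self._now() + CAPTCHA_TTL)

    def verify(self, session_id, params):
        """Return (ok, reason); call it for every HTTP method and body format."""
        # pop() makes each challenge single-use, whether the attempt passes or fails.
        entry = self._pending.pop(session_id, None)
        if entry is None:
            return False, "no_pending_challenge"
        supplied = params.get("captcha")
        # JSON bodies can carry null, true, lists or objects: accept only text.
        if not isinstance(supplied, str) or not supplied.strip():
            return False, "missing_or_empty"
        expected, expires_at = entry
        if self._now() > expires_at:
            return False, "expired"
        if not hmac.compare_digest(supplied.strip().encode(), expected.encode()):
            return False, "wrong_answer"
        return True, "ok"


def run_checks():
    store, out = CaptchaStore(), {}
    cases = [("omitted", {}), ("empty", {"captcha": ""}),
             ("json_true", {"captcha": True}), ("correct", {"captcha": "7kq2x"})]
    for case, params in cases:
        store.issue("sess-A", "7kq2x")  # constructed session id and answer
        out[case] = store.verify("sess-A", params)
    out["reused"] = store.verify("sess-A", {"captcha": "7kq2x"})
    store.issue("sess-A", "7kq2x")
    out["other_session"] = store.verify("sess-B", {"captcha": "7kq2x"})
    return out


if __name__ == "__main__":
    print(run_checks())
```

If any of the checks in items 1 and 2 succeeds against an application under test, the corresponding branch in `verify` is the control that is missing.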

Online Services to bypass captchas

Capsolver

Capsolver's automatic captcha solver offers the most affordable and quick captcha-solving solution. You may rapidly combine it with your program using its simple integration option to achieve the best results in a matter of seconds.

With a success rate of 99.15%, Capsolver can answer more than 10M captchas every minute. This implies that your automation or scrape will have a 99.99% uptime. You may buy a captcha package if you have a large budget.

At the lowest price on the market, you may receive a variety of solutions, including reCAPTCHA V2, reCAPTCHA V3, hCaptcha, hCaptcha Click, reCaptcha click, Funcaptcha Click, FunCaptcha, datadome captcha, aws captcha, picture-to-text, binance / coinmarketcap captcha, geetest v3 / v3, and more. With this service, 0.1s is the slowest speed ever measured.
