hacktricks/pentesting-web/captcha-bypass.md
carlospolop 1fa9f77ec3 change
2023-04-05 14:02:54 +02:00

3.9 KiB

HackTricks in 🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥

Captcha Bypass

To automate the testing of some functions of the server that allows user input it could be needed to bypass a captcha implementation. Therefore, try to test for these things:

  • Do not send the parameter related to the captcha.
    • Change from POST to GET or other HTTP Verbs
    • Change to JSON or from JSON
  • Send the captcha parameter empty.
  • Check if the value of the captcha is in the source code of the page.
  • Check if the value is inside a cookie.
  • Try to use an old captcha value
  • Check if you can use the same captcha value several times with the same or different sessionID.
  • If the captcha consists on a mathematical operation try to automate the calculation.
  • If the captcha consists of read characters from an image, check manually or with code how many images are being used and if only a few images are being used, detect them by MD5.
  • Use an OCR (https://github.com/tesseract-ocr/tesseract).
HackTricks in 🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥