Physical attacks
Mobile Apps Pentesting
Pentesting

Captcha Bypass

Captcha Bypass

To automate the testing of some functions of the server that allows user input it could be needed to bypass a captcha implementation. Test these things:

  • Do not send the parameter related to the captcha.

  • Send the captcha parameter empty.

  • Check if the value of the captcha is in the source code of the page.

  • Check if the value is inside a cookie.

  • Check if you can use the same captcha value several times with the same or different sessionID.

  • If the captcha consists on a mathematical operation try to automate the calculation.

  • If the captcha consists on read characters from an image, check manually or with code how many images are being used and if only a few images are being used, detect them by MD5.