CAPTCHA Bypass#
CAPTCHAs are mainly used on login forms to prevent brute-force attacks. If the CAPTCHA module is not properly implemented, for example when validation happens only on the client side or a server-side CAPTCHA never expires, the CAPTCHA becomes ineffective.
There are generally the following types of CAPTCHAs:
- Image CAPTCHA
- SMS CAPTCHA
- Email CAPTCHA
- Slide CAPTCHA
- Voice CAPTCHA
SMS CAPTCHA#
CAPTCHA Brute Force#
Most SMS CAPTCHAs are 6-digit codes, which are impractical to brute-force. However, if a 4-digit code is used and neither the expiration time nor the number of attempts is limited, brute forcing becomes feasible: a 4-digit code has only 10,000 possible values, 0000 to 9999.
Case 1: Arbitrary User Registration
The attacker fills in any mobile phone number at registration, and the server sends an SMS CAPTCHA to that number. Here the CAPTCHA is a 4-digit code, so the brute-force range is set to 0000 to 9999. Once the CAPTCHA is cracked, the account is registered automatically.
Whether a guess succeeded can be determined from the response packet. As shown in the figure above, the correct CAPTCHA is identified by the response length, which is 49.
Fix Suggestions:
To prevent CAPTCHA brute forcing, the following hardening measures are recommended:
(1) Set the expiration time of the CAPTCHA to 180 seconds;
(2) Limit the number of failed CAPTCHA attempts within a period of time, for example lock the account for 15 minutes after 5 consecutive failures within 5 minutes.
CAPTCHA Bypass Testing#
Vulnerability Principle:
In some cases the client decides whether the CAPTCHA step passed based on the data the server returns. Modifying that response after the front end submits the request therefore bypasses the CAPTCHA and lets the attacker's own request go through.
Testing Process:
The attacker opens the registration page, enters any mobile phone number, requests the CAPTCHA, fills in an arbitrary CAPTCHA value, submits the form, intercepts the traffic with a packet capture tool, views and modifies the returned packet, forwards it, and checks whether the registration succeeded.
Modify the response packet
Fix Suggestions:
To address this vulnerability, the CAPTCHA must be verified on the server side rather than trusted from the client: the server performs its own (secondary) verification of the CAPTCHA value the client submits.
Reuse of CAPTCHA#
Vulnerability Principle:
On a website's login or comment pages, if the session state recording a successful CAPTCHA verification is not cleared promptly, the same CAPTCHA can be reused after the first successful verification. During testing, capture the data packet containing the CAPTCHA and resubmit it repeatedly to see whether the submissions are still accepted.
Testing Process:
The attacker registers an account through the normal process, enters the CAPTCHA on the page, captures the submitted data packet, modifies the username field in it, and then resubmits it repeatedly to see whether multiple accounts can be registered.
Fix Suggestions:
To address CAPTCHA reuse, clear the session state of the successful verification as soon as the CAPTCHA has been verified once. This prevents a CAPTCHA from being used again after a single verification.
CAPTCHA GET Transmission Leakage#
As the capture shows, the CAPTCHA value appears in the GET packet itself, so it can be read directly. An attacker therefore does not need access to a real mobile phone number to enter the correct code.
SMS Bombing#
Vulnerability Principle:
If the SMS sending module does not limit how many times a code can be sent, SMS CAPTCHAs can be sent without limit.
Testing Process:
The attacker fills in the mobile phone number in the SMS sending field, clicks to send the CAPTCHA, captures the packet, and resends it repeatedly to see whether multiple SMS CAPTCHAs are received within 1 second. If they are, an SMS bombing vulnerability exists.
Some bypass methods:
- Bypass using spaces
- Bypass by modifying cookie values
- Bypass by IP
- Bypass by modifying return values
- Bypass by sending SMS with different accounts
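The fixes recommended above (a 180-second expiry, a lock after 5 failures within 5 minutes, clearing the code once it has been verified so a captured packet cannot be replayed, never returning the code in the HTTP response, and limiting how often an SMS can be sent) can be implemented together on the server side. The following Python is an added example and is not code from the page or the referenced book. The in-memory dictionaries and the injectable clock are assumptions standing in for a shared store such as Redis; the send cooldown and hourly cap values, the phone numbers, and the function names are constructed for the demo.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field

CODE_TTL = 180          # seconds a code stays valid (fix 1 on this page)
MAX_FAILURES = 5        # consecutive failures allowed ...
FAILURE_WINDOW = 300    # ... within this many seconds (fix 2)
LOCK_DURATION = 900     # lock for 15 minutes
SEND_COOLDOWN = 60      # assumption: at most one SMS per number per minute
SEND_HOURLY_CAP = 5     # assumption: at most five SMS per number per hour


@dataclass
class PendingCode:
    code: str
    issued_at: float
    failures: list = field(default_factory=list)  # timestamps of wrong guesses


class SmsCodeStore:
    """Server-side verification-code handling; `now` is injectable for testing."""

    def __init__(self, now=time.time):
        self.now = now
        self.pending = {}       # phone -> PendingCode
        self.locked_until = {}  # phone -> unlock timestamp
        self.send_log = {}      # phone -> timestamps of sent SMS

    def issue(self, phone):
        """Rate-limited send. Returns (ok, reason_or_code). The code is returned
        only so the caller can hand it to the SMS gateway; it must never be
        placed in the HTTP response (see the GET transmission leakage section)."""
        t = self.now()
        sends = [s for s in self.send_log.get(phone, []) if t - s < 3600]
        if sends and t - sends[-1] < SEND_COOLDOWN:
            return False, "cooldown"
        if len(sends) >= SEND_HOURLY_CAP:
            return False, "hourly_cap"
        code = f"{secrets.randbelow(10**6):06d}"   # 6 digits, CSPRNG
        self.pending[phone] = PendingCode(code, t)  # replaces any older code
        self.send_log[phone] = sends + [t]
        return True, code

    def verify(self, phone, submitted):
        """Returns (ok, reason). A code is deleted on success (single use),
        on expiry, and when the failure limit locks the number."""
        t = self.now()
        if self.locked_until.get(phone, 0) > t:
            return False, "locked"
        entry = self.pending.get(phone)
        if entry is None:
            return False, "no_code"          # never issued, or already consumed
        if t - entry.issued_at > CODE_TTL:
            del self.pending[phone]
            return False, "expired"
        if hmac.compare_digest(entry.code, submitted):
            del self.pending[phone]           # single use: replay now fails
            return True, "ok"
        entry.failures = [f for f in entry.failures if t - f < FAILURE_WINDOW] + [t]
        if len(entry.failures) >= MAX_FAILURES:
            self.locked_until[phone] = t + LOCK_DURATION
            del self.pending[phone]           # the code is also invalidated
            return False, "locked"
        return False, "wrong"


class FakeClock:
    """Deterministic clock so expiry and lock windows can be exercised offline."""
    def __init__(self, start=1_000_000.0):
        self.t = start
    def __call__(self):
        return self.t
    def advance(self, seconds):
        self.t += seconds


def demo():
    """Walks through each protection and returns the reason codes observed."""
    clock = FakeClock()
    store = SmsCodeStore(now=clock)
    r = {}
    a, b, c, d = "13800000001", "13800000002", "13800000003", "13800000004"  # constructed numbers
    _, code = store.issue(a)
    wrong = "000000" if code != "000000" else "000001"
    r["resend_cooldown"] = store.issue(a)[1]          # second SMS within a minute is refused
    r["wrong"] = store.verify(a, wrong)[1]
    r["right"] = store.verify(a, code)[1]
    r["replay"] = store.verify(a, code)[1]            # captured packet resent: rejected
    _, code = store.issue(b)
    clock.advance(CODE_TTL + 1)
    r["expired"] = store.verify(b, code)[1]
    _, code = store.issue(c)
    wrong = "000000" if code != "000000" else "000001"
    for _ in range(MAX_FAILURES):
        last = store.verify(c, wrong)
    r["locked"] = last[1]                             # fifth failure locks the number
    r["still_locked"] = store.verify(c, code)[1]      # even the right code is refused
    clock.advance(LOCK_DURATION + 1)
    r["after_lock"] = store.verify(c, code)[1]        # old code was invalidated
    for _ in range(SEND_HOURLY_CAP):
        store.issue(d)
        clock.advance(SEND_COOLDOWN + 1)
    r["hourly_cap"] = store.issue(d)[1]
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:16} -> {v}")
```

Each guess against a locked or consumed code fails before the comparison, so brute forcing the 10,000-value space described above stops after five attempts, and the captured packet from the reuse test is rejected on resubmission because the code is deleted the moment it verifies.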
Image CAPTCHA#
CAPTCHA Bypass (on client)#
When the CAPTCHA is validated only by front-end JavaScript:
- Disable JavaScript in the browser (F12 > Settings > Disable JavaScript)
- Go to the login box
- Capture the login request with Burp
- Brute force with Intruder succeeds
CAPTCHA Bypass (on server)#
If the same CAPTCHA can be used repeatedly without expiring, the login can be brute-forced successfully.
Automatic Recognition Testing of Image CAPTCHA#
Download captcha-killer-modified#
Download the JAR file from the Releases page and load it in Burp Suite.
Then clone the captcha-killer-modified source repository: it contains codereg.py, which starts the CAPTCHA recognition service and requires the ddddocr library.
git clone https://github.com/f0ng/captcha-killer-modified.git
Install the ddddocr Library#
Repository address: https://github.com/sml2h3/ddddocr
Note: My environment is Mac M1 Pro
# Install onnxruntime with brew
brew install onnxruntime
pip3 install ddddocr # Error occurs when installing and running codereg.py with Python 3.9
Install aiohttp with Python 3.10
pip310 install aiohttp -i http://pypi.doubanio.com/simple/ --trusted-host pypi.doubanio.com
Run python310 codereg.py
Error: TypeError: The port is required to be int.
Solution: change default="8888" in the script to default=8888, then run python310 codereg.py again; it now works.
Practical Case 1#
The target is the Pikachu practice range (a deliberately vulnerable web application).
- Burp requests the CAPTCHA URL
Request the CAPTCHA URL and click to fetch it; the CAPTCHA image appears on the right side.
On the left side of the figure above, first capture a login-box packet, then change the URL in the POST to the CAPTCHA URL. The right side of the figure shows the request sent to the captcha-killer-modified plugin.
In other cases, extract the keywords accordingly.
- Set the ddddocr API URL
Set the request template:
POST /reg HTTP/1.1
Host: 127.0.0.1:8888
Authorization:Basic f0ngauth
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:97.0) Gecko/20100101 Firefox/97.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 8332
<@BASE64><@IMG_RAW></@IMG_RAW></@BASE64>
Set the interface address to http://127.0.0.1:8888, the service started by codereg.py. Configure it as follows:
The captcha-killer-modified panel now shows the CAPTCHA recognized accurately.
- Start the Intruder brute force
- Set the attack type to Pitchfork
- Brute force the password field and the vcode (CAPTCHA) field
Set the payload for the password field.
Set the payload for the CAPTCHA field.
Final recognition rate: the CAPTCHA used by this target is relatively complex.
Output of codereg.py:
References#
- https://gv7.me/articles/2019/burp-captcha-killer-usage/
- Book reference: "Web Attack and Defense Business Security Practical Guide"