CAPTCHA is an acronym for “Computer Automated Public Turing test to tell Computers and Humans apart”. It is used to determine whether or not the user is human.
Many times, a CAPTCHA is an image. A human has to solve it using a challenge-response system, and can usually read it without too much difficulty. The figure below is an example of a CAPTCHA. The user has to prove that he is not a robot by typing the characters of the image as the answer to the CAPTCHA. If it is correct, the application accepts the action (login, registration, forgot password). If the answer is wrong, the user is stopped at that point and is presented with a new CAPTCHA until he answers correctly.
There are certain functionalities that need to be protected against brute force attacks. For example:
Some functionalities require users to submit a form that is later approved by the site administrator. Examples are: membership applications, contact us, feedback forms, surveys, etc. These need to be well protected against bots. If not, this will lead to:
Certain sites that hold very large amounts of data are vulnerable to data mining attacks. They need to protect themselves from such abuse and need a CAPTCHA implementation. Examples of such sites: social networking sites and search engines.
CAPTCHA is bypassed for two reasons: design issues and implementation issues.
In this blog post, we will look at design and implementation issues. We will also see how to crack them, why they are vulnerable and how we can make a secure CAPTCHA.
A design issue means that the CAPTCHA design is weak in nature, but there is nothing wrong with its implementation. The following demonstrations will help us understand what a design issue really is and how it can be cracked:
The CAPTCHA is nothing but an arithmetic operation that the user needs to perform. The mathematical question is present in the HTML source code of the page on which the CAPTCHA is presented.
You can download this CAPTCHA code from here: https://github.com/securelayer7/Captch-Bypass-Vulnerable-Script/tree/master/ArithmeticCAPTCHA
All the attacker has to do in this case is fetch the source code, compute the answer and submit it to the server to crack the CAPTCHA.
You can download the exploit code for this here: https://github.com/securelayer7/Captch-Bypass-Vulnerable-Script/tree/master/CaptchaExploits
The CAPTCHA has a limited database of questions. It is an image-based CAPTCHA, which cannot be cracked by reading the HTML source code, computing the answer and submitting it. The problem lies in the limited number of questions: in the CAPTCHA below, there are only 10 challenges that keep repeating, which makes it vulnerable.
You can download this CAPTCHA code from here: https://github.com/securelayer7/Captch-Bypass-Vulnerable-Script/tree/master/TenRepeatedCAPTCHA
The attacker only has to solve the 10 CAPTCHA questions manually once, noting down the answer to each question. After that, a tool can be built to keep cracking them. The tool fetches the question, looks up the answer in its own database and submits it.
You can download the exploit code for this here: https://github.com/securelayer7/Captch-Bypass-Vulnerable-Script/tree/master/CaptchaExploits
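Both design weaknesses above share a root cause: the server either hands the client enough to compute the answer, or reuses a challenge small enough to memorise. The following is an added example (not code from the securelayer7 repository) of the server-side half of an arithmetic CAPTCHA done the other way round: the answer never leaves the server, every challenge is freshly generated from a large operand space, and each token is single-use and expires. Rendering the question as an image, rate limiting and the session store are assumed to exist around it and are not shown; the in-memory dictionary stands in for the session store.

```python
import random
import secrets
import time

# Server-side challenge store: token -> (answer, expiry timestamp).
# In a real application this would be the user's session or a cache
# (assumption of this example); the client only ever sees the token.
_challenges = {}
CHALLENGE_TTL = 300  # seconds a challenge stays valid


def issue_challenge(now=None):
    """Create a fresh arithmetic challenge and return (token, question).

    Operands are drawn from a large range so there is no fixed bank of
    questions to memorise, unlike the ten-question CAPTCHA above. The
    answer is kept here and is never embedded in the page.
    """
    now = time.time() if now is None else now
    a, b = random.randint(10, 99), random.randint(10, 99)
    op = random.choice("+-")
    answer = a + b if op == "+" else a - b
    token = secrets.token_urlsafe(16)  # unguessable, unique per challenge
    _challenges[token] = (answer, now + CHALLENGE_TTL)
    return token, f"{a} {op} {b}"


def check_answer(token, submitted, now=None):
    """Validate a submitted answer for a token. Returns True only once.

    The record is removed on the first attempt regardless of outcome, so
    a solved challenge cannot be replayed and a wrong guess cannot be
    retried against the same question.
    """
    now = time.time() if now is None else now
    record = _challenges.pop(token, None)
    if record is None:
        return False  # unknown or already-consumed token
    answer, expires = record
    if now > expires:
        return False  # stale challenge
    try:
        return int(submitted) == answer
    except (TypeError, ValueError):
        return False  # non-numeric input is simply a wrong answer


if __name__ == "__main__":
    tok, question = issue_challenge()
    print("question handed to client:", question, "token:", tok)
    print("correct answer accepted:", check_answer(tok, eval(question)))
    print("replay of same token:", check_answer(tok, eval(question)))
```

The `eval` in the demo main is only there to solve the constructed question locally; a real client never receives anything it could evaluate.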
An implementation issue means that the CAPTCHA can be cracked due to a weak implementation, although it is fine from a design point of view.
The following demonstrations will help us understand what implementation issues really are and how they can be cracked:
In this demo, we are using Google reCAPTCHA. We use an API that sends the CAPTCHA response solved by the user to Google's endpoint. More about it here: https://www.google.com/recaptcha/intro/index.html . The API replies to the request with JSON output, along with an HTTP status code. So far so good!
The implementation issue arises because the developer fails to check the JSON response; instead, he checks the HTTP status code, which is 200 OK for both correct and incorrect CAPTCHA responses.
You can download this CAPTCHA code from here: https://github.com/securelayer7/Captch-Bypass-Vulnerable-Script/blob/master/GooglereCAPTCHA/weakcaptcha1.php
Note: The above scenario was a bug I submitted in a bug bounty program. It was accepted, and the security team told me that they had implemented their CAPTCHA in this particular way, i.e. they only checked the status code and not the JSON response. 🙂
The attacker simply has to make a script that sends any value as the CAPTCHA answer, and the server will accept it, because no matter what answer is sent, the server only checks whether the status code returned by the Google API is 200 OK (it always is 🙂). In the image below, the value we are sending as the answer is ‘InvalidAnswerOfCAPTCHA’.
You can download the exploit code for this here: https://github.com/securelayer7/Captch-Bypass-Vulnerable-Script/tree/master/CaptchaExploits
The CAPTCHA is present on the web page and is validated after submission, but a simple mistake in the if/else clause makes it vulnerable: the developer writes the positive response code in the else branch as well. So even if the CAPTCHA answer is wrong, the application gives a positive response to the user.
You can download this CAPTCHA code from here: https://github.com/securelayer7/Captch-Bypass-Vulnerable-Script/blob/master/GooglereCAPTCHA/weakcaptcha2.php
The attacker simply has to make a script that sends any value as the CAPTCHA answer. In the image below, the value we are sending as the answer is ‘InvalidAnswerOfCAPTCHA’.
You can download the exploit code for this here: https://github.com/securelayer7/Captch-Bypass-Vulnerable-Script/tree/master/CaptchaExploits
The CAPTCHA is present on the web page, but after it has been submitted it is never validated on the server side.
You can download this CAPTCHA code from here:
So, by simply entering a wrong CAPTCHA answer and an arbitrary email value, an attacker can bypass it.
You can download the exploit code for this here: https://github.com/securelayer7/Captch-Bypass-Vulnerable-Script/tree/master/CaptchaExploits
The solution is very simple. Follow these steps to build a strong CAPTCHA functionality:
You can download the secure CAPTCHA code from here: https://github.com/securelayer7/Captch-Bypass-Vulnerable-Script/blob/master/GooglereCAPTCHA/goodcaptcha.php
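The three implementation bugs above (status code checked instead of JSON, positive response in the else branch, no server-side verification at all) all sit in the few lines that handle the siteverify reply. The following is an added Python example, not the goodcaptcha.php from the repository, that puts the correct check beside the weak one. The siteverify call is injected as a function so the example runs offline; the two reply bodies are constructed to match the shape of Google's siteverify JSON (`success`, `challenge_ts`, `hostname`, `error-codes`), and the hostname `example.com` is a placeholder.

```python
import json

# Constructed sample replies in the shape the siteverify endpoint returns.
# Note that BOTH would arrive with HTTP status 200.
GOOD_REPLY = json.dumps({
    "success": True,
    "challenge_ts": "2019-01-01T00:00:00Z",
    "hostname": "example.com",
})
BAD_REPLY = json.dumps({
    "success": False,
    "error-codes": ["invalid-input-response"],
})


def weak_status_only_check(status_code, body):
    """The bug from weakcaptcha1.php: siteverify answers 200 OK whether the
    user's response was valid or not, so this accepts every submission."""
    return status_code == 200


def verify_siteverify_reply(status_code, body, expected_hostname=None):
    """Correct check: parse the JSON body and require "success": true.

    Anything unexpected (non-200, unparsable body, missing or false
    success flag, wrong hostname) is treated as a failed CAPTCHA.
    """
    if status_code != 200:
        return False
    try:
        data = json.loads(body)
    except ValueError:
        return False
    if data.get("success") is not True:
        return False
    # Optional defence in depth: the token must have been solved on our site.
    if expected_hostname is not None and data.get("hostname") != expected_hostname:
        return False
    return True


def handle_form(captcha_ok):
    """Decide what the application does. weakcaptcha2.php emitted the positive
    response on both branches; here only the success branch is positive."""
    if captcha_ok:
        return "accepted"
    return "rejected"


def process_submission(captcha_response, siteverify, expected_hostname=None):
    """Always verify before acting. Skipping this call entirely was the bug in
    the third scenario. `siteverify` is a callable (status_code, body) =
    siteverify(response) standing in for the POST to Google's endpoint."""
    if not captcha_response:
        return "rejected"  # empty response: do not even bother the API
    status_code, body = siteverify(captcha_response)
    return handle_form(verify_siteverify_reply(status_code, body, expected_hostname))


if __name__ == "__main__":
    fake_api = lambda response: (200, GOOD_REPLY if response == "solved" else BAD_REPLY)
    print("weak check on bad reply:", weak_status_only_check(200, BAD_REPLY))
    print("correct check on bad reply:", verify_siteverify_reply(200, BAD_REPLY))
    print("garbage response:", process_submission("InvalidAnswerOfCAPTCHA", fake_api))
    print("solved response:", process_submission("solved", fake_api, "example.com"))
```

The hostname check is not part of the page's fix list; it is shown because siteverify returns it and comparing it to your own domain costs one line.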
It is a business requirement to have a CAPTCHA on certain functionalities. If CAPTCHAs are insecure, this can lead to extraction of sensitive data using tools, attacks on authentication, and DoS against users and admins. All of this results in reputation loss for the site owner. To get the CAPTCHA right, choose a CAPTCHA with a good design and implement it well.
GitHub link for all the scripts: https://github.com/securelayer7/Captch-Bypass-Vulnerable-Script