CAPTCHA

CAPTCHA Misconfiguration

Overview of the Vulnerability

A Computer Automated Public Turing Test test to tell Computers and Humans Apart (CAPTCHA) allows applications to tell whether a user is a human or a robot. A CAPTCHA can be bypassed when the implementation or its workflow is misconfigured, or when software can be used to bypass the challenge.

An attacker can bypass the CAPTCHA form and spam the website with queries for registration, login, as well as spam support teams with faulty requests.

Business Impact

CAPTCHA misconfiguration can lead to reputational damage for the business due to a loss in confidence and trust by users. It can also result in indirect financial loss to the business through the extra workloads placed on internal teams to deal with spam from an attacker.

Steps to Reproduce

1. Navigate to the following endpoint with CAPTCHA: {{value}}

2. Use {{software}} to bypass CAPTCHA

Proof of Concept (PoC)

The screenshot(s) below demonstrates the CAPTCHA bypass:

{{screenshot}}

Recommendation(s)

The configuration of CAPTCHAs should be thoroughly tested for design and implementation flaws to prevent an attacker bypassing the CAPTCHA.

For more information, please see:

• https://cwe.mitre.org/data/definitions/804.html

• https://owasp.org/www-project-automated-threats-to-web-applications/assets/oats/EN/OAT-009_CAPTCHA_Defeat