Information Security

Hacking OWASP’s Juice Shop Pt. 20: CAPTCHA Bypass

Posted on by codeblue04

Challenge: 

Name:  CAPTCHA Bypass

Description: Submit 10 or more customer feedbacks within 10 seconds.

Difficulty: 3 star

Category: Broken Anti-Automation

Expanded Description: https://pwning.owasp-juice.shop/part2/broken-anti-automation.html

Tools used:

Burp, FoxyProxy

Resources used:

None.

Methodology: 

As usual, I started with the expanded description, which provided three possible methods for completing this challenge. Only one looked appealing, however.

Submit 10 or more customer feedbacks within 10 seconds The Contact Us form for customer feedback contains a CAPTCHA to protect it from being abused through scripting. This challenge is about beating this automation protection. A completely automated public Turing test to tell computers and humans apart, or CAPTCHA, is a program that allows you to distinguish between humans and computers. First widely used by Alta Vista to prevent automated search submissions, CAPTCHAs are particularly effective in stopping any kind of automated abuse, including brute-force attacks. They work by presenting some test that is easy for humans to pass but difficult for computers to pass; therefore, they can conclude with some certainty whether there is a human on the other end For a CAPTCHA to be effective, humans must be able to answer the test correctly as close to 100 2 percent of the time as possible. Computers must fail as close to 100 percent of the time as possible. • You could prepare 10 browser tabs, solving every CAP TCHA and filling out the each feedback form. Then you'd need to very quickly switch through the tabs and submit the forms in under 10 seconds total. • Should the Juice Shop ever decide to change the challenge into "Submit 100 or more customer feedbacks w,'thin 60 seconds" or worse, you'd probably have a hard time keeping up with any tab- switching approach. • 'Investigate closélVhoWtheCAPTCHAnechamsmyorksanfftrytOfindéitheV4 automatedwayofsolvingutdynamcally Wrap this into a script (in whatever programming language you prefer) that repeats this 10 times.

First let’s figure out how the CAPTCHA mechanism works. I set up Burp and FoxyProxy, then made my way to the Customer Feedback form.

Customer Feedback Author - anonymous Comment burpsuite go brrrr O Max. 160 characters 18/160 Rating CAPTCHA: Result 14 What is 7+6+1 ? Submit

Nothing on the screen jumped out at me, so after filling in the form, I sent it off to Burp for analysis.

Burp Project Dashboard Send Request Intruder Repeater Window Help Logger++ HIT P Request Smuggler Target Intruder Repeater Sequencer Decoder Comparer Extender proje Params Headers Pretty Raw Actions V 1 POST /api/Feedbacks/ HTTP/I.I Host: local host 3000 User-Agent: MoziIIa/S.O (X 11; Linux x86 64; application/ j son, text/ plain, 4 Accept S Accept -Language: en-lJS, Accept -Encoding: gzip, deflate 7 Content -Type: application/ j son Content -Length: 84 Origin: http // I Ocal host 3000 10 Connection: close Referer: http://localhost : 3000/ rv.78.o) Gecko,'20100101 Firefox,'78.o 12 Cookie: language=en; welcomebanner status=dismiss; cookieconsent status=dismiss, con 14 { 'captchald' 'captcha comment rating" : I 'burpsuite go brrrr Search (anonymous) O matches
If you change the rating to “0”, you can also solve the “Zero Stars” challenge.

If “captchaId” is always 0, and the answer to “captchaId” 0 is always 14, then all that really needs to be done to bypass the CAPTCHA and complete the challenge is to send the packet to Burp’s Repeater tab and spam the “Send” button until you see…

You successfully solved a challenge: CAPTCHA Bypass (Submit 10 or more customer feedbacks within 10 seconds.) x

Prevention and Mitigation Strategies:

Use actual CAPTCHA, only allow registered users to submit feedback, and limit the number of feedback comments each registered user is allowed to submit in a given time span.

Lessons Learned and Things Worth Mentioning: 

  1. CAPTCHA is successful for a variety of reasons. Home-brewed CAPTCHA copies are never going to be as sophisticated as the real thing.
  2. While the other two methods suggested in the expanded description would all work, I chose this method because every bit of practice I can get with Burp Suite helps me get more comfortable with it.

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s