Bypassing CAPTCHA
This is why CAPTCHAs are insecure
Anti-automation, also known as rate limiting, prevents attackers from using tools and bots to repeatedly conduct actions within a platform. For example, a web application may resell event tickets which are posted by application users.
A bot may be executed by an attacker to repeatedly use the search functionality until a set of tickets is available to buy. This would strain the web server's computing resources and also give the attacker an unfair advantage, since they could buy the tickets quicker than others.
To prevent this, anti-automation can be used to ensure malicious users are not able to automate a process that should be performed via manual interactions. Anti-automation may be present in various forms, for example Completely Automated Public Turing Test To Tell Computers and Humans Apart (CAPTCHA), WAF, API request limiting and more.
It is really easy to bypass CAPTCHA services that use picture or audio puzzles. Very commonly, Google CAPTCHA V2 is used on web platforms and is vulnerable to bypass for one of several reasons: CAPTCHA farms, Optical Character Recognition and audio-to-text services.
In this article, we're going to use 'buster', a tool in the Google Chrome and Firefox add-on stores that will easily bypass CAPTCHA services:
Using this tool along with Google's own speech-to-text service, we will bypass CAPTCHAs:
Sign up to G-Cloud and enable Speech-To-Text
https://console.cloud.google.com/speech/
Create G-Cloud API Key
Download Buster Firefox plugin
https://addons.mozilla.org/en-US/firefox/addon/buster-captcha-solver
Set G-Cloud API Key within Buster options
Bypass captcha, as shown in the video below
If you want to see this in practice, check out the video below:
Various types of anti-automation mitigation exist to rate limit, restrict traffic, and prevent bots from scraping web applications. In many cases, a CAPTCHA would be enough to deter basic automation and manual attackers. However, when you are faced with advanced attackers looking to access the web application, an advanced bot protection solution must be used.
Advanced bot protections do not typically use any form of CAPTCHA or user input data. Rather, an advanced bot protection solution secures the access points of the website by analyzing the traffic. It categorizes the traffic as a human, a good bot, or a bad bot. Thereafter, it collects and analyzes the bot traffic and finds anomalies in it using machine learning.
Various data models identify real-time bot behavior through comparison with a vendor's own violator database, as well as other detection parameters like device fingerprints. This helps identify malicious bots that are hidden behind shared IP space.
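As an added example (not from the original article or any vendor's product), the sketch below applies a sliding-window rate limit to the ticket-search scenario and shows why the limiter key matters when a bot sits behind shared IP space. The window, the budget, the fingerprint labels and the request log are all constructed assumptions.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 10  # assumed window length
MAX_SEARCHES = 5     # assumed search budget per key within the window


class SlidingWindowLimiter:
    """Allow at most `limit` requests per `window` seconds for each key."""

    def __init__(self, limit=MAX_SEARCHES, window=WINDOW_SECONDS):
        self.limit, self.window = limit, window
        self.events = defaultdict(deque)

    def allow(self, key, ts):
        q = self.events[key]
        while q and ts - q[0] >= self.window:  # drop requests outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False                       # rejected requests use no budget
        q.append(ts)
        return True


def constructed_log():
    """Constructed sample of (timestamp, ip, fingerprint) search requests.
    One NAT address is shared by a bot polling every 0.5 s and two humans."""
    ip = "203.0.113.7"
    log = [(t * 0.5, ip, "fp-bot") for t in range(40)]
    log += [(3.2, ip, "fp-alice"), (11.4, ip, "fp-alice"), (7.9, ip, "fp-bob")]
    return sorted(log)


def by_ip(ip, fp):
    return ip


def by_ip_and_fingerprint(ip, fp):
    return (ip, fp)


def blocked_clients(log, key_fn):
    """Replay the log and count rejected requests per device fingerprint."""
    limiter, blocked = SlidingWindowLimiter(), defaultdict(int)
    for ts, ip, fp in log:
        if not limiter.allow(key_fn(ip, fp), ts):
            blocked[fp] += 1
    return dict(blocked)


if __name__ == "__main__":
    print("keyed by IP only:       ", blocked_clients(constructed_log(), by_ip))
    print("keyed by IP+fingerprint:", blocked_clients(constructed_log(), by_ip_and_fingerprint))
```

Keyed by IP alone, the bot uses up the shared budget and the two human users are rejected with it; keyed by IP plus fingerprint, only the polling client is throttled. A client-supplied fingerprint can be forged, so it is one detection parameter among several rather than a control on its own.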