How to easily bypass human-machine authentication Captcha

The Writeup shared today is a simple human-computer authentication (Captcha) bypass method discovered by the author during the target website vulnerability test. The Chrome developer tools were used to create simple elements on the target website login page. The editor has implemented Captcha bypass.

Human-computer authentication (Captcha) usually appears on the registration, login and password reset pages of the website. The following is the Captcha mechanism arranged by the target website in the login page.

As you can see from the picture above, the user can only click the login button (Sign-IN) after checking "I'm not a robot" of the Captcha verification mechanism. Display will be enabled for users to click on. Therefore, based on this, I right-clicked the Sign-In button, and then used the "Inspect Element" function of Chrome Developer Tools to view the underlying elements of the Sign-In button. At this time, I found that it was in the " After the "Submit" action, the "Disable" attribute is defined. Well, then I will change it to "Enable" and give it a try.

With this change, the login button (Sign-IN) is displayed and clickable. Well, I am indeed not a robot. Human-machine authentication (Captcha) is here It became a decoration.

I was curious about the server-side verification method, so I used BurpSuite to capture packets in the above process. I found that the server did not verify the Captcha operation submitted by the user at the beginning, so , even if I delete the submitted Captcha session content, I can still jump to the login page without triggering the "Enable" attribute.

The above is the detailed content of How to easily bypass human-machine authentication Captcha. For more information, please follow other related articles on the PHP Chinese website!