
I don’t really look for captcha bypass, but this one specified that if a captcha bypass is found it will be rewarded.

So I started looking for the most common places where a captcha can be found, like signup, login and password reset pages. The one I found was on the sign-in page.

As you can see, the sign-in button is disabled and is only enabled after we check I’m not a robot. Since it was disabled, I quickly right-clicked on the button, clicked Inspect Element and changed the disabled parameter to enabled.

The button was now enabled and I could click to sign in.


So I entered the email and password and I was logged in without clicking on I’m not a robot. CAPTCHA BYPASSED

I was still curious what the request looked like, so I opened Burp Suite and looked at the request and noticed that the server didn’t check for the captcha’s response in the first place. I could simply remove the captcha-response and send it, and it redirected me to the dashboard.

There was no need for me to enable the button, I just had to look at the request and remove the captcha response.
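For the defender's side of this finding, here is an added example (not part of the original post, and not the affected site's code) that puts a login handler with the behaviour described above beside one that fails closed on the `captcha-response` field. The account, token values, function names and the `verify_captcha` stand-in for the provider's server-side verify call are all assumptions made for illustration.

```python
import hmac

# Constructed sample data: one account and one token the provider would accept.
# The password is stored in plaintext only to keep the sample short.
USERS = {"alice@example.com": "correct horse battery"}
ISSUED_TOKENS = {"tok-solved-123"}

def verify_captcha(token):
    """Stand-in (assumption) for the server-to-server verify call to the captcha
    provider. Tokens are single-use here, so a replayed token is rejected."""
    if token in ISSUED_TOKENS:
        ISSUED_TOKENS.discard(token)
        return True
    return False

def check_password(email, password):
    stored = USERS.get(email)
    if stored is None:
        return False
    return hmac.compare_digest(stored.encode(), password.encode())

def login_vulnerable(form):
    """Behaviour the post describes: captcha-response is never read server-side,
    so a request without it is handled like any other."""
    if check_password(form.get("email", ""), form.get("password", "")):
        return 302, "/dashboard"
    return 401, "invalid credentials"

def login_hardened(form, verify=verify_captcha):
    """Fail closed: a missing, empty or rejected captcha-response ends the
    request before the credentials are looked at."""
    token = form.get("captcha-response")
    if not isinstance(token, str) or not token.strip():
        return 400, "captcha required"
    if not verify(token):
        return 400, "captcha failed"
    if check_password(form.get("email", ""), form.get("password", "")):
        return 302, "/dashboard"
    return 401, "invalid credentials"

if __name__ == "__main__":
    creds = {"email": "alice@example.com", "password": "correct horse battery"}
    print(login_vulnerable(creds))
    print(login_hardened(creds))
    print(login_hardened({**creds, "captcha-response": "tok-solved-123"}))
```

The disabled button in the browser plays no part in either handler; only the server-side check decides whether the request proceeds.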

I made a quick POC, sent it to the security team and within a day they replied.

I had read previous reports like this in the past to bypass captcha but to find one was great. Hope you learned something from this and if you liked it then please do share and 👏.

Thank You.

Written by

Bug-Bounty | Pentester
