Weak CAPTCHA Implementation
Introduction
If the CAPTCHA on the login page or change-password page is validated only on the client side, an attacker can bypass it with the help of a web proxy tool. Because there is no server-side validation of the CAPTCHA, an attacker can perform attacks such as brute force or automated submission of change-password requests for multiple users.
Impact
A weak CAPTCHA implementation allows an attacker to bypass the protection and perform further attacks, which could result in user account compromise and denial of service.
This vulnerability affects the business and results in the following:
Loss of user confidence
Loss of availability
Loss of reputation
How To Test
Step 1
When trying to log in without the CAPTCHA, the page shows the warning message “You cannot leave Captcha Code Empty”, as in the screenshot below.

Step 2
After filling in the credentials and solving the CAPTCHA, the login proceeds as shown in the screenshot below.

Go to the respective site (e.g. http://localhost/login.php).
Open Burp Suite Community Edition. Here is the blog post on configuring it with your browser.
In Burp Suite, go to the Proxy tab and then to HTTP history. Send any request to the Repeater by right-clicking on the packet, as shown in the screenshots below.


In this request, remove the “g-recaptcha-response” parameter together with its value and send the request; a 302 response is returned.

The login to the home page succeeds even though the CAPTCHA was removed before the request was sent, as shown in the screenshots below.


This major problem happens because the CAPTCHA is validated only on the client side and not on the server side. That is why we could log into the application so easily by following the steps above.
How to Fix
We recommend the following best practices:
Server-side validation should be implemented.
No CAPTCHA information should be stored on the client side.
The client should have no "control" over the CAPTCHA content.
CAPTCHA images should not be reused.
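The following is an added example, not code from the original write-up, that puts the test steps above and the four recommendations side by side. It models a self-hosted CAPTCHA whose answer is generated by and kept only on the server (an assumption; with a third-party service such as reCAPTCHA the server would instead verify the token against the provider's API). The function names, the in-memory session store, the demo user and the form field name "g-recaptcha-response" are constructed for the illustration. login_client_side_only reproduces the weak pattern: the browser's JavaScript enforces a non-empty field, but the server never inspects it, so the proxy-edited request with the field removed still yields the 302. login_server_side rejects a missing or empty field, consumes each challenge on first use so it cannot be reused, and compares in constant time.

```python
import hmac
import secrets
import string

# Constructed demo credential store; a real application compares a password hash.
USERS = {"alice": "correct-horse-battery"}

# Constructed server-side session store: session id -> pending CAPTCHA answer.
# The answer lives only here; the client receives the rendered challenge, never a
# copy of the answer or any say in what the challenge contains.
PENDING_CAPTCHAS = {}

CAPTCHA_ALPHABET = string.ascii_uppercase + string.digits


def issue_captcha(session_id, length=6):
    """Generate a fresh challenge for this session and remember the answer server-side.

    The return value stands in for the image the browser would render.
    """
    answer = "".join(secrets.choice(CAPTCHA_ALPHABET) for _ in range(length))
    PENDING_CAPTCHAS[session_id] = answer
    return answer


def check_credentials(form):
    """Return an HTTP status: 302 (redirect to the home page) on success, 401 otherwise."""
    if USERS.get(form.get("username")) == form.get("password"):
        return 302
    return 401


def login_client_side_only(session_id, form):
    """Weak pattern from the write-up: the server trusts the browser to have checked
    the CAPTCHA and never reads 'g-recaptcha-response' itself, so deleting the
    parameter in a proxy changes nothing."""
    return check_credentials(form)


def login_server_side(session_id, form):
    """Hardened handler: the CAPTCHA is verified on the server before the password.

    - a missing or empty field is rejected (400)
    - the stored answer is consumed on first use, even when the attempt fails,
      so a solved challenge cannot be replayed for brute force
    - the comparison is constant-time and case-insensitive
    """
    expected = PENDING_CAPTCHAS.pop(session_id, None)
    supplied = form.get("g-recaptcha-response", "").strip().upper()
    if expected is None or not supplied:
        return 400  # no challenge outstanding, or the client removed the field
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return 400
    return check_credentials(form)


if __name__ == "__main__":
    sid = "session-demo"
    issue_captcha(sid)
    stripped = {"username": "alice", "password": "correct-horse-battery"}
    print("client-side only, field removed:", login_client_side_only(sid, stripped))  # 302
    print("server-side, field removed:     ", login_server_side(sid, stripped))       # 400
    challenge = issue_captcha(sid)  # the failed attempt consumed the previous one
    solved = {**stripped, "g-recaptcha-response": challenge}
    print("server-side, solved:            ", login_server_side(sid, solved))         # 302
    print("server-side, replayed:          ", login_server_side(sid, solved))         # 400
```

Note that the hardened handler checks the CAPTCHA before the credentials, so a request with the parameter stripped never reaches the password comparison, and a single solved challenge buys exactly one login attempt.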