Skip to content

Latest commit

 

History

History
36 lines (30 loc) · 2.89 KB

File metadata and controls

36 lines (30 loc) · 2.89 KB

Docker Image Size (latest by date) Docker Pulls

Captcha Logical Bypass Scenarios (Challenges)

This repository is a dockerized PHP application containing some captcha logical bypass challenges (scenarios).

OWASP References:

  • Classification: Web Application Security Testing > 04-Authentication Testing
  • WSTG: Testing for Weak Lock Out Mechanism(WSTG-ATHN-03)
  • OTA: CAPTCHA Defeat(OAT-009)

Bypass Techniques

The ideas behind challenges are:

  • Bypass using empty captcha
  • Bypass by removing captcha parameter
  • Bypass using the logical bug in generation and expiration of captcha
  • Bypass using PHP type juggling
  • Bypass captchas that are shown after specific number of wrong tries
  • Bypass captchas that are shown after specific number of wrong tries from a specific IP (Website is behind WAF)

Quick Start Using Docker

Using docker hub (Quickest):

  1. To access the challenges, you need docker installed.
  2. Run this command to pull and run the image from docker hub:
    sudo docker run -d -p 9002:80 moeinfatehi/captcha_logical_bypass_scenarios
  3. Access the challenges with this URL: http://localhost:9002

Using docker-compose:

  1. To access the challenges, you need docker and docker-compose installed.
  2. Clone the repository
    git clone https://github.com/moeinfatehi/captcha_logical_bypass_scenarios.git
  3. Open the main directory of the project (where docker-compose.yml file exists) and run: docker-compose up
  4. Access the challenges with this URL: http://localhost:9002

Disclaimer

This project is for educational purposes ONLY. The usual disclaimer applies, especially the fact that I'm not liable for any damages caused by the direct or indirect use of the information or functionality provided by these programs. The author or any Internet provider bears NO responsibility for content or misuse of these programs or any derivatives thereof. By using these projects you accept the fact that any damage (data loss, system crash, system compromise, etc.) caused by the use of this program is not my responsibility.

Hack And Have Fun!

If you have any further questions, please don't hesitate to contact me via my twitter account.