Help
Technical Articles
F5 SMEs share good practice.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions

OWASP Automated Threats - CAPTCHA Defeat (OAT-009)

Kyle_Roberts
F5 Employee
F5 Employee

on ‎11-Aug-2022 05:00 - edited on ‎27-Apr-2023 14:35 by Community Manager

Introduction:

In this OWASP Automated Threat Article we'll be highlighting OAT-009 CAPTCHA Defeat with some basic threat information as well as a recorded demo to dive into the concepts deeper. In our demo we'll show how CAPTCHA Defeat works with Automation Tools to allow attackers to accomplish their objectives despite the presence of CAPTCHA's intended purpose of preventing unwanted automation. We'll wrap it up by highlighting F5 Bot Defense to show how we solve this problem for our customers.

CAPTCHA Defeat Description:

Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA) challenges are used to distinguish normal users from bots. Automation is used in an attempt to analyse and determine the answer to visual and/or aural CAPTCHA tests and related puzzles. Apart from conventional visual and aural CAPTCHA, puzzle solving mini games or arithmetical exercises are sometimes used. Some of these may include context-specific challenges.

The process that determines the answer may utilise tools to perform optical character recognition, or matching against a prepared database of pre-generated images, or using other machine reading, or human farms.

OWASP Automated Threat (OAT) Identity Number

OAT-009

Threat Event Name

CAPTCHA Defeat

Summary Defining Characteristics

Solve anti-automation tests.

OAT-009 Attack Demographics:

Sectors Targeted Parties Affected Data Commonly Misused Other Names and Examples Possible Symptoms
Education Application Owners Authentication Credentials Breaking CAPTCHA High CAPTCHA solving success rate on fraudulent accounts
Entertainment     CAPTCHA breaker Suspiciously fast or fixed CAPTCHA solving times
Financial     CAPTCHA breaking  
Government     CAPTCHA bypass  
Retail     CAPTCHA decoding  
Social Networking     CAPTCHA solver  
      CAPTCHA solving  
      Puzzle solving  

CAPTCHA Defeat Demo:

In this demo we will be showing how it’s possible to leverage real human click farms via CAPTCHA solving services like 2CAPTCHA to bypass reCAPTCHA. We'll then have a look at the same attack with F5 Distributed Cloud Bot Defense protecting the application.

 

In Conclusion:

CAPTCHAs are only a speed bump for motivated attackers while introducing considerable friction for legitimate customers. Today, we’re at a point where bots solve CAPTCHAs more quickly and easily than most humans. Check out our additional resource links below to learn more.

OWASP Links

F5 Related Content

Labels:
Comments
Ted_Byerly
Legacy Employee
Legacy Employee
‎11-Aug-2022 12:33

Very nice video and explaination of how easy it is to bypass CAPTCHA

Version history
Last update:
‎27-Apr-2023 14:35
Updated by:
Community Manager
Copyright © 2023 Khoros, LLC