Kyle_Roberts
F5 Employee
Introduction:

In this OWASP Automated Threat Article we'll be highlighting OAT-009 CAPTCHA Defeat with some basic threat information as well as a recorded demo that dives deeper into the concepts. In our demo we'll show how CAPTCHA Defeat works with automation tools to let attackers accomplish their objectives despite CAPTCHA's intended purpose of preventing unwanted automation. We'll wrap it up by highlighting F5 Bot Defense to show how we solve this problem for our customers.

CAPTCHA Defeat Description:

Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA) challenges are used to distinguish normal users from bots. Automation is used in an attempt to analyse and determine the answer to visual and/or aural CAPTCHA tests and related puzzles. Apart from conventional visual and aural CAPTCHA, puzzle solving mini games or arithmetical exercises are sometimes used. Some of these may include context-specific challenges.

The process that determines the answer may utilise tools to perform optical character recognition, or matching against a prepared database of pre-generated images, or using other machine reading, or human farms.

OWASP Automated Threat (OAT) Identity Number

OAT-009

Threat Event Name

CAPTCHA Defeat

Summary Defining Characteristics

Solve anti-automation tests.

OAT-009 Attack Demographics:

Sectors Targeted: Education, Entertainment, Financial, Government, Retail, Social Networking

Parties Affected: Application Owners

Data Commonly Misused: Authentication Credentials

Other Names and Examples: Breaking CAPTCHA, CAPTCHA breaker, CAPTCHA breaking, CAPTCHA bypass, CAPTCHA decoding, CAPTCHA solver, CAPTCHA solving, Puzzle solving

Possible Symptoms: High CAPTCHA solving success rate on fraudulent accounts; Suspiciously fast or fixed CAPTCHA solving times
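The two "Possible Symptoms" listed above (an unusually high solve success rate across fraudulent accounts, and suspiciously fast or fixed solve times) can be turned into simple detection logic over CAPTCHA verification logs. The following is an added example written for this article, not code from the article, from OWASP or from F5 Bot Defense. The log format, the source addresses, the account names and the thresholds are all constructed assumptions; the thresholds in particular should be tuned against your own baseline of human solve behaviour.

```python
"""Added example: flag per-source CAPTCHA activity matching the OAT-009 symptoms.

Assumptions (not from the article): each CAPTCHA verification writes one log line
of the form "<ts> src=<ip> acct=<account> result=pass|fail solve_ms=<ms>", where
solve_ms is the time between challenge render and submitted answer.
"""
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log lines (documentation/test address ranges, fake accounts).
# 203.0.113.10 and 192.0.2.44 look like ordinary users; 198.51.100.7 solves every
# challenge in an identical 1.5 s across many new accounts (scripted solver);
# 203.0.113.77 takes human-like, varied times but never fails across eight new
# accounts (consistent with an outsourced solving service feeding a bot).
SAMPLE_LOG = """\
2022-08-09T15:00:01Z src=203.0.113.10 acct=user_a17 result=pass solve_ms=8412
2022-08-09T15:00:04Z src=203.0.113.10 acct=user_a17 result=fail solve_ms=7120
2022-08-09T15:00:09Z src=203.0.113.10 acct=user_a17 result=pass solve_ms=9350
2022-08-09T15:00:11Z src=198.51.100.7 acct=new_0001 result=pass solve_ms=1500
2022-08-09T15:00:12Z src=198.51.100.7 acct=new_0002 result=pass solve_ms=1500
2022-08-09T15:00:13Z src=198.51.100.7 acct=new_0003 result=pass solve_ms=1500
2022-08-09T15:00:14Z src=198.51.100.7 acct=new_0004 result=pass solve_ms=1500
2022-08-09T15:00:15Z src=198.51.100.7 acct=new_0005 result=pass solve_ms=1500
2022-08-09T15:00:16Z src=198.51.100.7 acct=new_0006 result=pass solve_ms=1500
2022-08-09T15:00:18Z src=192.0.2.44 acct=user_b02 result=fail solve_ms=14200
2022-08-09T15:00:31Z src=192.0.2.44 acct=user_b02 result=pass solve_ms=11875
2022-08-09T15:01:00Z src=203.0.113.77 acct=acct_9001 result=pass solve_ms=6200
2022-08-09T15:01:07Z src=203.0.113.77 acct=acct_9002 result=pass solve_ms=5800
2022-08-09T15:01:17Z src=203.0.113.77 acct=acct_9003 result=pass solve_ms=9100
2022-08-09T15:01:25Z src=203.0.113.77 acct=acct_9004 result=pass solve_ms=7400
2022-08-09T15:01:33Z src=203.0.113.77 acct=acct_9005 result=pass solve_ms=6650
2022-08-09T15:01:42Z src=203.0.113.77 acct=acct_9006 result=pass solve_ms=8300
2022-08-09T15:01:50Z src=203.0.113.77 acct=acct_9007 result=pass solve_ms=7050
2022-08-09T15:01:57Z src=203.0.113.77 acct=acct_9008 result=pass solve_ms=5900
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) acct=(?P<acct>\S+) "
    r"result=(?P<result>pass|fail) solve_ms=(?P<solve_ms>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["solve_ms"] = int(rec["solve_ms"])
    return rec


def profile_sources(log_text):
    """Group CAPTCHA events by source address and compute per-source statistics."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_src[rec["src"]].append(rec)
    stats = {}
    for src, recs in by_src.items():
        times = [r["solve_ms"] for r in recs]
        passes = sum(1 for r in recs if r["result"] == "pass")
        stats[src] = {
            "attempts": len(recs),
            "success_rate": passes / len(recs),
            "mean_ms": mean(times),
            "stdev_ms": pstdev(times),       # population std dev; 0 means fixed timing
            "accounts": len({r["acct"] for r in recs}),
        }
    return stats


def flag_sources(stats, min_attempts=5, max_success_rate=0.95,
                 min_mean_ms=3000, min_stdev_ms=500):
    """Return {source: [reasons]} for sources showing the OAT-009 symptoms.

    Thresholds are assumed starting points, not values from the article or from
    any product; sources with fewer than min_attempts events are not judged.
    """
    flagged = {}
    for src, s in stats.items():
        if s["attempts"] < min_attempts:
            continue
        reasons = []
        if s["success_rate"] > max_success_rate:
            reasons.append("high_success_rate")   # near-perfect solving
        if s["mean_ms"] < min_mean_ms:
            reasons.append("fast_solves")         # faster than a human baseline
        if s["stdev_ms"] < min_stdev_ms:
            reasons.append("fixed_solve_time")    # machine-like, constant timing
        if reasons:
            flagged[src] = reasons
    return flagged


if __name__ == "__main__":
    for src, reasons in flag_sources(profile_sources(SAMPLE_LOG)).items():
        print(src, reasons)
```

Run as a script it lists the two constructed offending sources with their reasons. Note that the service-assisted pattern (203.0.113.77) trips only the success-rate rule: human solvers produce human-looking timing, which is why the article's point about click farms matters, and why success rate across many distinct new accounts per source is the more robust of the two signals.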

CAPTCHA Defeat Demo:

In this demo we will be showing how it's possible to leverage real human click farms via CAPTCHA solving services like 2CAPTCHA to bypass reCAPTCHA. We'll then have a look at the same attack with F5 Distributed Cloud Bot Defense protecting the application.


In Conclusion:

CAPTCHAs are only a speed bump for motivated attackers while introducing considerable friction for legitimate customers. Today, we’re at a point where bots solve CAPTCHAs more quickly and easily than most humans. Check out our additional resource links below to learn more.

OWASP Links

OWASP Automated Threats to Web Applications Home Page

OWASP Automated Threats Identification Chart

OWASP Automated Threats to Web Applications Handbook

F5 Related Content

F5 Bot Defense Solutions

F5 Labs "I Was a Human CAPTCHA Solver"

The OWASP Automated Threats Project

How Attacks Evolve From Bots to Fraud Part 1

How Attacks Evolve From Bots to Fraud Part 2

F5 Distributed Cloud Bot Defense

F5 Labs 2021 Credential Stuffing Report

Comments
Ted_Byerly
F5 Employee

Very nice video and explanation of how easy it is to bypass CAPTCHA

Last update: 09-Aug-2022 15:22