OWASP Automated Threats - CAPTCHA Defeat (OAT-009)
Introduction:
In this OWASP Automated Threat article we'll be highlighting OAT-009 CAPTCHA Defeat with some basic threat information as well as a recorded demo to dive deeper into the concepts. In our demo we'll show how CAPTCHA Defeat works with automation tools to let attackers accomplish their objectives despite CAPTCHA's intended purpose of preventing unwanted automation. We'll wrap it up by highlighting F5 Bot Defense to show how we solve this problem for our customers.
CAPTCHA Defeat Description:
Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA) challenges are used to distinguish normal users from bots. Automation is used in an attempt to analyse and determine the answer to visual and/or aural CAPTCHA tests and related puzzles. Apart from conventional visual and aural CAPTCHA, puzzle solving mini games or arithmetical exercises are sometimes used. Some of these may include context-specific challenges.
The process that determines the answer may use optical character recognition, matching against a prepared database of pre-generated images, other machine-reading techniques, or human farms.
| OWASP Automated Threat (OAT) Identity Number | Threat Event Name | Summary Defining Characteristics |
|---|---|---|
| OAT-009 | CAPTCHA Defeat | Solve anti-automation tests. |
OAT-009 Attack Demographics:
| Sectors Targeted | Parties Affected | Data Commonly Misused | Other Names and Examples | Possible Symptoms |
|---|---|---|---|---|
| Education | Application Owners | Authentication Credentials | Breaking CAPTCHA | High CAPTCHA solving success rate on fraudulent accounts |
| Entertainment | | | CAPTCHA breaker | Suspiciously fast or fixed CAPTCHA solving times |
| Financial | | | CAPTCHA breaking | |
| Government | | | CAPTCHA bypass | |
| Retail | | | CAPTCHA decoding | |
| Social Networking | | | CAPTCHA solver | |
| | | | CAPTCHA solving | |
| | | | Puzzle solving | |
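The "Possible Symptoms" column above (high solving success rate, suspiciously fast or fixed solving times) can be turned into a simple per-account detection heuristic. The following is an added example, not code from the article or from F5; the log format, the account names and the thresholds are all constructed assumptions.

```python
import statistics
from collections import defaultdict

# Constructed sample log (not from the article): one CAPTCHA attempt per line,
# formatted as "account issued_ms solved_ms result".
SAMPLE_LOG = """\
alice 1000 4200 ok
alice 9000 13100 ok
alice 20000 22500 fail
alice 30000 35400 ok
carol 1000 7000 ok
carol 10000 13500 ok
carol 20000 28200 ok
carol 30000 34400 ok
bot1 1000 1450 ok
bot1 2000 2450 ok
bot1 3000 3450 ok
bot1 4000 4450 ok
bot2 1000 1120 ok
bot2 2000 2900 ok
bot2 3000 3500 ok
bot2 4000 5300 ok
"""

def parse_log(text):
    """Group (solve_time_seconds, succeeded) pairs by account."""
    per_account = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        account, issued, solved, result = line.split()
        per_account[account].append(((int(solved) - int(issued)) / 1000.0, result == "ok"))
    return per_account

def flag_accounts(per_account, min_attempts=4, fast_s=1.5, max_spread_s=0.2, min_success=0.9):
    """Return {account: [symptoms]} for accounts showing at least two of the listed symptoms.
    Thresholds are assumed placeholders; tune them against your own solve-time baseline."""
    flagged = {}
    for account, attempts in per_account.items():
        if len(attempts) < min_attempts:
            continue  # too little data to judge
        times = [t for t, _ in attempts]
        success_rate = sum(ok for _, ok in attempts) / len(attempts)
        reasons = []
        if success_rate >= min_success:
            reasons.append("high_success_rate")
        if statistics.median(times) < fast_s:
            reasons.append("fast_solves")
        if max(times) - min(times) <= max_spread_s:
            reasons.append("fixed_solve_time")
        if len(reasons) >= 2:  # a single symptom alone is weak evidence
            flagged[account] = reasons
    return flagged
```

Here `carol` solves every challenge but at human-like, varied speeds and is not flagged, while `bot1` (fixed 0.45 s solves) and `bot2` (sub-second, always correct) are.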
CAPTCHA Defeat Demo:
In this demo we will be showing how it’s possible to leverage real human click farms via CAPTCHA solving services like 2CAPTCHA to bypass reCAPTCHA. We'll then have a look at the same attack with F5 Distributed Cloud Bot Defense protecting the application.
In Conclusion:
CAPTCHAs are only a speed bump for motivated attackers while introducing considerable friction for legitimate customers. Today, we’re at a point where bots solve CAPTCHAs more quickly and easily than most humans. Check out our additional resource links below to learn more.
OWASP Links
- OWASP Automated Threats to Web Applications Home Page
- OWASP Automated Threats Identification Chart
- OWASP Automated Threats to Web Applications Handbook
F5 Related Content
- Deploy Bot Defense on any Edge with F5 Distributed Cloud (SaaS Console, Automation)
- F5 Bot Defense Solutions
- F5 Labs "I Was a Human CAPTCHA Solver"
- The OWASP Automated Threats Project
- How Attacks Evolve From Bots to Fraud Part: 1
- How Attacks Evolve From Bots to Fraud Part: 2
- F5 Distributed Cloud Bot Defense
- F5 Labs 2021 Credential Stuffing Report
Ted_Byerly (Ret. Employee): Very nice video and explanation of how easy it is to bypass CAPTCHA