1. Home
  2. Training Library
  3. Web Penetration Testing with Juice Shop

Captcha Bypass

Start course
Overview
Difficulty
Intermediate
Duration
2h 6m
Students
14
Description

This course puts into practice a lot of the concepts we've covered so far. We'll be using a vulnerable website called Juice Shop to solve a variety of challenges. This will give us opportunity to practice what we have learned so far, and also learn about new techniques and new vulnerabilities as well, such as XX vulnerabilities.

Transcript

Hi, within this lecture we're going to solve this problem, the submit 10 or more customer feedbacks within 10 seconds. Apparently, it has some sort of a captcha bypass or a captcha bypass challenge. So, let's see it. Let's go to customer feedback. As you can see, it's asking for a captcha. If you come over here you can see the author is test2@gmail.com,  and in the comment section we can write anything we want, as long as we choose a rating, and as long as we do this math problem, we can submit it. For example, if I say 20, then it's going to come over here but I cannot do this very fast.

Even if I do this mathematic problems very fast, I cannot send 10 customer feedbacks with less than 10 seconds. As you can see, I can only send three or four maybe at most. So, how do we do that? First, we're going to have to understand what's going on in this captcha  and we can use Burp Suite in order to leverage that later on. I'm going to turn to intercept on off, and I'm going to come over here to network, in the inspect element. Let's see how we can use the network section. So, if we refresh this, as you can see, we see all the get requests and all the requests actually that has been made for this page and we haven't seen this before because we didn't have to, because we have seen everything in the Burp Suite but it can be sometimes helpful as well. For example, if you find this REST API okay, this thing over here, the captcha itself, you can see the details of the captcha in the network tab of this inspection.

So, you can see the response tab on the right hand side,  and in the response you can see the captcha result. So, as you can see it's asking for the answer, minus four in this case. this case. Of course, we don't have to come over here and see the answer, we can do the math ourselves, but we can see the logic behind this captcha. As you can see we have a captcha ID which is 11, in this case, and we have the captcha answer on the right hand side. So, what they did, they created a key-value pairing. So, in the key we have this captcha ID  which is 11  and for the value we are expecting to see the answer minus four. So, if we can find the answer, if we can find the capture ID, we can actually just use the same answer over here. So, we're going to do this on Burp Suite. So, let me come over here to submit. Okay, we can see every detail over there. I'm going to send this to repeater obviously, and as you can see we have the capture ID like 11 and captcha answer is -4. So, if I send this, it will be successful. So, if I send this couple of times like this, like ten times to be exact, then it means that I have sent this request ten times in less than 10 seconds. And as you can see, we actually solved this captcha bypass.

So, it was pretty easy to do that using repeater. So, if we go to administration right now, we can see all of these things. And by the way, as you can see, we are logged in as test2@gmail.com, and we created this with administrator privileges and we can reach the administration dashboard here as well. Which makes sense because we saw that challenge  in the previous lecture, and as you can see, we see all the ratings that we have left over here. We actually, we have left more than 10 in less than 10 seconds. So, we successfully solve that challenge. Thanks to Burp Suite, again. So, let's go back to scoreboard and see if we can find anything more fun to solve within this three star rating challenges. Let's do that in the next lecture.

About the Author
Students
909
Courses
55
Learning Paths
3

Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.