Captcha Bypass - Sapsan Pentesting Notes

Captcha Bypass

To automate the testing of some functions of the server that allows user input it could be needed to bypass a captcha implementation. Test these things:

Do not send the parameter related to the captcha.
Send the captcha parameter empty.
Check if the value of the captcha is in the source code of the page.
Check if the value is inside a cookie.
Check if you can use the same captcha value several times with the same or different sessionID.
If the captcha consists on a mathematical operation try to automate the calculation.
If the captcha consists on read characters from an image, check manually or with code how many images are being used and if only a few images are being used, detect them by MD5.
Use an OCR (https://github.com/tesseract-ocr/tesseract).