Breaking CAPTCHA without OCR


Breaking CAPTCHAs Without Using OCR
For my own PHP CAPTCHA implementation, click here.

This article details a method I have discovered to bypass CAPTCHA security, without having to use Optical Character Recognition software. It depends on an implementation problem that was quite common among CAPTCHA scripts when I originally published this in May 2005.
Most CAPTCHAs don’t destroy the session when the correct phrase is entered. So by reusing the session id of a known CAPTCHA image, it is possible to automate requests to a CAPTCHA-protected page.

I have tested a number of free and commercial CAPTCHA scripts, and most of them are vulnerable to this method of exploitation. This includes the popular humanVerify solution, and many others.

manual steps:
connect to captcha page
record session ID and captcha plaintext

automated steps:
resend session ID and CAPTCHA plaintext any number of times, changing the user data, eg:
POST /vuln_script.php HTTP/1.0
Cookie: PHPSESSID=329847239847238947;
^^^ this is the session id of the page you looked at manually
Content-Length: 49
Connection: close;

name=bob&email=&captcha=the_plaintext
^^^ this includes the captcha string for the page you looked at manually

the other user data can change on each request

you can then automate hundreds, if not thousands of requests, until the session expires, at which point you just repeat the manual steps and then reconnect with a new session id and captcha text.

This is easy to fix, here’s the vulnerable pseudocode:

if form_submitted and captcha_stored!=”” and captcha_sent=captcha_stored then
process_form();
endif:

fixed psuedocode:

if form_submitted and captcha_stored!=”” and
captcha_sent=captcha_stored then
captcha_stored=””;
process_form();
endif:

- it’s a one line fix!

Vulnerable CAPTCHA Scripts
tested scripts: (list taken from wikipedia’s CAPTCHA page)

scripts were first tested during May 2005, and re-tested in August 2005.

————————————————-
humanVerify (Multilingual)
vulnerable (this product has 325 registered users)
————————————————-
drupal Captcha (PHP)
4.4- vulnerable, 4.5+ OK
————————————————-
del.icio.us/register
was vulnerable, fixed after I alerted them
————————————————-
tacs 0.1.2 (PHP)
vulnerable
————————————————-
gotcha (PHP)
vulnerable
UPDATE:
no longer vulnerable
————————————————-
Lanap BotDetect (ASP/ASP.NET)
vulnerable
UPDATE:
no longer seems vulnerable, not 100% sure.
————————————————-
code project CAPTCHA (ASP)
vulnerable
————————————————-
freeCap (my own script) (PHP)
1.3+ not vulnerable
————————————————-
audit (PHP)
not vulnerable
————————————————-
Block AutoSubmit (PHP)
not vulnerable
————————————————-
captchas.net service (python/PHP/PERL)
not vulnerable
————————————————-

“only as secure as the weakest link in the chain” springs to mind.

I also managed to automate requests to www.captcha.net’s demos, but having examined the implementation of their system, I think it’s only the -demo- that’s vulnerable.

I would appreciate info on other vulnerable/not vulnerable scripts, as I only have limited resources.

Another vulnerability that most CAPTCHA scripts have is again in their use of sessions; if you’re on an insecure shared server, any user on that server may have access to everyone else’s session files, so even if your site is totally secure, a vulnerability on any other website hosted on that machine can lead to a compromise of your session data, and hence, your CAPTCHA script. freeCap gets around this by only storing a hash of the CAPTCHA word in the session, thus even if someone can read your session files, they can’t find out what the CAPTCHA word is.

If you would like me to test your CAPTCHA scripts (for free), and give advice on how to protect against this type of attack, please email me at . Note that I’m not an OCR expert, and can’t help with anything to do with OCR (sorry!).

Traditional CAPTCHA-breaking software involves using image recognition routines to decode CAPTCHA images. This approach bypasses the need to do any of that, making it easy to hack CAPTCHA images. What’s great though is that it is really simple to fix, which means your scripts and programs have no excuse to be insecure now!


Related Posts:

, , , , , ,

  1. #1 by Anwar on May 17, 2009 - 5:02 am

    thanks ! its helpful

  2. #2 by James on June 9, 2009 - 8:37 pm

    Will this work with lylacaptcha?? Is there anything that does?

  3. #3 by essays online on October 12, 2009 - 8:17 am

    what is the reason of breaking captcha?

    • #4 by prepaid simcards on October 27, 2009 - 7:59 pm

      The reason would be to automate the submission of a form (such as a register form)

  4. #5 by online ocr on October 29, 2009 - 1:01 pm

    Thanks for sharing this info.
    Some online OCR services are usefull too.
    This one for example http://www.newocr.com/

  5. #6 by gry planszowe on December 10, 2009 - 11:14 am

    Great post! This is cool tric to bypass captcha :) however it won’t work with many sites I still find some where it works :)

  6. #7 by n.prabhu on December 12, 2009 - 9:28 am

    we need some online ocr works

  7. #8 by Jonny on January 8, 2010 - 10:14 pm

    how does a captcha seem to direct me to one of two servers on a gaming site? is the choice of server random or do the numbers play a part?

  8. #9 by Sleem on January 20, 2010 - 10:38 pm

    Does anyone recommend a good software that breaks CAPTCHAs? with a good success rate?

    plz send me a message on my web site, thanks

  9. #10 by Rawkon on April 21, 2010 - 5:07 pm

    how can i use this exploit?
    i didn’t understand anything…

  10. #11 by iPhone4Spiel on July 17, 2010 - 12:51 am

    How did you manage the request to server? I downloaded the image and solved it manually but when i resubmit it it fails..

  11. #12 by difference on September 20, 2010 - 4:16 am

    Hi, it seams tacs 0.1.2 (PHP) is no longer vulnerable.

  12. #13 by net voyance on September 20, 2010 - 5:03 am

    I’m agree with you, tacs 0.1.2 isn’t vulnerable now…

  13. #14 by egipt wakacje on September 23, 2010 - 6:08 am

    @up – you know it’s now hard to find those type of captcha cause people already know about this bug and are flodded with spam. However it’s worth trying to find such a site cause you can still find really good spot to spam;)

  14. #15 by Jackson on October 2, 2010 - 1:58 am

    If you are today looking for an OCR tool compatible with any platforms like Windows, Linux and Mac, a site that can do OCR for you online may attract you: goodocr.com. The result looks promising to me (English only).

  15. #16 by sprachreise für schüler on October 18, 2010 - 3:48 am

    Bad thing. Broken captchas are a security problem for my site too.

  16. #17 by Death By Captcha on October 22, 2010 - 11:19 am

    Hi Guys,
    If this exploit didn’t work for you, you can always try Human Solving Services. They’re ususally under $2 per 1K CAPTCHA that are correctly solved.

    Check out Death By Captcha, they’re only $1.39 for 1K CAPTCHA.

  17. #18 by chomikuj wyszukiwarka on November 10, 2010 - 2:57 am

    These are some great ideas to break captchas:) However more of this is nowadays complicated and have some more security addons. I think that the best option is to use some captcha breaking services.

  18. #19 by tunezja on November 15, 2010 - 2:39 am

    This is still good method but needs a little twist:) If you find proper script in which you can bypass captcha the easy way you can find a lot of websites with long history on which you can put your link :)

  19. #20 by GEORGEMORON on November 16, 2010 - 8:00 am

    Uh oh
    This probably won’t work with WordPress ReCaptcha and Shitmail.me :(

  20. #21 by Janib Soomro on November 21, 2010 - 10:36 pm

    Nice sharing but it would be more easir for newbies to undertand it you could tell us how to obtain the PHPSessionID or remaining technical details!

  21. #22 by egipt wakacje on November 22, 2010 - 3:24 am

    You can check how to obtain the PHPSession in the php manual. There are also a lot of examples in the internet look for ‘curl phpsession’ and you will find it :)

  22. #23 by Pascal on November 25, 2010 - 5:27 pm

    tacs 0.1.2 (PHP)

    >> broken link

  23. #24 by Gustavo on December 14, 2010 - 7:18 am

    Ola gostaria de manter a sessao de um website, e gostaria de sua ajuda, voce pode me ajudar?

  24. #25 by Bagesh kumar bagi on December 20, 2010 - 3:23 am

    can u give me the coding of generating capture……..

    plese sen this code at

  25. #26 by bypasscaptcha.com on January 11, 2011 - 1:31 am

    You are right. It is a little hard for them to ignore this, because they can not change details in SESSION. If they do not, when you open two windows, there will be problems because they share the same SESSION. However, as recaptcha.net did, you can just record all generated captchas and record whether they have already been used :) This waste database space, but it helps.

  26. #27 by Perth immigration agent on February 10, 2011 - 9:37 pm

    Bagesh kumar bagi, google Gotcha and you’ll find the captcha script. Otherwise, depending on the purpose use something like jotform – it takes a lot of the work out of it.

  27. #28 by bali ratih on February 28, 2011 - 8:20 am

    broken captcha will be problem
    for all admin website

  28. #29 by Seoine Kubaseoträume on March 3, 2011 - 10:04 am

    good work, many thanks for sharing!

  29. #30 by Insider on March 3, 2011 - 2:01 pm

    What a cool idea, great. ;-)

  30. #31 by Garagentorantriebe on March 21, 2011 - 2:21 am

    great code from you thanks for sharing it

  31. #32 by KubaSeoTräume on March 24, 2011 - 12:40 pm

    Sounds interesting!
    so i will try to break the captcha, wish me the best ;)

  32. #33 by iPhone4 on April 11, 2011 - 1:32 am

    thanks for sharing

  33. #34 by Kint Verbal on September 15, 2011 - 12:01 pm

    Cauldron, what if you had to choose between a backbreaking job and typing some billion letters you see on 100 screens at the same time all day?

  34. #35 by Gummipuppe on September 18, 2011 - 3:56 pm

    Thanks for sharing this code. It will find use for me.

  35. #36 by Pev on January 18, 2012 - 3:29 pm

    Thank you for sharing the code I will use it as soon as possible. I’m agree with you man and we’re trying to find a good software in order to break Captcha.

  36. #37 by Nineteen Nike on June 30, 2012 - 1:28 pm

    where’d nice am jealous ;) would you rent me ad space for monthly fee ?

  37. #38 by James on July 25, 2012 - 4:31 pm

    I think the pseudo-code fix is flawed. Maybe I’m wrong, but it seems to me that you should be unsetting the captcha data in the session regardless of a true/false result in your condition. Otherwise it will only clear the session data on a successful post.

  38. #39 by PC Support on July 31, 2012 - 3:21 pm

    however it won’t work with many sites I still find some where it works :)

  39. #40 by george on August 24, 2012 - 4:55 pm

    Can we get an update on this please? :)

  40. #41 by cauldron on August 29, 2011 - 3:45 am

    Well if you had to choose between a backbreaking job and typing some letters you see on the screen all day?

    you americans are way too spoiled

  41. #42 by Kint Verbal on September 15, 2011 - 12:02 pm

    What if you had to choose between a backbreaking job and typing some hundred million letters you see on 100 different screens at the same time all day?

    You sir are not thinking far ahead.

Comments are closed.