This repository is a dockerized PHP application containing some captcha logical bypass challenges (scenarios).
OWASP References:
- Classification: Web Application Security Testing > 04-Authentication Testing
- WSTG: Testing for Weak Lock Out Mechanism(WSTG-ATHN-03)
- OTA: CAPTCHA Defeat(OAT-009)
The ideas behind challenges are:
- Bypass using empty captcha
- Bypass by removing captcha parameter
- Bypass using the logical bug in generation and expiration of captcha
- Bypass using PHP type juggling
- Bypass captchas that are shown after specific number of wrong tries
- Bypass captchas that are shown after specific number of wrong tries from a specific IP (Website is behind WAF)
Using docker hub (Quickest):
- To access the challenges, you need docker installed.
- Run this command to pull and run the image from docker hub:
sudo docker run -d -p 9002:80 moeinfatehi/captcha_logical_bypass_scenarios - Access the challenges with this URL: http://localhost:9002
Using docker-compose:
- To access the challenges, you need docker and docker-compose installed.
- Clone the repository
git clone https://github.com/moeinfatehi/captcha_logical_bypass_scenarios.git - Open the main directory of the project (where docker-compose.yml file exists) and run:
docker-compose up - Access the challenges with this URL: http://localhost:9002
This project is for educational purposes ONLY. The usual disclaimer applies, especially the fact that I'm not liable for any damages caused by the direct or indirect use of the information or functionality provided by these programs. The author or any Internet provider bears NO responsibility for content or misuse of these programs or any derivatives thereof. By using these projects you accept the fact that any damage (data loss, system crash, system compromise, etc.) caused by the use of this program is not my responsibility.
If you have any further questions, please don't hesitate to contact me via my twitter account.