How effective are CAPTCHA systems? – Digitalmunition

Home Forums How effective are CAPTCHA systems?

This topic contains 1 reply, has 2 voices, and was last updated by  brofistmedia 5 months, 2 weeks ago.

  • Author
  • #290498


    Are there bots that can decript them or are they more or less a full proof solution to brute force attacks?

  • #290499


    there are many different ones and they are not fool proof. I for example have a ML chrome extension that solves the gcaptcha v2 automatically for me… captcha are hard to get really right.

    gcaptcha v3 is finally usable without making your potential customers hate you 🙂

    As always it depends on your specific use case
    edit: extension name is buster captcha solver

    I’d say with some ML training you probably can defeat 90% of captchas out there. if not you can always farm captcha solving out.

  • #290500


    Tom Scott made a great video about it.


  • #290501


    Lots of a different captcha out there these days, so way too broad of a question.

    I know specifically the older poorly configured ones on say XXX site logins, that used /img.cptcha it could be as simple as adding the ‘success’ cookie response of a properly entered captcha. So before running your brute you would test the site in your browser with something like Fiddler, enter some bullshit login details, enter the correct captcha code, hit login.

    You would get back in the cookie, something like ‘pcar%ssdf4554=’ if you entered the captcha correct, or ‘pcah%’ if you didn’t (say intentionally to test, or just hit it wrong). Once you factored that into the additional details in your brute force config/setup, the captcha became irrelevant during the attack. Because the actual captcha of say 4n3IrO~ or whatever after each refresh of the page wasn’t even required anymore, the cookie response configured bypassed it. So poor captcha system.

    There was also something with XXX sites as well back, that were as simple as sending post data that was x==1 VS x==2 (as with those systems they also indicated simply a success or fail on whether or not the user entered the captcha correctly.

    Or even Sentry having an OCR wizard, you could load the sites specific captcha (older ones, not like Google Recap and such now) and configure it manually if a site had a funky one.

    Img quality kinda sucks, but like so. You could also build your own tesseract language if needed to include different characters/numbers/specials maybe not already in one of the include “languages” (see at the bottom in this screenshot where it shows cp5)


    The more modern tools like OpenBullet have captcha functionality built in if you have account with services such DeathByCaptcha, DeCaptcher, 2captcha.

    So in long, not even close to *fool*proof

  • #290502


    Mechanical Turk that shit

  • #290503


    They work well and are handled by a third-party (Google) so most vulnerablies with them will get fixed quickly (just make sure there aren’t any on your own server).

You must be logged in to reply to this topic.