While we did our CAPTCHA TEST DRIVE we realized that the JavaScript captchas we used for testing (such as QapTcha and AJAX FANCY CAPTCHA) can be bypassed by sending a couple of simple POST requests.
Why are these captchas so vulnerable? The reason is that every good captcha makes the human mind (its ability to recognize images, for example) an integral part of the client-server communication. Look, for example, at an ordinary character captcha like Securimage. Unless a human recognizes the image, the browser has nothing to send to the server. To achieve this, the puzzle is constructed on the server side, and the server alone knows the answer (together, of course, with those who can solve the puzzle, i.e. humans). With so-called JavaScript captchas, however, the puzzle is often constructed on the client side, so any web scraper can construct the answer from the same source data the browser receives.
Now, let’s look at how easily these captchas can be bypassed. Both captchas use AJAX to send the solution, so human activity can be simulated with a couple of simple web requests.
QapTcha
This captcha presents a nice iPhone-like slide-to-unlock widget. But it can be bypassed with two simple POST requests:
- action=qaptcha&qaptcha_key=qaptcha_crack
- qaptcha_crack=&<other form fields>
AJAX FANCY CAPTCHA
Though this captcha is also very nice and fancy, it can still be bypassed with another two simple requests:
- Request /fancy-captcha/captcha.php and it returns the secret number
- Send this secret number in a POST parameter named “captcha” on the form submission
Conclusion
Even if some CAPTCHA mechanisms look impregnable from the outside, they can still be easily bypassed if the puzzle to be solved is constructed on the client side by means of JavaScript (and especially if the secret is transferred via AJAX). So be on the alert! 🙂
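To make the design principle concrete, here is an added example (not code from QapTcha, AJAX FANCY CAPTCHA or this post) of the server side done the other way round: the answer is generated and kept only on the server, bound to the visitor's session, single-use and time-limited, and the response to the client carries nothing from which the answer can be derived. The `CaptchaStore` class, its session ids and the `peek_answer` test helper are all assumptions for the sake of the example.

```python
import hmac
import secrets
import time

# Constructed example: a server-side CAPTCHA record. The client only ever
# receives an opaque challenge id (standing in for the rendered image);
# the plain-text answer never leaves the server.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"   # no ambiguous 0/O, 1/I


class CaptchaStore:
    def __init__(self, ttl_seconds=300, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock            # injectable so expiry can be tested
        self._pending = {}            # session_id -> (answer, issued_at)

    def issue(self, session_id):
        """Create a challenge for this session; return only what the client may see."""
        answer = "".join(secrets.choice(ALPHABET) for _ in range(6))
        self._pending[session_id] = (answer, self.clock())
        # A real deployment renders `answer` into a distorted image here.
        return {"challenge_id": secrets.token_hex(8)}

    def verify(self, session_id, submitted):
        """Check one submission; the record is consumed whether or not it matches."""
        record = self._pending.pop(session_id, None)   # single use: no replay
        if record is None or not submitted or not submitted.strip():
            return False                               # no challenge, or blank answer
        answer, issued_at = record
        if self.clock() - issued_at > self.ttl:
            return False                               # stale challenge
        # Constant-time comparison; case-insensitive for the human's convenience.
        return hmac.compare_digest(answer.encode(), submitted.strip().upper().encode())

    def peek_answer(self, session_id):
        """Test helper only: what a human would read off the rendered image."""
        return self._pending[session_id][0]
```

Note that the empty-answer case (the `qaptcha_crack=&` pattern above) and a replayed answer are both rejected, and the JSON-like response from `issue` contains nothing a scraper could post back.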