Captcha Reuse Vulnerabilities: Real-World Exploits and Bypass Techniques
The article presents four practical case studies of captcha weaknesses: two in which a reusable verifyId or captcha link lets an attacker bypass image verification, one in which a captured UUID allows the same bypass, and a fourth exposing a resource-consumption flaw via manipulable height and width parameters.
Introduction
During a penetration test of a government system on which credential sharing and passive scanning were not permitted, the author focused on graphical captchas, a common defense against brute-force attacks. Examining how the captcha identifiers are handled revealed several reuse vulnerabilities.
Case 1: VerifyId Reuse
The login page includes a verifyId field tied to the captcha image. Removing this field causes a server error, indicating its importance. The tester captured a login request, submitted an incorrect captcha to confirm the captcha error message, then submitted the correct captcha together with a wrong username and password. The server accepted the captcha, showing that validation passed as long as the verifyId matched the previously generated image. Replaying the same request more than ten times without ever receiving a captcha error confirmed that the captcha could be reused.
Case 2: Link‑Generated Captcha Without VerifyId Binding
In this scenario the captcha image can be opened via a right‑click "new link" action, which creates a fresh URL without a verifyId. The original login form rejects the displayed captcha, forcing the tester to use the captcha from the newly generated link. Capturing the request showed that the same captcha could be reused repeatedly; deleting the link invalidated the first captcha but a second generated link worked equally well. Using the second link’s captcha also achieved reuse.
Case 3: UUID‑Bound Captcha Reuse
This vulnerability differs by binding the captcha to a uuid parameter. The right‑click generated link omits the uuid, but the tester captured the UUID from a legitimate login request. By appending the captured UUID to the captcha API URL, the captcha could be validated successfully. Replaying the modified request ten times confirmed that the captcha was reusable without needing a new UUID each time.
Case 4: Resource‑Consumption via Height/Width Parameters
The final case is not a captcha reuse issue but a denial-of-service style flaw. The login endpoint accepts height and width query parameters for the captcha image. Setting these parameters to very large values makes the server return an oversized image, inflating the response size. Monitoring the response byte count shows that the server can be forced to transmit excessively large payloads, so a small request yields a large response and the endpoint can be used for amplification.
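The fixes implied by cases 1 to 3 (a captcha identifier that is consumed on its first verification attempt) and case 4 (a hard cap on the requested image size) are shown below as an added example; this is illustrative code written for this page, not the tested system's code, and the verifyId naming, the 300-pixel cap and the in-memory store are assumptions.

```python
import secrets
import string
import time

MAX_DIMENSION = 300  # hypothetical cap on the width/height query parameters (case 4)


class CaptchaStore:
    """In-memory challenges keyed by a verifyId-style token (name assumed from the page)."""

    def __init__(self, ttl_seconds=120, single_use=True):
        self.ttl = ttl_seconds
        self.single_use = single_use          # False reproduces the reusable behaviour
        self._challenges = {}                 # verify_id -> (answer, expires_at)

    def issue(self, width=120, height=40):
        # Reject oversized images before any rendering work happens.
        if not (1 <= width <= MAX_DIMENSION and 1 <= height <= MAX_DIMENSION):
            raise ValueError("captcha dimensions out of range")
        verify_id = secrets.token_urlsafe(16)  # unguessable, unlike a predictable id
        answer = "".join(secrets.choice(string.ascii_uppercase + string.digits) for _ in range(4))
        self._challenges[verify_id] = (answer, time.monotonic() + self.ttl)
        return verify_id, answer               # the answer goes to the image renderer only

    def verify(self, verify_id, submitted):
        entry = self._challenges.get(verify_id)
        if entry is None:
            return False
        if self.single_use:
            # Remove on the first attempt, right or wrong, so neither replaying a
            # solved captcha nor guessing the answer against one id is possible.
            del self._challenges[verify_id]
        answer, expires_at = entry
        if time.monotonic() > expires_at:
            self._challenges.pop(verify_id, None)
            return False
        return secrets.compare_digest(answer, submitted.strip().upper())


def count_replays(store, attempts=10):
    """Issue one captcha and count how many replays of the correct answer pass."""
    verify_id, answer = store.issue()
    return sum(store.verify(verify_id, answer) for _ in range(attempts))


if __name__ == "__main__":
    print("reusable store:", count_replays(CaptchaStore(single_use=False)))  # 10
    print("single-use store:", count_replays(CaptchaStore()))                # 1
```

The replay loop mirrors the tester's ten-request check: the reusable store accepts all ten, the single-use store accepts only the first.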
Black & White Path