Captcha Reuse Vulnerabilities: Real-World Exploits and Bypass Techniques

The article presents four practical case studies of captcha-related weaknesses—two showing how verifyId or UUID reuse lets attackers bypass image verification, one demonstrating a UUID‑bound bypass, and a fourth exposing a resource‑consumption flaw via manipulable height and width parameters.

Black & White Path

Introduction

During penetration testing of a government system that disallowed credential sharing and passive scanning, the author focused on graphical captchas as a common defense against brute‑force attacks. By examining how captcha identifiers are handled, several reuse vulnerabilities were discovered.

Case 1: VerifyId Reuse

The login page includes a verifyId field tied to the captcha image. Removing this field causes a server error, indicating its importance. The tester captured a login request, submitted an incorrect captcha to confirm the error message, then submitted the correct captcha while providing a wrong username/password. The server accepted the request, showing that the captcha validation was bypassed once the verifyId matched the previously generated image. Replaying the same request more than ten times without a captcha error confirmed successful captcha reuse.

Login page with verifyId

Case 2: Link‑Generated Captcha Without VerifyId Binding

In this scenario the captcha image can be opened via a right‑click "new link" action, which creates a fresh URL without a verifyId. The original login form rejects the displayed captcha, forcing the tester to use the captcha from the newly generated link. Capturing the request showed that the same captcha could be reused repeatedly; deleting the link invalidated the first captcha but a second generated link worked equally well. Using the second link’s captcha also achieved reuse.

New link captcha

Case 3: UUID‑Bound Captcha Reuse

This vulnerability differs by binding the captcha to a uuid parameter. The right‑click generated link omits the uuid, but the tester captured the UUID from a legitimate login request. By appending the captured UUID to the captcha API URL, the captcha could be validated successfully. Replaying the modified request ten times confirmed that the captcha was reusable without needing a new UUID each time.

UUID capture

Case 4: Resource‑Consumption via Height/Width Parameters

The final case is not a captcha reuse issue but a denial‑of‑service style flaw. The login endpoint accepts height and width query parameters for the captcha image. By setting these parameters to very large values, the server returns an oversized image, inflating response size. Monitoring the response byte count shows that the server can be forced to transmit excessively large payloads, enabling a low‑bandwidth amplification attack.

Height/width manipulation
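
A server-side sketch of the controls that close the reuse in Cases 1 to 3 and the size abuse in Case 4, added here as an illustration and not taken from the original article or the tested system. `CaptchaStore`, the size limits, the lifetime and the session ids are all assumptions made for the example.

```python
import hmac
import secrets
import time

MAX_W, MAX_H = 300, 120   # assumed upper bounds for the rendered image
TTL_SECONDS = 120         # assumed challenge lifetime
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"

class CaptchaStore:
    """In-memory challenge store keyed by verifyId (hypothetical helper)."""

    def __init__(self, now=time.monotonic):
        self._challenges = {}   # verify_id -> (answer, session_id, expires_at)
        self._now = now

    def issue(self, session_id, width=120, height=40):
        # Case 4: clamp client-supplied dimensions instead of rendering any size.
        width = max(60, min(int(width), MAX_W))
        height = max(20, min(int(height), MAX_H))
        verify_id = secrets.token_urlsafe(16)
        answer = "".join(secrets.choice(ALPHABET) for _ in range(5))
        self._challenges[verify_id] = (answer, session_id, self._now() + TTL_SECONDS)
        return verify_id, answer, (width, height)   # answer goes to the renderer only

    def verify(self, session_id, verify_id, submitted):
        # Cases 1-3: pop() consumes the challenge on the first attempt, right or
        # wrong, so a replayed verifyId/uuid has nothing left to match against.
        entry = self._challenges.pop(verify_id, None)
        if entry is None:
            return False
        answer, owner, expires_at = entry
        if owner != session_id or self._now() > expires_at:
            return False
        return hmac.compare_digest(answer.encode(), str(submitted).upper().encode())

def demo():
    # Constructed inputs: oversized dimensions, a replay, and a cross-session id.
    store = CaptchaStore()
    vid, answer, size = store.issue("sess-A", width=100000, height=100000)
    first = store.verify("sess-A", vid, answer)     # fresh id, correct answer
    replay = store.verify("sess-A", vid, answer)    # same id replayed
    vid2, answer2, _ = store.issue("sess-A")
    other = store.verify("sess-B", vid2, answer2)   # id presented by another session
    return size, first, replay, other
```

Because the challenge is consumed before the credentials are checked, every failed login forces a new captcha, which is the property the replay tests in Cases 1 to 3 showed was missing.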