Hacktricks-skills captcha-bypass
Techniques for bypassing captchas during authorized security testing and penetration testing. Use this skill whenever you're testing web applications and encounter captcha challenges that need to be automated or bypassed for testing purposes. This includes penetration testing, security assessments, and authorized vulnerability scanning. Don't use this for unauthorized access or malicious purposes.
git clone https://github.com/abelrguezr/hacktricks-skills
skills/pentesting-web/captcha-bypass/SKILL.MD
Captcha Bypass Techniques
This skill provides techniques for bypassing captchas during authorized security testing. The goal is to streamline testing workflows, not to undermine security controls in production without authorization.
When to Use This Skill
Use this skill when:
- You're conducting authorized penetration testing on web applications
- You need to automate security testing workflows that encounter captchas
- You're building security testing tools that need to handle captcha challenges
- You're assessing captcha implementation strength in a controlled environment
Core Techniques
1. Parameter Manipulation
Try modifying how the captcha parameter is sent:
Omit the captcha parameter entirely:
```bash
# Remove captcha field from request
curl -X POST https://target.com/login \
  -d "username=test&password=secret"
```
Change HTTP method:
```bash
# Try GET instead of POST
curl -X GET "https://target.com/login?username=test&password=secret"
```
Switch data format:
```bash
# Try JSON instead of form data
curl -X POST https://target.com/login \
  -H "Content-Type: application/json" \
  -d '{"username":"test","password":"secret"}'
```
Send empty captcha value:
```bash
curl -X POST https://target.com/login \
  -d "username=test&password=secret&captcha="
```
2. Value Extraction and Reuse
Search page source for captcha values:
```bash
curl -s https://target.com/login | grep -i captcha
curl -s https://target.com/login | grep -oE '[a-zA-Z0-9]{8,}'
```
Check cookies for stored values:
```bash
curl -s -c cookies.txt -L https://target.com/login
cat cookies.txt | grep -i captcha
```
Reuse previous successful values:
```bash
# Store and reuse captcha tokens
export CAPTCHA_TOKEN="abc123xyz"
curl -X POST https://target.com/login \
  -d "username=test&password=secret&captcha=$CAPTCHA_TOKEN"
```
Test session reuse:
```bash
# Use same session across requests
curl -c session.txt -b session.txt https://target.com/login
```
3. Mathematical Captcha Automation
For simple math captchas, automate the calculation:
```bash
# Extract and solve math captcha
# '-' is placed first in the bracket expression so it is a literal, not a range
CAPTCHA_EXPR=$(curl -s https://target.com/captcha | grep -oE '[0-9]+\s*[-+*/]\s*[0-9]+' | head -n 1)
CAPTCHA_ANSWER=$(echo "$CAPTCHA_EXPR" | bc)
curl -X POST https://target.com/login \
  -d "username=test&password=secret&captcha=$CAPTCHA_ANSWER"
```
4. Image Recognition
Count unique captcha images:
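```bash
# Download and hash images to find patterns
for i in {1..100}; do
  curl -s https://target.com/captcha.png -o "captcha_$i.png"
  # Print only the digest; the file name would make every line unique
  md5sum "captcha_$i.png" | cut -d' ' -f1
done | sort | uniq -c | sort -rn
```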
Use OCR for text extraction:
```bash
# Install tesseract first: apt install tesseract-ocr
curl -s https://target.com/captcha.png -o captcha.png
tesseract captcha.png stdout --psm 6
```
5. Rate Limit Testing
Check if rate limits can be bypassed:
```bash
# Test submission limits
for i in {1..10}; do
  curl -s -o /dev/null -w "%{http_code} " https://target.com/login \
    -d "username=test&password=secret&captcha=test"
  sleep 1
done
echo
```
6. Header and Session Manipulation
Rotate User-Agents:
```bash
USER_AGENTS=(
  "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/91.0"
  "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Safari/605.1"
  "Mozilla/5.0 (X11; Linux x86_64) Firefox/89.0"
)
for ua in "${USER_AGENTS[@]}"; do
  curl -A "$ua" https://target.com/login
done
```
Session rotation:
```bash
# Generate new session for each request
curl -c /tmp/session_$$.txt -b /tmp/session_$$.txt https://target.com/login
rm /tmp/session_$$.txt
```
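For the remediation side of a finding from sections 1, 2, 5 and 6, this is an added sketch (not part of the original skill or of any real framework) of a server-side check that none of those request variations gets past. The class name `CaptchaGate`, the field names `captcha_id` and `captcha`, and the TTL and failure limits are assumptions chosen for illustration.

```python
import hmac
import secrets
import time

CHALLENGE_TTL = 120   # seconds a challenge stays valid (assumed value)
MAX_FAILURES = 5      # failures per account before lockout (assumed value)


class CaptchaGate:
    """Keeps captcha answers server-side; the client only ever sees an id."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._challenges = {}   # challenge_id -> (answer, expiry)
        self._failures = {}     # account -> consecutive failed attempts

    def issue(self, answer):
        """Store the expected answer under a random id and return the id."""
        challenge_id = secrets.token_urlsafe(16)
        self._challenges[challenge_id] = (answer, self._clock() + CHALLENGE_TTL)
        return challenge_id

    def verify(self, account, params):
        """params: parsed request fields, whatever the method or body format."""
        if self._failures.get(account, 0) >= MAX_FAILURES:
            return "locked"
        cid = params.get("captcha_id")
        # pop() makes every challenge single-use, whether it passes or fails.
        stored = self._challenges.pop(cid, None) if isinstance(cid, str) else None
        submitted = params.get("captcha")
        ok = (
            stored is not None                 # unknown or already-used id
            and isinstance(submitted, str)     # omitted field or wrong JSON type
            and submitted != ""                # empty value
            and self._clock() <= stored[1]     # expired challenge
            and hmac.compare_digest(submitted.encode(), stored[0].encode())
        )
        if ok:
            self._failures.pop(account, None)
            return "ok"
        # Counted per account, so a new session or User-Agent does not reset it.
        self._failures[account] = self._failures.get(account, 0) + 1
        return "rejected"
```

Calling `verify` from every handler that accepts the form (GET, POST, form-encoded or JSON) is what closes the method and format variations; the check itself never treats a missing field as "no captcha required".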
7. Third-Party Services
For complex captchas (reCAPTCHA, Cloudflare, etc.), consider:
- CapSolver: AI-powered captcha solving API
- 2Captcha: Human-powered solving service
- Anti-Captcha: Another solving service option
Example API integration:
```bash
# CapSolver example (requires API key)
curl -X POST https://api.capsolver.com \
  -H "Content-Type: application/json" \
  -d '{
    "clientKey": "YOUR_API_KEY",
    "task": {
      "type": "ReCaptchaV2Task",
      "websiteURL": "https://target.com",
      "websiteKey": "6LeIxAcTAAAAAJcZVRqyHh71UMIEGNQ_MXjiZKhI"
    }
  }'
```
Testing Workflow
- Document authorization - Ensure you have written permission
- Start with parameter manipulation - Easiest to implement
- Progress to automation - Math, OCR, or services
- Test rate limits - Understand constraints
- Document findings - Report bypass methods found
Output Format
When documenting captcha bypass findings, use this structure:
```markdown
## Captcha Bypass Assessment

### Target
- URL: [target URL]
- Captcha Type: [reCAPTCHA v2/v3, image, math, etc.]

### Techniques Tested
- [x] Parameter omission
- [x] Empty value submission
- [x] Session reuse
- [ ] OCR automation
- [ ] Third-party services

### Results
- Bypassable: [Yes/No/Partial]
- Method: [description of successful technique]
- Risk Level: [Low/Medium/High]

### Recommendations
- [specific remediation steps]
```
Important Notes
- Authorization Required: Only use these techniques on systems you own or have explicit permission to test
- Rate Limiting: Be respectful of target systems to avoid causing denial of service
- Documentation: Always document your testing scope and findings
- Legal Compliance: Ensure compliance with applicable laws and regulations
Common Captcha Types
| Type | Difficulty | Recommended Approach |
|---|---|---|
| Math | Low | Automate calculation |
| Text Image | Medium | OCR or hash analysis |
| reCAPTCHA v2 | High | Third-party service |
| reCAPTCHA v3 | High | Third-party service |
| Cloudflare | Very High | Specialized tools |
| hCaptcha | High | Third-party service |