Dynamic token with captcha

Greetings fellows,

Most of the time an authentication token is required for testing some vulnerability on a ToE, and usually it can be supplied in plain-text or by a response of a request with the credentials.

And here is the problem:

  • an application changes the auth-token, making the plain-text method non-viable
  • the request for authentication needs a captcha verification

How do I get the token dynamically?

  • this problem can be spread widely as customers begin to implement captcha on their login systems, making the asserts not work well.

It depends on the captcha, however I’ll give some ideas below:

  • No captcha and no dynamic token:

Easy one, just stamp the token in the exploit (What you call plain-text method) (consider reporting this as at least one type of vulnerability)

  • No captcha and dynamic token:

Read response of a request with credentials (Your second method)

  • Captcha and the captcha is rate-based type (it usually does not interfere and is not visible unless you start requesting too often)

Develop the exploit normally but add a time.sleep between requests to be soft with the captcha system and not to hit the rate limit

  • Captcha and the captcha is always present but is click-me type:

Use Selenium to press the button, and add time.sleep to keep human challenges from appearing

  • Captcha and the captcha is letter-based:

Use an OCR (like https://pypi.org/project/pytesseract/) or a computer vision library

  • Captcha is letter-based but not parseable with an OCR but outcomes are finite

We’ll have to ask the customer for the finite possibilities of answer and use them in our exploit according to the digest of the captcha image

  • Captcha is too hard to automatize

In this case we’ll have to ask the customer to temporarily disable the captcha during the Asserts testing phase (dev environments), and add another exploit to test that the captcha is actually implemented in production environments

2 Likes
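
The last item in the answer above calls for a separate check that the captcha is actually enforced in production. A sketch of that check, added here as an example and not code from either poster: it classifies a login attempt that was sent without a captcha answer. The function names, the `token` JSON field and the sample page and replies are assumptions constructed for illustration.

```python
import json
from html.parser import HTMLParser

# Markers of two common widgets (reCAPTCHA, hCaptcha); extend for others.
WIDGET_CLASSES = {"g-recaptcha", "h-captcha"}
ANSWER_FIELDS = {"g-recaptcha-response", "h-captcha-response"}


class _CaptchaFinder(HTMLParser):
    """Collects captcha markers found in a login page."""

    def __init__(self):
        super().__init__()
        self.found = set()

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        classes = set((attrs.get("class") or "").split())
        self.found |= classes & WIDGET_CLASSES
        if attrs.get("name") in ANSWER_FIELDS:
            self.found.add(attrs["name"])


def captcha_markers(login_html):
    finder = _CaptchaFinder()
    finder.feed(login_html)
    return finder.found


def assess(login_html, status, body, token_field="token"):
    """Classify a login attempt that was sent WITHOUT a captcha answer.

    token_field is an assumed name for the JSON field carrying the auth token.
    """
    try:
        data = json.loads(body)
    except ValueError:
        data = {}
    issued = status == 200 and isinstance(data, dict) and bool(data.get(token_field))
    shown = bool(captcha_markers(login_html))
    if issued:
        # A token without a captcha answer means the server never checked it.
        return "client-side-only" if shown else "no-captcha"
    return "enforced" if shown else "rejected-no-widget"


# Constructed samples: a login page with a widget and two possible replies.
PAGE = ('<form action="/login"><input name="user">'
        '<div class="g-recaptcha" data-sitekey="PLACEHOLDER"></div></form>')
if __name__ == "__main__":
    print(assess(PAGE, 200, '{"token": "abc"}'))
    print(assess(PAGE, 403, '{"error": "captcha required"}'))
```

A result of `client-side-only` or `no-captcha` is the finding to report: the server issued a token although no captcha answer was submitted.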