Captcha bypass for the most important Function (got 2 Digit Bounty for this)
Description:
The XYZ Brand Site includes a feature that allows business users to request the use of XYZ Assets.
To make a new request, go to https://xyz.com/requests/new. On the last page, there is a CAPTCHA implementation to ensure that only legitimate users request this.
However, there is a way to get around this CAPTCHA implementation.
Let’s Try to understand how I am able to find Vulnerabilities & able to bypass the captcha…….
1. Make a new request by entering the correct captcha value.
2. Use a proxy tool to intercept the request.
3. The request will look something like this:
POST /wp-json/brc/v1/approval-requests HTTP/1.1
Host: en.xyz.com User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br X-WP-Nonce: 6e74d4f6be Content-Type: application/x-www-form-urlencoded Referer: https://en.xyz.com/requests/new/3 Content-Length: 692 Cookie: <the cookies here> Connection: keep-alive
campaign-name=fdsfs&description=sdfsfsfsdfs&client=fasdfsdf&from-date=2017%2F01%2F31&to-date=2017%2F02%2F15&audience-reach=1%20-%2010%2C000&media-value=%2425%2C000%20-%20%24100%2C000&assets=11532%2C11534%2C11536&sizes=34&files=1486898411715-myjs.html&g-recaptcha-response=03AHJ_VuvtbNaOXuvMLpGNZ1r1sE8LRcGksdd_reTh3zIyz6vXE58GA_DMZfjMMLlm0gyc7qr4t5wV9YOE-CRw94WhnJn9DlIJmm2Ine1dRpiQt1x5D2-8DPgOHYxqzgYjp1bRHw2JdDDZlbfDklE0ikQlfnX6yvmX0XvQRAvUwVdoH_UZtVIrq9JolD_IfTRD9_nF2IQ7ibDU1B9dojCVuB9HQGQLmnSgQsHAP2NWg_PWJ6RsrgVEgbcke2qyNYpGTRVuU3WjyGDc53v7YwvGe2WhLU_jHFGDl-TSGD2rIZEJOJ4e6XozIKL0DGSilxXxAxG0saERnEEoKGO-05Fs9maB47ZxhhdoNnzMLNrRt8bK6rRYDO9UnxJ_2M-i9J0M34x9KI44cjm9E0aTM00VYuniBaKFkezqHg
4. Change the method from POST to PUT and submit the request again.
5. Modified request will be as follows:
6. Repeat the request any number of times and observe that every time instead of checking for a new captcha value, the old value or ANY VALUE from the captcha is accepted.
Key Observation:
when you check recaptcha response value by sending a request regularly it changes every time but in our case, if we change the method from post → put and then input method if we change Recaptcha response = 1 Still it gives us a Success message as Above Screenshot.
Impact: The security function of the captcha has served no use at all. An evil user can make an endless number of requests. Additionally, the email is continuously forwarded to that user. This will put extra work on the people who review these requests. Additionally, if a malicious user forges an email, the real owner of that account will get a barrage of emails from the XYZ website.
Note: I did not send this request to the intruder, otherwise the admin’s dashboard would be flooded. But I am sure there is absolutely no rate limitation cause the captcha is broken.
Solution: There is a logical flaw in captcha implementation. Make sure that every request is checked for the correct captcha and is then processed.
Subscribe to the Shuttlertech YouTube channel for more of this type of content and to watch live POCs. To encourage me to write more, follow me on medium and click the clap icon.
Read the section below if you’re curious about why it can be bypassed(I asked the developer about this); else, the bypassing method is over.
Developer Response:
This particular problem was caused by the code in charge of checking the ReCaptcha response incorrectly handling the API request to Google. It sent an API request to Google to validate the ReCaptcha value, but it looked for error code responses (non-200) as a sign of failure — every 200 response was considered a success and valid ReCaptcha. That is incorrect because Google always returns a 200 as a response, even when the code is invalid. To determine if the code was valid, examine the response body rather than the status code.
Thank you for Reading