General Information

In-Session CAPTCHA Brute-forcing

Variants:
Direct 

Vector Type:
Attack

Relevance:
Generic

Layer:
Application-Level

Platforms:
Any

Target Type:
Application

Affected Mechanisms:
Session Management, Anti-Automation, Secure Design

Invented In:
28/02/2012

Added In:
19/12/2014


Vector Operation Method:
Bypass an improperly implemented CAPTCHA in which the client can ignore the instruction or redirect to a new CAPTCHA generation service after failing to answer a CAPTCHA, and can therefore brute-force a single CAPTCHA value within the same session instead of getting only one shot at guessing a randomly generated CAPTCHA.
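As an added illustration that is not part of the original entry, the following Python sketch contrasts a verifier that leaves the unanswered CAPTCHA in the server-side session after a wrong guess (the flaw this vector exploits) with a one-shot verifier that consumes the CAPTCHA on every attempt. The in-memory session dict, the function names and the short 3-character alphabet are assumptions made for the demonstration.

```python
import itertools
import secrets
import string

# Constructed demo alphabet; a real CAPTCHA would use a larger answer space.
ALPHABET = string.ascii_uppercase + string.digits


def issue_captcha(session, length=3):
    """Generate a fresh CAPTCHA answer and bind it to the server-side session."""
    session["captcha"] = "".join(secrets.choice(ALPHABET) for _ in range(length))
    return session["captcha"]  # returned only so a caller could render the image


def verify_vulnerable(session, answer):
    """Flawed check: a wrong answer leaves the same CAPTCHA in the session.
    A client that ignores the redirect to a new CAPTCHA can keep guessing."""
    expected = session.get("captcha")
    if expected is None:
        return False
    if secrets.compare_digest(expected, answer.upper()):
        del session["captcha"]
        return True
    return False  # bug: the unanswered CAPTCHA stays valid for the next guess


def verify_hardened(session, answer):
    """One-shot check: the CAPTCHA is consumed on the first attempt, right or
    wrong, so every further guess requires a newly generated CAPTCHA."""
    expected = session.pop("captcha", None)  # consumed regardless of outcome
    if expected is None:
        return False
    return secrets.compare_digest(expected, answer.upper())


def guesses_until_solved(verify, session, length=3):
    """Simulate a client that re-submits guesses in the same session without
    requesting a new CAPTCHA. Returns the attempt count on success, else None."""
    for attempt, chars in enumerate(itertools.product(ALPHABET, repeat=length), 1):
        if verify(session, "".join(chars)):
            return attempt
    return None


if __name__ == "__main__":
    for name, verify in (("vulnerable", verify_vulnerable), ("hardened", verify_hardened)):
        session = {}
        issue_captcha(session)
        print(name, "solved after", guesses_until_solved(verify, session), "guesses")
```

With the flawed verifier the enumeration always succeeds; with the one-shot verifier the first wrong guess invalidates the CAPTCHA and every later guess fails.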


Direct Variant:

In-Session CAPTCHA Brute-forcing

Variant Title:
In-Session CAPTCHA Brute-forcing

Typical Severity:
Medium

Learn More: