In-Session CAPTCHA Brute-forcing
Variants:
Direct
Vector Type:
Attack
Relevance:
Generic
Layer:
Application-Level
Platforms:
Any
Target Type:
Application
Affected Mechanisms:
Session Management, Anti-Automation, Secure Design
Invented In:
28/02/2012
Added In:
19/12/2014
Vector Operation Method:
Bypass an improper implementation of a CAPTCHA in which the client-side can ignore instructions or redirects to a new CAPTCHA generation service after failing to answer a CAPTCHA, and thus can brute force a single CAPTCHA value instead of having only one-shot at guessing a random CAPTCHA.
