
OAT-009 CAPTCHA Defeat

From OWASP
Revision as of 15:08, 16 February 2018 by Clerkendweller (Indicative Diagram)



This is an automated threat. To view all automated threats, please see the Automated Threat Category page. The OWASP Automated Threat Handbook - Web Applications (pdf, print), an output of the OWASP Automated Threats to Web Applications Project, provides a fuller guide to each threat, detection methods and countermeasures. The threat identification chart helps to correctly identify the automated threat.

Definition

OWASP Automated Threat (OAT) Identity Number

OAT-009

Threat Event Name

CAPTCHA Defeat

Summary Defining Characteristics

Solve anti-automation tests.

Indicative Diagram

[Figure: OAT-009 CAPTCHA Defeat indicative diagram]

Description

Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA) challenges are used to distinguish normal users from bots. Automation is used in an attempt to analyse and determine the answer to visual and/or aural CAPTCHA tests and related puzzles. Apart from conventional visual and aural CAPTCHA, puzzle solving mini games or arithmetical exercises are sometimes used. Some of these may include context-specific challenges.

The process that determines the answer may utilise optical character recognition tools, matching against a prepared database of pre-generated images, other machine reading, or human farms.

Other Names and Examples

Breaking CAPTCHA; CAPTCHA breaker; CAPTCHA breaking; CAPTCHA bypass; CAPTCHA decoding; CAPTCHA solver; CAPTCHA solving; Puzzle solving

See Also

Cross-References

CAPEC Category / Attack Pattern IDs

  • -

CWE Base / Class / Variant IDs

  • 804 Guessable CAPTCHA
  • 841 Improper Enforcement of Behavioral Workflow

WASC Threat IDs

  • 21 Insufficient Anti-Automation
  • 42 Abuse of Functionality

OWASP Attack Category / Attack IDs

  • -