Testing for Captcha (OWASP-AT-012)
This article is part of the new OWASP Testing Guide v4.
Back to the OWASP Testing Guide v4 ToC: https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents Back to the OWASP Testing Guide Project: https://www.owasp.org/index.php/OWASP_Testing_Project
WARNING: Captcha protection is considered to be an ineffective security mechanism!
Most current used Captcha images can be cracked easily in a fully automated way using many commercial or opensource services. These services are really cheap and provide a simple API for most programming languages.
It is not recommended to use Captcha protection for security-critical applications, in this case it is more suitable to use SMS text messages or OTP tokens instead. Therefore Captcha protection can be used against simple attacks only.
CAPTCHA ("Completely Automated Public Turing test to tell Computers and Humans Apart") is a type of challenge-response test used by many web applications to ensure that the response is not generated by a computer.
Description of the Issue
...here: Short Description of the Issue: Topic and Explanation
Black Box testing and example
Testing for Topic X vulnerabilities: