This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit

Testing for Captcha (OWASP-AT-012)

Revision as of 23:58, 17 November 2013 by Wilder (talk | contribs) (WARNING: CAPTCHA is considered to be an ineffective security mechanism - see below!)

Jump to: navigation, search
This article is part of the new OWASP Testing Guide v4.
Back to the OWASP Testing Guide v4 ToC: Back to the OWASP Testing Guide Project:

WARNING: Captcha protection is considered to be an ineffective security mechanism!

Most current used Captcha images can be cracked easily in a fully automated way using many commercial or opensource services. These services are really cheap and provide a simple API for most programming languages.
It is not recommended to use Captcha protection for security-critical applications, in this case it is more suitable to use SMS text messages or OTP tokens instead. Therefore Captcha protection can be used against simple attacks only.

Brief Summary

CAPTCHA ("Completely Automated Public Turing test to tell Computers and Humans Apart") is a type of challenge-response test used by many web applications to ensure that the response is not generated by a computer.

Description of the Issue Short Description of the Issue: Topic and Explanation

Black Box testing and example

Testing for Topic X vulnerabilities:
Result Expected: