OWASP Automated Threats - CAPTCHA Defeat (OAT-009)


In this OWASP Automated Threat article we highlight OAT-009 CAPTCHA Defeat with some basic threat information and a recorded demo that explores the concepts in more depth. The demo shows how CAPTCHA Defeat works with automation tools to let attackers accomplish their objectives even though CAPTCHA is intended to prevent unwanted automation. We wrap up by highlighting F5 Bot Defense to show how we solve this problem for our customers.

CAPTCHA Defeat Description:

Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA) challenges are used to distinguish normal users from bots. Automation is used in an attempt to analyse and determine the answer to visual and/or aural CAPTCHA tests and related puzzles. Apart from conventional visual and aural CAPTCHA, puzzle solving mini games or arithmetical exercises are sometimes used. Some of these may include context-specific challenges.

The process that determines the answer may use optical character recognition, matching against a prepared database of pre-generated images, other machine reading, or human farms.

OWASP Automated Threat (OAT) Identity Number: OAT-009

Threat Event Name: CAPTCHA Defeat

Summary Defining Characteristics: Solve anti-automation tests.

OAT-009 Attack Demographics:

Sectors Targeted: Education, Entertainment, Financial, Government, Retail, Social Networking
Parties Affected: Application Owners
Data Commonly Misused: Authentication Credentials
Other Names and Examples: Breaking CAPTCHA, CAPTCHA breaker, CAPTCHA breaking, CAPTCHA bypass, CAPTCHA decoding, CAPTCHA solver, CAPTCHA solving, Puzzle solving
Possible Symptoms: High CAPTCHA solving success rate on fraudulent accounts; Suspiciously fast or fixed CAPTCHA solving times
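
The Possible Symptoms listed above can be checked against CAPTCHA telemetry. The following is an added example, not code from this article or from any F5 product; it assumes you log, per client, the seconds between serving a challenge and receiving the answer plus whether the answer was correct. The thresholds, field layout, client names and per-client grouping are illustrative assumptions.

```python
from collections import defaultdict
from statistics import mean, median, pstdev

# Illustrative thresholds (assumptions; tune against your own human baseline).
FAST_MEDIAN_S = 2.0   # median solve time below this counts as "suspiciously fast"
FIXED_CV = 0.05       # stdev/mean below this counts as "fixed" solve time
HIGH_SUCCESS = 0.95   # success rate above this counts as unusually high
MIN_ATTEMPTS = 5      # skip clients with too few attempts to judge

# Constructed sample telemetry: (client_id, seconds to answer, solved correctly)
SAMPLE_EVENTS = [
    ("client-a", 9.4, True), ("client-a", 14.1, False), ("client-a", 7.8, True),
    ("client-a", 21.3, True), ("client-a", 11.0, False), ("client-a", 16.5, True),
    ("client-b", 0.9, True), ("client-b", 1.1, True), ("client-b", 0.8, True),
    ("client-b", 1.0, True), ("client-b", 1.2, True), ("client-b", 0.9, True),
    ("client-c", 30.0, True), ("client-c", 30.1, True), ("client-c", 29.9, True),
    ("client-c", 30.0, True), ("client-c", 30.2, True), ("client-c", 29.8, False),
    ("client-d", 0.5, True), ("client-d", 0.6, True),
]

def flag_clients(events):
    """Return {client_id: [reasons]} for clients matching the listed symptoms."""
    by_client = defaultdict(list)
    for client, seconds, solved in events:
        by_client[client].append((seconds, solved))

    flagged = {}
    for client, rows in by_client.items():
        if len(rows) < MIN_ATTEMPTS:
            continue  # not enough data for a stable estimate
        times = [s for s, _ in rows]
        success = sum(1 for _, ok in rows if ok) / len(rows)
        avg = mean(times)
        reasons = []
        if median(times) < FAST_MEDIAN_S:
            reasons.append("fast")
        if avg > 0 and pstdev(times) / avg < FIXED_CV:
            reasons.append("fixed")
        if success > HIGH_SUCCESS:
            reasons.append("high_success")
        if reasons:
            flagged[client] = reasons
    return flagged

if __name__ == "__main__":
    for client, reasons in flag_clients(SAMPLE_EVENTS).items():
        print(client, reasons)
```
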

CAPTCHA Defeat Demo:

In this demo we will be showing how it’s possible to leverage real human click farms via CAPTCHA solving services like 2CAPTCHA to bypass reCAPTCHA. We'll then have a look at the same attack with F5 Distributed Cloud Bot Defense protecting the application.


In Conclusion:

CAPTCHAs are only a speed bump for motivated attackers while introducing considerable friction for legitimate customers. Today, we’re at a point where bots solve CAPTCHAs more quickly and easily than most humans. Check out our additional resource links below to learn more.


F5 Related Content

Updated Apr 23, 2024
Version 3.0
