This vulnerability occurs when a CAPTCHA challenge is too easy for automated bots to solve, either by guessing or using pattern recognition, allowing them to bypass the human verification step.
A guessable CAPTCHA defeats its core purpose by letting automated scripts mimic human users. Attackers can exploit this weakness to perform actions at an inhuman scale, such as mass account creation, comment spam, or credential stuffing attacks, overwhelming your system's defenses. Common design flaws that make CAPTCHAs vulnerable include using simple, undistorted images or audio; asking predictable questions with limited answers (like math problems or birth years); using trivia with answers available in public databases; or embedding hints in metadata, such as including the solution in an image's filename.
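As an added example (not part of the original text), the following Python script scores a CAPTCHA design against the flaws listed above: it enumerates the answer space, computes how often a bot that always submits the most common answers solves a challenge within an attempt limit, and checks whether the solution leaks through metadata such as the image filename. The two challenge generators and the metadata dictionary are constructed assumptions for illustration.

```python
"""Estimate how guessable a CAPTCHA's answer space is, and check for leaked hints."""
from collections import Counter
from itertools import product
import math


def answer_distribution(challenge_space, solve):
    """Map each possible answer to its probability, given every challenge the
    generator can emit (assumed equally likely) and the function that solves it."""
    counts = Counter(solve(c) for c in challenge_space)
    total = sum(counts.values())
    return {answer: n / total for answer, n in counts.items()}


def best_guess_success(dist, attempts):
    """Chance that a bot which always submits the most common answers solves one
    challenge within `attempts` distinct tries (i.e. before a lockout kicks in)."""
    probs = sorted(dist.values(), reverse=True)
    return sum(probs[:attempts])


def min_entropy_bits(dist):
    """Min-entropy of the answer space: the bits the single best guess has to beat."""
    return -math.log2(max(dist.values()))


def solution_leaks_in_metadata(solution, metadata):
    """Return the metadata fields (filename, alt text, URL...) that contain the answer."""
    needle = str(solution).lower()
    return [field for field, value in metadata.items() if needle in str(value).lower()]


# Two of the weak designs named in the text: single-digit addition (constructed:
# operands 1..9) and "what year were you born?" (constructed: 1900..2019).
DIGIT_SUM_DIST = answer_distribution(product(range(1, 10), repeat=2), sum)
BIRTH_YEAR_DIST = answer_distribution(range(1900, 2020), lambda year: year)

# Constructed sample: an image CAPTCHA whose filename carries the solution "h7k2q".
LEAKY_METADATA = {"filename": "captcha_h7k2q.png", "alt": "Type the characters you see"}

if __name__ == "__main__":
    for name, dist in (("digit sum", DIGIT_SUM_DIST), ("birth year", BIRTH_YEAR_DIST)):
        print(f"{name}: {len(dist)} answers, {min_entropy_bits(dist):.1f} bits, "
              f"P(solve in 3 guesses) = {best_guess_success(dist, 3):.3f}")
    print("solution leaked in:", solution_leaks_in_metadata("h7k2q", LEAKY_METADATA))
```

For the addition challenge the bot wins one in nine tries by always answering 10, and roughly 31% of the time with three guesses; the birth-year challenge is uniform but offers under 7 bits, so a few hundred retries suffice.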
Impact: Bypass Protection Mechanism; Other
When authorization, authentication, or another protection mechanism relies on CAPTCHA entities to ensure that only human actors can access certain functionality, then an automated attacker such as a bot may access the restricted functionality by guessing the CAPTCHA.