OWASP Automated Threat (OAT-009) CAPTCHA Defeat

CAPTCHA Defeat – solve anti-automation tests.

What is CAPTCHA Defeat?

Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA) challenges are used to distinguish normal users from bots. Automation is used in an attempt to analyze and determine the answer to visual and/or aural CAPTCHA tests and related puzzles. Apart from conventional visual and aural CAPTCHA, puzzle-solving mini-games or arithmetical exercises are sometimes used. Some of these may include context-specific challenges.

The process that determines the answer may use tools that perform optical character recognition or matching against a prepared database of pre-generated images, other machine-reading techniques, or human solving farms.

CAPTCHA Defeat is also known by terms such as breaking CAPTCHA, CAPTCHA breaker, CAPTCHA breaking, CAPTCHA bypass, CAPTCHA decoding, CAPTCHA solver, CAPTCHA solving, puzzle solving.

The Symptoms of CAPTCHA Defeat

OWASP, the worldwide not-for-profit charitable organization focused on improving the security of software, notes that there are several possible symptoms of CAPTCHA Defeat. These include:

  1. High CAPTCHA solving success rate on fraudulent accounts

  2. Suspiciously fast or fixed CAPTCHA solving times

Sectors Targeted by CAPTCHA Defeat

Major sectors targeted by CAPTCHA defeat include education, entertainment, financial, government, retail and social networking.

OWASP says CAPTCHA Defeat consists of solving anti-automation tests, and that it is performed by fraudsters using advanced bots.

Ways to Prevent CAPTCHA Defeat Security Threat

OWASP suggests several possible countermeasures to address the threat of CAPTCHA Defeat. These include:

  1. Organizations can consider monitoring and limiting the rate of card authorization attempts per session, user, IP address, device and fingerprint. In this way, automation attempts and malicious users are blocked as soon as they reach a set number of failed attempts while testing different card numbers.

  2. Identify and restrict automated usage by reputation methods. In particular, businesses can use geolocation and/or IP address block lists to prevent access to payment parts of the application.

  3. Consider monitoring and logging CAPTCHA generation, solution speed and usage; monitor the rate of use relative to typical usage; and consider more advanced detection technologies.
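The monitoring described in the symptoms and countermeasures above (solve speed, fixed timings, success rate and rate of use relative to typical usage) can be turned into a simple detector. The following is an added example, not code from this page or from OWASP; it runs over constructed sample records and uses hypothetical thresholds that a real deployment would tune from its own traffic baselines.

```python
import statistics
from collections import defaultdict
from datetime import datetime
# Constructed sample records (not from the page): client, issued_at, solved_at, result
SAMPLE_LOG = """\
user-a 2024-05-01T10:00:00 2024-05-01T10:00:11 ok
user-a 2024-05-01T10:02:00 2024-05-01T10:02:26 fail
user-a 2024-05-01T10:03:00 2024-05-01T10:03:17 ok
bot-b  2024-05-01T10:00:00 2024-05-01T10:00:02 ok
bot-b  2024-05-01T10:00:10 2024-05-01T10:00:12 ok
bot-b  2024-05-01T10:00:20 2024-05-01T10:00:22 ok
farm-c 2024-05-01T10:00:00 2024-05-01T10:00:14 ok
farm-c 2024-05-01T10:00:20 2024-05-01T10:00:31 ok
farm-c 2024-05-01T10:00:40 2024-05-01T10:00:57 ok
"""
MIN_SAMPLES = 3            # solves needed before judging a client (hypothetical threshold)
FAST_SECONDS = 4.0         # median solve time below this is faster than a human reads the puzzle
FIXED_TOLERANCE = 0.5      # stdev below this means near-constant (scripted) timing
MAX_SOLVES_PER_MIN = 2.0   # above typical usage; tune from real traffic baselines
HIGH_SUCCESS = 0.9         # near-perfect success combined with a high rate

def parse_records(log_text):
    """Group records per client as (solve_seconds, succeeded, solved_at)."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        client, issued, solved, result = line.split()
        t_issued, t_solved = datetime.fromisoformat(issued), datetime.fromisoformat(solved)
        per_client[client].append(((t_solved - t_issued).total_seconds(), result == "ok", t_solved))
    return per_client

def flag_clients(per_client):
    """Return {client: [reasons]} for solving patterns matching the OAT-009 symptoms."""
    flagged = {}
    for client, solves in per_client.items():
        if len(solves) < MIN_SAMPLES:
            continue
        times = [secs for secs, _, _ in solves]
        ok_rate = sum(1 for _, ok, _ in solves if ok) / len(solves)
        window_min = max((solves[-1][2] - solves[0][2]).total_seconds(), 1) / 60  # active window
        reasons = []
        if statistics.median(times) < FAST_SECONDS:
            reasons.append("fast")          # suspiciously fast solving
        if statistics.pstdev(times) < FIXED_TOLERANCE:
            reasons.append("fixed-timing")  # near-constant solve time
        if len(solves) / window_min > MAX_SOLVES_PER_MIN and ok_rate >= HIGH_SUCCESS:
            reasons.append("high-rate")     # volume far above typical usage, almost all correct
        if reasons:
            flagged[client] = reasons
    return flagged
```

In the sample, the scripted solver trips all three rules, the human-farm pattern (human-like, varied solve times but an unusually high, almost all-correct rate) trips only the rate rule, and the ordinary user is not flagged.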

All of the above proactive measures fight back against malicious users without harming legitimate users. But some dedicated fraudsters will go to great lengths to strengthen their CAPTCHA defeat efforts.

Online businesses can also opt for a bot mitigation solution that prevents CAPTCHA Defeat and other OWASP automated threats in real time without affecting legitimate visitors. Bot mitigation is probably the most accurate solution for preventing OWASP Automated Threats and also ensures real-time protection against malicious bots.

With these security measures in place, your website will be able to defend in real time against online security threats such as CAPTCHA defeat and other OWASP automated threats.