Bypass captcha based protection by adding headers
Attackers can circumvent captcha protection by adding headers like x-forwarded-for, compromising the system's security.
Lack of Resources & Rate Limiting (RL)
Business Logic
How this template works
APIs Selection
The template uses API selection filters to specify the criteria for selecting the API requests to be executed. It filters requests based on the response code being between 200 and 300, or if the request payload or query parameter contains the word "captcha" and extracts the value of the "captcha_key" parameter.
Execute request
The template defines a single request to be executed. It includes deleting the "captcha_key" from both the request body and query parameters, and adding a header "x-forwarded-for" with the value "127.0.0.1". This is done to bypass captcha protection by manipulating headers.
Validation
After executing the request, the template validates the response. It checks that the response code is between 200 and 300, the percentage match of the response payload is greater than 80%, and the length of the response is greater than 0. These validation criteria ensure that the request was successful and the response contains the expected data.
Frequently asked questions
What is the purpose of the "Bypass captcha based protection by adding headers" test
How can attackers manipulate headers to bypass captcha protection
What are the potential consequences of bypassing captcha protection
What category and severity level does the "Bypass captcha based protection by adding headers" fall under
Are there any references or resources available for further information on this vulnerability
What are the specific API selection filters and execution steps involved in this test
"The text editor in Akto is absolutely remarkable. Its user-friendly YAML format strikes the perfect balance between simplicity and power. With intuitive features like 'API selection filter', 'Execute', Validate' creating test rules becomes incredibly easy. Akto's test editor is a game-changer, enabling seamless creation of highly personalized and effective tests that could meet the needs of any modern day organization. "

Security team,
Rippling