Replaying request with same captcha
The server fails to enforce captcha expiration, allowing users to submit multiple requests using the same captcha value without time restrictions.
Lack of Resources & Rate Limiting (RL)
How this template works
The template includes filters to select API requests based on specific criteria. In this case, it filters requests based on the response code being between 200 and 300, or if the request payload or query parameter contains the word "captcha".
The template specifies a single request to be executed. It adds a custom header to the request, specifically the "x-akto-ignore" header with a value of "0".
The template defines validation criteria for the response. It checks that the response code is between 200 and 300, the percentage match of the response payload is greater than 80%, and the length of the response is greater than 0.
Frequently asked questions
What is the impact of bypassing CAPTCHA protection in this scenario
How does the server fail to enforce captcha expiration in this test
What are the potential consequences of successful replaying of captchas
What category and subcategory does this vulnerability fall under
What are some tags associated with this vulnerability
Can you provide a reference for further information on this vulnerability