Broken Auth CAPTCHA Bypassing Low Security Level

Published: 08 January 2022
on channel: PseudoTime

Broken Auth. - CAPTCHA Bypassing - Low Security Level

Solution:

*Note: I am using the BurpSuite pre-configured browser. If you are not using the pre-configured browser, please configure your browser with the proxy and then follow the steps below.

Step 1. Complete the Login, Password and Captcha fields and click on Login.

Step 2. Go to BurpSuite, right-click, and send the request to the Intruder page.

Step 3. Click on Positions, then click the Clear button as shown in the video, and change the attack type to Cluster bomb.

Step 4. In the Positions tab, select bug and click Add, then select bee and click Add.

Step 5. Click on Payloads. Select Payload set 1 with Payload type Simple list; in Add text, add the values bee, admin, 1234. (For real-life testing scenarios you can copy and paste a list of your choice.)
Now select Payload set 2 and keep the Payload type as Simple list; in Add text, add the values bug, test, password and any other values of your choice. (Note: more values will take more time to execute the attack because of the large number of combinations tested.)

Step 6. Click on Options and go to Grep - Match. Tick the check box "Flag result items with responses matching these expressions". Click Clear, then Yes, and add your comment here.
Match type: Simple string.
Click on Exclude HTTP headers.

Step 7. Go to Positions and click on Start attack.

Step 8. Click OK if BurpSuite shows a pop-up.

Step 9. Click on Length and check the results for bee and bug.
Click on Response and search for the words "successful login".
Click on Render to see the successful login page.
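Why the replayed request keeps working, as an added example that is not part of the original description: the steps above vary only the login and password, so the same CAPTCHA value is sent in every request. The Python sketch below assumes the server keeps the CAPTCHA answer in the session (`Session`, `login_reusable`, `login_single_use` and `replay` are hypothetical names, and the account and guesses are constructed) and puts the reusable check beside one that consumes the answer on first use.

```python
import hmac
import secrets

# Demo account matching the bee/bug pair the walkthrough checks for.
USERS = {"bee": "bug"}
# Constructed guesses, in the order a wordlist run might submit them.
GUESSES = [("admin", "test"), ("1234", "password"), ("bee", "bug")]


class Session:
    """Minimal stand-in for a server-side session (hypothetical)."""
    def __init__(self):
        self.captcha = None

    def new_captcha(self):
        # A real application would render this as an image for the user.
        self.captcha = secrets.token_hex(3)
        return self.captcha


def check_credentials(login, password):
    expected = USERS.get(login)
    return expected is not None and hmac.compare_digest(expected, password)


def login_reusable(session, login, password, captcha):
    """Weak: the stored answer survives the attempt, so one solved CAPTCHA
    covers every later request sent in the same session."""
    if session.captcha is None or not hmac.compare_digest(session.captcha, captcha):
        return "captcha-failed"
    return "ok" if check_credentials(login, password) else "bad-credentials"


def login_single_use(session, login, password, captcha):
    """Hardened: the answer is consumed before anything else is checked,
    so every further attempt needs a freshly solved CAPTCHA."""
    answer, session.captcha = session.captcha, None
    if answer is None or not hmac.compare_digest(answer, captcha):
        return "captcha-failed"
    return "ok" if check_credentials(login, password) else "bad-credentials"


def replay(login_fn, guesses):
    """Solve one CAPTCHA, then submit every guess with that same answer."""
    session = Session()
    solved = session.new_captcha()
    return [login_fn(session, user, pw, solved) for user, pw in guesses]
```

With the single-use check, only the first replayed request reaches the credential comparison; the rest fail at the CAPTCHA step, which also gives a clear signal to alert on.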
