Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More

Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More

Services
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Security
Unlock the full power of Microsoft Security
Offensive Security
Solutions to maximize your security ROI
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

Unveiling the CAPTCHA Escape: The Dance of CAPTCHA Evasion Using TOR

In this era, threat actors have proven to be tireless in their pursuit of exploiting vulnerabilities and gaining unauthorized access to online platforms using anything from simple to sophisticated attacks. Today, we delve into shedding light on how attackers employ methods to bypass one of the most common defenses against automated attacks. Particularly on using TOR networks to evade or bypass CAPTCHA.

 

CAPTCHA

 

Captcha_Escape_pic1

Figure 1. Some examples of CAPTCHA and verification challenges

 

Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA), is a well-known security control we often see to protect applications from automated attacks. It presents challenges to users visiting a website to ensure they are human and not automated scripts or bots. The most common challenge is the "I'm not a robot" checkbox or a CAPTCHA challenge that requires users to solve puzzles, identify objects in images, or perform other tasks that are difficult for automated scripts to complete.

 

Cloudflare

 

Captcha_Escape_pic2

Figure 2. Simple illustration of the Cloudflare model

 

Cloudflare provides a wide range of website security and performance services, primarily focused on optimizing websites, mobile applications, and other online services against online attacks. Another great thing about Cloudflare is it acts as a reverse proxy and content delivery network (CDN) for online applications. It also conceals the source addresses of the origin server, providing an additional layer of security that hides the actual server's IP address from potential threat actors. There are also various security features, including DDoS protection, a web application firewall (WAF), and bot mitigation, to name a few.

 

By implementing Cloudflare CAPTCHA, website owners can reduce the risk of spam submissions, brute force attacks, and other malicious activities that can disrupt their online services. It helps maintain the integrity and security of websites by verifying the authenticity of incoming traffic.

 

TOR

 

Captcha_Escape_pic3

Figure 3. Illustration of a user browsing website over Tor

 

TOR, short for 'The Onion Router,' is a free and open-source software project initially developed by the U.S. Navy for online privacy and anonymity. It achieves this by routing Internet traffic through a network of volunteer-operated servers referred to as 'nodes' or 'relays'. It is worth noting that TOR is also used for accessing the dark web, a portion of the Internet that is not indexed by traditional search engines and may host websites and services associated with various activities, including those of a questionable or illegal nature.

 

Evasion/Bypass

 

While doing a bit of research, I discovered how to evade or bypass Cloudflare’s CAPTCHA challenge. 

 

Upon investigating an application, I saw that the CAPTCHA was missing for the login and registration pages, but as it turned out, CAPTCHA was lurking ahead.

Captcha_Escape_pic4

Figure 4. The application login page without CAPTCHA implemented

 

Captcha_Escape_pic5

Figure 5. The application registration page without CAPTCHA implemented

 

I signed up for test accounts on the target app without any issues using my email aliases. Shortly afterwards, I found there were no validation or verification mechanism links sent via email. Since the registered account was usable without verification, it follows that any non-registered email or invalid (non-existing) email can be used for registration. This security control gap could pose a serious threat if chained to other issues like missing or weak CAPTCHA, username enumeration, no account lockout, no rate-limiting, etc. So, I decided to create a POC to demonstrate the impact of this security flaw.

Captcha_Escape_pic6

Figure 6. Landing page after successful registration

 

I thought this would be a straightforward process. However, I recalled from the reconnaissance results that the application uses Cloudflare, and as a Cloudflare user myself, I thought there should be some mildly amusing security controls in play.

Captcha_Escape_pic7

Figure 7. Initial automated registration PoC showing that requests were redirected to /challenge (CAPTCHA challenge) page

 

I tried automating registration and was not surprised with the result. I tried again using various tweaks, including variations in delays and threads, hoping that those would suffice. But still, no luck.

Captcha_Escape_pic8

Figure 8. Example application response with CAPTCHA challenge

 

Captcha_Escape_GIF

Macros could be useful, but I wanted a fully automated demonstration. Hopping in and out of the application using our source addresses, I was again able to register accounts.

 

To get a better grasp of what we’re up against, I logged in to my Cloudflare account to browse and see the available configurations, etc.

Captcha_Escape_pic9

Figure 9. CAPTCHA customization for application page(s)

 

Captcha_Escape_pic10

Figure 10. CAPTCHA customization preview

 

I found out that Cloudflare has challenge page customization for non-free subscriptions. Below are the customizable challenge inclusions:

  • cf-error:1000s
  • block:ip-ban
  • block:rate-limit
  • block:client-auth
  • block:basic-sec-captcha
  • block:country-captcha
  • block:adv-sec-captcha
  • block:waf
  • block:iuam-basic
  • cf-error:500s
  • always-online:no-copy
  • phishing:warn
  • regulation:block

 

So, at this point, we know that Cloudflare is intervening with automated requests with IP-based limiting. I also found that Cloudflare allows connections from TOR users by default. Then I remembered this one simple piece of script I created for a research project.

 

PoC

 

Captcha_Escape_pic11

Figure 11. Simplified illustration of the attack

 

The idea is quite simple. Use a different source address for every transaction using TOR. This is another technique used for brute-forcing OTP (one-time pin) or OTC (one-time code) and other two-factor authentications. This trick could also work for various injection attacks. One researcher previously published on using AWS to brute-force iTunes’ or iCloud’s OTPs for better control. Despite limitations, TOR is easily accessible and makes it easier for everyone to accomplish or simulate these kinds of attacks.

Captcha_Escape_pic12

Figure 12. Shows example script used.

 

As an option, we can use Nxt to monitor the circuit, events, logs, and get new IP addresses on-demand. In this instance, the code above would suffice for our purposes.

Captcha_Escape_pic13

Figure 13. Shows nxt monitoring view

 

Here we can see the script execution without HTTP 302 redirections to the CAPTCHA challenge page.

Captcha_Escape_pic14

Figure 14. automated registration of accounts using TOR

 

We know that we’ve succeeded because the registration notifications are in!

Captcha_escape_pic15

Figure 15. example notification emails received

 

In the demonstration above, the CAPTCHA implementation in Cloudflare’s challenge was not set to always require CAPTCHA but was dependent on the user's behavior. Using TOR, we have avoided it by hopping randomly through hundreds of available TOR exit nodes.

Captcha_Escape_GIF2

Anyhow, the solution is quite simple. One is to always require CAPTCHA for pages that can be exploited by unauthenticated users, like registration pages. Use a hard-coded CAPTCHA when possible, along with other security controls like CSRF tokens and rate-limiting.

 

Additionally, if we want to block TOR sources when using Cloudflare, there is a simple way to block all exit nodes being advertised on torproject.org. Cloudflare uses the “T1” code for Tor. So, we can create a rule to block it.

Captcha_Escape_pic16

Figure 16. number of available exit nodes from torproject.org

 

Captcha_Escape_pic17

Figure 17. shows example of creating a rule to block TOR source addresses

 

Captcha_Escape_pic18

Figure 18. Error being shown to users accessing after blocking

 

I want to highlight the importance of identity or account verification. Although it won’t always pose a high risk as is, allowing account registrations without proper verification could be troublesome.

 

We can also view this as a toned-down DoS attack. For example, if an attacker can register accounts (email) ahead of the actual owners, the owner of the email would need to take additional steps to recover their accounts, especially if the affected app does not have password reset functionality. The users would take additional steps, like contacting support, etc. In addition, insecure registration functionalities could aid any threat actors’ phishing campaigns, malware distribution, etc.

 

In another attack-chain use case, if a targeted application is vulnerable to other attack vectors such as cross-site scripting (XSS), the actor can register using the victim’s email or register accounts using dumped emails, etc., and add malicious payloads to the user-accessible areas, such as the account profile section. When the account owner initiates a password reset and gains control of the account, the payload will then execute in the victim’s context.

 

Proper implementation of CAPTCHA elevates the overall security of applications. Having properly implemented 2FAs, MFAs, and OTCs and account verifications should also be considered.

 

AI VS CAPTCHA

 

I remember when I first had a flatbed scanner back in the mid-2000s. It came with a CD containing driver software, an image scanning editor, and OCR software. I still remember the name “OmniPage.” OCR stands for "Optical Character Recognition." It is a long-existing technology that detects text in images. It is commonly used to convert scanned documents or images into digital text. I was so amazed and perplexed at the same time back then by how it functions. Today, we can use our phones to convert images to text and even translate them in real-time.

Captcha_Escape_pic19

Figure 19. Example of using OCR to solve arithmetic-based CAPTCHA using a script

 

Now, AI can be used to solve CAPTCHA challenges to some extent by using OCR and other complex algorithms. While traditional CAPTCHAs were initially designed to be difficult for automated scripts to solve, advancements in AI and machine learning have made it possible to develop algorithms and models that can recognize and solve certain types of CAPTCHAs with a high degree of accuracy and efficiency. There are companies offering CAPTCHA solving as a service using AI.

Captcha_Escape_pic20

Figure 20. Some examples of CAPTCHA challenges claimed to be solvable by AI

 

Conclusion

 

It is a fact that AI and Quantum computing have opened a new paradigm in cybersecurity, including automation against applications. Threat actors can abuse them in several ways. For example, they can be used to spam websites or services, disrupt user experiences, and perform brute-force attacks on login and registration forms. Automated CAPTCHA solving may also enable unauthorized data scraping, potentially violating terms of service and legal agreements. While there are legitimate uses for CAPTCHA-solving automation, it is essential to deploy it responsibly and within legal and ethical boundaries. As we explore the evolving role of CAPTCHA, MFAs/2FAs among other security controls, security engagements such as penetration testing and collective research propel improvements to secure applications and systems against the onslaught of automation.

ABOUT TRUSTWAVE

Trustwave is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.

Latest Intelligence

Discover how our specialists can tailor a security program to fit the needs of
your organization.

Request a Demo