The full form of CAPTCHA is - "Completely Automated Public Turing test to tell Computers and Humans Apart".
A CAPTCHA is a program that protects websites against bots by generating and grading tests that humans can pass but current computer programs cannot.
Captchas are not brakeable but there are some third party captchas that can be breakable and one of the example for it is "jQuery Real Person" captcha.
It is possible to bypass the captcha on the JQuery-Real-Person plugin to perform a brute force attack.
There is associated parameter with each image, to checkout the characters introduced by the user. But there is not a good chek to assure that the
characteres introduced are the characters shown on the picture.
Therefore we can just choose a pair of parameter and characters and use them in all the request to the web server.
The name of the parameter that determinate the captcha image is "value".
Example: The captcha image shown in the example is JYYBME and we use "Inspect Element" on Google Chorme or Firebug on Firefox to search this
line in the code:
<input type="hidden" class="realperson-hash" name="defaultRealHash" *
value="-1158072107"*>
In this case we already know a valid pair of parameter and characters that we can use to perform a brute force attack bypassing the captcha restriction.
JYYBME ----> *-1158072107*
We can generate as many valid pairs as we want but only one is necessary to perform the brute force attack.
It does not matters that the captcha does not show the characters that we type because the check is done through the value parameter so we just need to type one valid pair of parameter and characters.
The below example illustrates how to break captcha with jQuery Real Person plugin.
import org.openqa.selenium.By;
import org.openqa.selenium.JavascriptExecutor;
import org.openqa.selenium.WebDriver;
import org.openqa.selenium.firefox.FirefoxDriver;
public class Sample {
static WebDriver driver;
public static void main(String args[]){
try{
driver = new FirefoxDriver();
//Loading jQuery Real Person Captcha demonstration page
driver.get("http://keith-wood.name/realPerson.html");
Thread.sleep(2000);
JavascriptExecutor js = (JavascriptExecutor) driver;
//Setting the captcha values
js.executeScript("document.getElementsByName('defaultRealHash')[0].setAttribute('value', '-897204064')");
driver.findElement(By.name("defaultReal")).sendKeys("QNXCUL");
//Submit the form
driver.findElement(By.xpath(".//*[@id='default']/form/p[2]/input")).submit();
}
catch(Exception e){
//gulp the exception
}
}
}
Below are some of the workarounds that we can do to handle captchas in testing scenarios:
A CAPTCHA is a program that protects websites against bots by generating and grading tests that humans can pass but current computer programs cannot.
Captchas are not brakeable but there are some third party captchas that can be breakable and one of the example for it is "jQuery Real Person" captcha.
It is possible to bypass the captcha on the JQuery-Real-Person plugin to perform a brute force attack.
There is associated parameter with each image, to checkout the characters introduced by the user. But there is not a good chek to assure that the
characteres introduced are the characters shown on the picture.
Therefore we can just choose a pair of parameter and characters and use them in all the request to the web server.
The name of the parameter that determinate the captcha image is "value".
Example: The captcha image shown in the example is JYYBME and we use "Inspect Element" on Google Chorme or Firebug on Firefox to search this
line in the code:
<input type="hidden" class="realperson-hash" name="defaultRealHash" *
value="-1158072107"*>
In this case we already know a valid pair of parameter and characters that we can use to perform a brute force attack bypassing the captcha restriction.
JYYBME ----> *-1158072107*
We can generate as many valid pairs as we want but only one is necessary to perform the brute force attack.
It does not matters that the captcha does not show the characters that we type because the check is done through the value parameter so we just need to type one valid pair of parameter and characters.
The below example illustrates how to break captcha with jQuery Real Person plugin.
import org.openqa.selenium.By;
import org.openqa.selenium.JavascriptExecutor;
import org.openqa.selenium.WebDriver;
import org.openqa.selenium.firefox.FirefoxDriver;
public class Sample {
static WebDriver driver;
public static void main(String args[]){
try{
driver = new FirefoxDriver();
//Loading jQuery Real Person Captcha demonstration page
driver.get("http://keith-wood.name/realPerson.html");
Thread.sleep(2000);
JavascriptExecutor js = (JavascriptExecutor) driver;
//Setting the captcha values
js.executeScript("document.getElementsByName('defaultRealHash')[0].setAttribute('value', '-897204064')");
driver.findElement(By.name("defaultReal")).sendKeys("QNXCUL");
//Submit the form
driver.findElement(By.xpath(".//*[@id='default']/form/p[2]/input")).submit();
}
catch(Exception e){
//gulp the exception
}
}
}
Below are some of the workarounds that we can do to handle captchas in testing scenarios:
- Captcha is build to avoid automation. But if this is some kind of blocking your testing in QA environment then there is a way to do it. Developers are generating captcha code and display as image. This generated captch code might be stored somewhere in database. Ask your developer the db detail of for storing captcha code and get the code from there and validate on the front.
- You can ask your development team set a default password/captcha Which you can use to automate in order to check if the flow works fine.Beaware that it is not going to be a test to test Captcha works as such but to check if the flow/scenario that includes captcha pre & pro works accurate.
No comments:
Post a Comment