How to bypass CAPTCHAs easily using Python and other methods
Internet service providers generally face the risk of authentication-related attacks, spam, Denial-of-Service attacks, and data mining bots. Completely Automated Public Turing test, to tell Computers and Humans apart, popularly known as CAPTCHA, is a challenge-response test created to selectively restrict access to computer systems. As a type of Human Interaction Proof, or a human authentication mechanism, CAPTCHA generates challenges to identify users. In essence, a CAPTCHA test can tell machines/ computers and humans apart. This has caused a heightened adoption of CAPTCHAs across various online businesses and services.
The concept of CAPTCHA depends on human sensory and cognitive skills. These skills enable humans to read a distorted text image or choose specific images from several different images. Generally, computers and computer programs such as bots are not capable of interpreting a CAPTCHA as they generate distorted images with text or numbers, which most Optical Character Recognition (OCR) technologies fail to make sense of. However, with the help of Artificial Intelligence, algorithms are getting smarter and bots are now capable of cracking these tests. For instance, there are bots that are capable of solving a text CAPTCHA through letter segmentation mechanisms. That said, there aren’t a lot of automated CAPTCHA solving algorithms available.
This article outlines the various methods of generating and verifying CAPTCHAs, their application, and multiple ways to bypass CAPTCHAs.
Reasons for using CAPTCHA
Web developers deploy CAPTCHAs on websites to ensure that they are protected against bots. CAPTCHAs are generally used to prevent:
Bots from registering for services such as free email.
Scraper bots from gathering your credentials or personal information, upon logging in or while making online payments.
Bots from submitting online responses.
Brute-force bot attacks.
Search engine bots from indexing pages with personal/ sensitive information.
General flow of CAPTCHA generation and verification
The image below represents the common method of generating and verifying CAPTCHAs:
Application of different types of CAPTCHA and how to bypass them
I. reCAPTCHA and the protection of websites
Google reCAPTCHA is a free service offered to prevent spam and abuse of websites. It uses advanced risk analysis techniques and allows only valid users to proceed.
Process flow diagram of Google reCAPTCHA
How to bypass reCAPTCHA?
Verification using browser extensions
Browser extensions such as Buster help solve CAPTCHA verification challenges. Buster, for instance, uses speech recognition software to bypass reCAPTCHA audio challenges. reCAPTCHA allows users to download audio files. Once it is downloaded, Google’s own Speech Recognition API can be used to solve the audio challenge.
CAPTCHA solving services
Online CAPTCHA solving services offer human based services. Such services involve actual human beings hired to solve CAPTCHAs.
II. Real person CAPTCHA and automated form submissions
The jQuery real person CAPTCHA plugin prevents automated form submissions by bots. These plugins offer text-based CAPTCHAs in a dotted font. This solves the problem of fake form submissions.
How to bypass real person CAPTCHA?
The following steps can be used to solve real person CAPTCHAs:
A. Create data set
In this one-time process:
Collect texts from real person HTML tags
Group the texts based on the words
Create data set model for A-Z words (training data)
B. Testing to predict the solutions
After successfully completing process A, set up a process to:
Fetch the word from the data set model created in process A.
Example:
from selenium import webdriver
import time
dataset = {‘ * * * * * ******* ‘: ‘J’,
‘******* * * * * * *’: ‘L’,
‘******** * ** * ** * ** * ** * * ** ** ‘: ‘B’,
‘* * * **** * * * ‘: ‘Y’,
‘* * * ******** * * ‘: ‘T’,
‘ ***** * ** ** ** ** * * * ‘: ‘C’,
‘******** * ** * ** * ** ** ** *’: ‘E’,
‘******** ** ** ** ** * ***** ‘: ‘D’,
‘* ** ** ********* ** ** *’: ‘I’,
‘ ***** * ** ** ** ** * ***** ‘: ‘O’,
‘******* * * * * * *******’: ‘M’,
‘******* * * * * * *******’: ‘N’,
‘******** * * * * * * * * ‘: ‘F’,
‘ ** * * * ** * ** * ** * ** * * * ** ‘: ‘S’,
‘ ***** * ** ** ** * ** * **** *’: ‘Q’,
‘******* * * * * * * * * * * *’: ‘K’,
‘ ** ** ** * * * ** * ** **’: ‘A’,
‘****** * * * * ******* ‘: ‘U’,
‘******* * * * * * *******’: ‘H’,
‘** ** ** * ** ** ** ‘: ‘V’,
‘* ** *** * ** * ** * *** ** *’: ‘Z’,
‘******** * * * * * * * * * ** ‘: ‘P’,
‘* * * * * * * * * * * * *’: ‘X’,
‘ ***** * ** ** ** * ** * * * ** ‘: ‘G’,
‘******** * * * * * * ** * * * ** *’: ‘R’,
‘******* * * * * * *******’: ‘W’}
def group_captcha_string(word_pos):
captcha_string = ”
for i in range(len(word_pos[0])):
temp_list = []
temp_string = ”
for j in range(len(word_pos)):
val = word_pos[j][i]
temp_string += val
if ():
(val)
if temp_list:
captcha_string += temp_string
else:
captcha_string += ‘sp’
return (“spsp”)
# create client
client = ()
(“)
(3)
# indexing text
_get = lambda _in: {index: val for index, val in enumerate(_in)}
# get text from html tag
captcha = nd_element_by_css_selector(‘form [class=”realperson-text”]’)(‘\n’)
word_pos = list(map(_get, captcha))
# group text
text = group_captcha_string(word_pos)
# get text(test)
captcha_text = ”(list(map(lambda x: dataset[x] if x else ”, text)))
print(“captcha:”, captcha_text)
III. Text-in-image CAPTCHA
Text-based/ text-in-image CAPTCHAs are the most commonly deployed kind and they use distorted text rendered in an image. There are two types of text-based CAPTCHAs:
Simple CAPTCHA
Simple CAPTCHAs can be bypassed using the Optical Character Recognition (OCR) technology that recognizes the text inside images, such as scanned documents and photographs. This technology converts images containing written text into machine-readable text data.
import pytesseract
import sys
import argparse
try:
import Image
except ImportError:
from PIL import Image
from subprocess import check_output
def resolve(path):
print(“Resampling the Image”)
check_output([‘convert’, path, ‘-resample’, ‘600’, path])
return age_to_string((path))
if __name__==”__main__”:
argparser = gumentParser()
d_argument(‘path’, help = ‘Captcha file path’)
args = rse_args()
path =
print(‘Resolving Captcha’)
captcha_text = resolve(path)
print(‘Extracted Text’, captcha_text)
# command to run script
python3
Complicated CAPTCHA
These text-in-image CAPTCHAs are too complex to be solved using the OCR technology. Instead the following measures can be considered:
Build machine learning models such as Convolutional Neural Network (CNN) or Recurrent Neural Network (RNN)
Resort to CAPTCHA solving services
IV. Sum of integers or logical operations
This unique challenge involves solving mathematical problems, particularly, finding the sum of integers.
To bypass this challenge, one can:
Extract text from HTML tags or images
Identify the operator
Perform the logic
Get the result
V. Mitigating DDoS attacks using CAPTCHAs
In distributed denial-of-service attacks, cyber criminals target network resources and render them inaccessible to users. These attacks temporarily or indefinitely slows down the target resource by flooding the target with incoming traffic from several hosts. To prevent such attacks, businesses use CAPTCHAs.
The following methods or programs can be used to bypass DDoS protected sites:
JavaScript supported browsers (Chrome/ Firefox)
Deriving logic to generate DDoS answers
Fetch the DDoS problem on the site and execute it using
Senior Software Engineer
He is a Senior Software Engineer working as a part of the Data Acquisition team at CloudSEK. In his role, he is responsible for writing reusable codes and scalable web crawlers for XVigil. In his spare time, Sellamani loves to take on new challenges and find solutions to real-time problems.
Cyber Intelligence Editor,
CloudSEK
Total Posts: 2
She is a Cyber Intelligence Editor at CloudSEK. A lawyer by training and a content writer by choice, she prefers to write on matters concerning current affairs, security, and human frailty.
Supreme Adds CAPTCHA Online to Fight Bots | HYPEBEAST
Supreme just implemented CAPTCHA to its web shopping experience as of this morning for both UK and U. S. sites. If you’ve filled out forms to make purchases online before, you’ll know that CAPTCHA is a way for sites to know that you’re an actual “human” making the transaction. For those who may be unfamiliar with the actual purpose of the “Completely Automated Public Turing test to tell Computers and Humans Apart” system states that:
The technology is used mostly to block spammers and bots that try to automatically harvest email addresses or try to automatically sign up for or make use of Web sites, blogs or forums. CAPTCHA, whose users include Yahoo and Google, blocks automated systems, which can’t read the distorted letters in the graphic.
Now there’s still some controversy surrounding the effectiveness of CAPTCHA. As most consumers know, bots have been the main problem when it comes to scalpers getting their hands on tickets for events, concerts and plays. Some of the sites where these tickets are purchased from do have CAPTCHA, but some crafty individuals out there have figured out how to get around the system. Supreme could find the same issue happening to its site.
So what does this all mean for Supreme shoppers online? For one, it will hopefully stop, or at least hinder the use of many bot systems out there that automatically makes purchases for greedy users looking to grab copious amounts of ‘Preme products, especially on drop day. There are many bots out there for sale on the web, especially ones only specializing in Supreme — prices for them can go up to hundreds of dollars with some even implementing monthly and annual membership fees. Hopefully, with fingers crossed, CAPTCHA will allow most non bot-using consumers a better chance to purchase the products they want. Still, only if they’re fast enough.
Supreme’s online store is pretty bare right now with practically all the “hyped” items sold out. All of us will just have to wait until this Thursday, March 23 when the Supreme x Mike Hill collab drops to really see if there will be any changes now with the implementation of CAPTCHA.
5 alternatives to CAPTCHA that won’t baffle or frustrate users
We spend several hours every week conducting usability tests on a variety of different websites. In our research we often see people struggle with CAPTCHA, the anti-spam solution designed to differentiate between a human and a spambot. It’s easy to see why web teams adopt this tool to avoid spam – it is clearly an effective tool. However, they are probably not aware of how frustrating users find it! We regularly hear users say things like “oh I hate these things”, “not this thing again”, “why are they making it difficult for me? ” In some cases we have seen users abandon a site altogether when faced with a CAPTCHA tool.
As a result of our observations we recommend that our clients remove the CAPTCHA tool from their site. In a recent client meeting we had a long discussion about the UX implications of anti-spam tools, and they challenged us to find a better alternative, that protected them from spam but didn’t frustrate users in the process. We accepted that challenge and thought we’d share the findings with our readers. In reverse order, we provide our top 5 CAPTCHA alternatives.
5. Gamification
Starting at number 5 is an alternative to CAPTCHA that still slows people down, but incorporates a bit of fun into the process. This approach typically asks users to drag and drop items to prove they are human.
An example of a game CAPTCHA
Making anti-spam into a game could allow the web team to complement the existing brand language. So for example a car brand could set up a game where users have to drag different car parts to build a car. Whilst we like the idea of turning spam prevention into a fun game, it still interrupts users from completing a simple task to submit a form. In some cases they can take some time to complete and in many contexts we would be concerned about how users would react to this tool. For example, we can’t imagine a financial analyst being too impressed with having to ‘plant a garden’ to access a financial report.
4. Simple questions
The next alternative would be to ask users to respond to a simple question. These questions are designed to differentiate humans from spambots. This is a popular alternative that we have seen work quite well, using either a simple maths question (see below) or a simple general knowledge question (i. e. “What colour is the sky? ”)
An example of a simple anti-spambot maths question
This CAPTCHA alternative is simple to implement, it’s effective, and it can allow companies to add humour or a brand voice to the trivia questions. However, this option should still be considered carefully to ensure accommodation is made for users of varying learning abilities and cultural backgrounds. As with many of these solutions, not all users will understand why they are being asked these questions and this can lead to frustration. A contextual help link to explain why they are being asked this, could alleviate the issue.
3. Slider
The slider tool uses the simple interaction of clicking on a button and sliding it from left to right to validate the user as human. The tool works because the task is easy for humans to complete while the tool remains invisible to spambots.
An example of a slider
This is a simple interaction that is likely to be familiar to iPhone or iPad users that need to ‘slide to unlock’ their device. With the example shown above, users might be led to believe that swiping the slider will submit the form, when in reality it just activates the button. A better option here would be to amend the instruction to ‘slide to activate the send button.
2. Checkbox
The check box option works by placing a check box or radio button on a form that users are asked to select or unselect before submission. Again, this is a simple interaction, and in the context of web forms, checkboxes are commonplace so users should be able to complete it quickly without too much thought.
An example of a checkbox anti-spam
The simplicity of this option means it rates highly on our list of CAPTCHA alternatives. Our only hesitation would be to make sure the terminology is easy for users to understand. ‘I’m not a spambot’ is likely to confuse users who don’t know what a spambot is. We would recommend ‘I am a human’ with a contextual help link (i. ‘Why am I being asked this? ’) next to the check box. Alternatively to eliminate any confusion to users, do not mention the fact it’s a spam detection tool and simply label ‘Select this box before pressing submit’.
1. Honeypot or time-based forms
The best alternative to a CAPTCHA tool is to completely remove the requirement for users to ‘prove they are human’. Two examples we found are the honeypot or time-based alternatives.
The honeypot solution works by placing a hidden field in a form that the spambot would see, but users wouldn’t. The idea is that spambots will recognise it as a normal field to complete and any forms with an entry will be flagged as spam.
Another technical alternative which is hidden from users is the time-based form. The idea behind this is to detect a spambot based on the time it takes to complete a form. Genuine users take a few moments to complete a form, whereas spambots complete forms instantly. Therefore any forms submitted too quickly would be identified as a bot. We can see this solution working quite well, as long as the time-frame set is practical for users to achieve.
Summary
There are a number of alternatives to CAPTCHA available. However, like any change to a website, it is important to consider the impact the tool will have on users before it is implemented. There are a number of technical considerations with these alternatives that we have not discussed here. We would therefore recommend any team considering CAPTCHA alternatives should consult with UX and technical consultants before making a decision. The best approach would be to narrow down the options and conduct user tests to select the best option.
Key Takeaways
Users hate using sites with CAPTCHA
Alternative solutions are available which are not as frustrating as CAPTCHA
The best solutions are those that don’t require users to prove they are not spambots
Are you using an alternative CAPTCHA solution? If so, get in touch for some tips on how you could test it with your users.
Frequently Asked Questions about how to bypass captcha on supreme
Can CAPTCHA be bypassed?
Simple CAPTCHAs can be bypassed using the Optical Character Recognition (OCR) technology that recognizes the text inside images, such as scanned documents and photographs. This technology converts images containing written text into machine-readable text data.
Does supreme need CAPTCHA?
Supreme just implemented CAPTCHA to its web shopping experience as of this morning for both UK and U.S. sites. If you’ve filled out forms to make purchases online before, you’ll know that CAPTCHA is a way for sites to know that you’re an actual “human” making the transaction.Mar 21, 2017
How do I opt out of CAPTCHA?
There’s no way to opt out of reCAPTCHA on a site you need to use, forcing you to either accept being tracked or stop using a given service altogether. If you don’t like those full-body scanners at airports, you can at least still opt out and get a manual pat-down.