Found this.
QUOTE
This article details a method I have discovered to bypass CAPTCHA security, without having to use Optical Character Recognition software.
Most CAPTCHAs don't destroy the session when the correct phrase is entered. So by reusing the session id of a known CAPTCHA image, it is possible to automate requests to a CAPTCHA-protected page.
I have tested a number of free and commercial CAPTCHA scripts, and most of them are vulnerable to this method of exploitation. This includes the popular humanVerify solution, and many others.
manual steps:
connect to captcha page
record session ID and captcha plaintext
automated steps:
resend session ID and CAPTCHA plaintext any number of times, changing the user data, e.g.:
POST /vuln_script.php HTTP/1.0
Cookie: PHPSESSID=329847239847238947;
^^^ this is the session id of the page you looked at manually
Content-Length: 49
Connection: close
name=bob&email=bob@fish.com&captcha=the_plaintext
^^^ this includes the captcha string for the page you looked at manually
the other user data can change on each request
you can then automate hundreds, if not thousands, of requests until the session expires, at which point you just repeat the manual steps and then reconnect with a new session id and captcha text.
This is -easy- to fix, here's the vulnerable pseudocode (written out as PHP, since the target is a PHP script; $captcha_stored is the phrase held in the session):
    if ($form_submitted && $captcha_stored !== "" && $captcha_sent === $captcha_stored) {
        // the stored phrase is left in the session, so the same session id + phrase keeps passing
        process_form();
    }
fixed pseudocode:
    if ($form_submitted && $captcha_stored !== "" && $captcha_sent === $captcha_stored) {
        $captcha_stored = "";   // consume the phrase: a replay with the same session id now fails the != "" test
        process_form();
    }
- it's a one line fix!
http://puremango.co.uk/cm_breaking_captcha_115.php
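To see the replay problem and the one-line fix side by side, here is an added Python simulation (not code from the quoted article or from puremango.co.uk). It stands in an in-memory dictionary for the server's session store keyed by session id, generates a CAPTCHA phrase per session the way the image page would, and counts how many times one (session id, phrase) pair is accepted by the vulnerable check versus the fixed check. All names (SESSIONS, new_session, check_vulnerable, check_fixed, accepted_submissions) are this example's own.

```python
"""Session-backed CAPTCHA check: replayable vs. single-use (constructed demo)."""
import hmac
import secrets

# Constructed stand-in for the server's session store, keyed by session id
# (the PHPSESSID cookie in the post). Each entry holds that session's CAPTCHA phrase.
SESSIONS: dict[str, dict] = {}


def new_session() -> str:
    """Create a session and issue it a fresh CAPTCHA phrase, as the image page would."""
    sid = secrets.token_hex(8)
    SESSIONS[sid] = {"captcha": secrets.token_urlsafe(6)}
    return sid


def _matches(sent: str, stored: str) -> bool:
    """Non-empty stored phrase and a constant-time equal comparison."""
    return stored != "" and hmac.compare_digest(sent.encode(), stored.encode())


def check_vulnerable(sid: str, captcha_sent: str) -> bool:
    """Mirror of the article's vulnerable logic: the stored phrase survives a correct answer."""
    sess = SESSIONS.get(sid)
    if sess is None:
        return False
    return _matches(captcha_sent, sess["captcha"])


def check_fixed(sid: str, captcha_sent: str) -> bool:
    """The article's fix: consume the stored phrase on the first correct answer."""
    sess = SESSIONS.get(sid)
    if sess is None:
        return False
    ok = _matches(captcha_sent, sess["captcha"])
    if ok:
        sess["captcha"] = ""  # invalidate, so the same sid + phrase fails from now on
    return ok


def accepted_submissions(check, sid: str, phrase: str, attempts: int) -> int:
    """Submit the same (session id, phrase) pair `attempts` times; count how many pass."""
    return sum(1 for _ in range(attempts) if check(sid, phrase))


if __name__ == "__main__":
    sid = new_session()
    phrase = SESSIONS[sid]["captcha"]  # what a human reads off the image once
    print("vulnerable:", accepted_submissions(check_vulnerable, sid, phrase, 100))  # 100
    sid = new_session()
    phrase = SESSIONS[sid]["captcha"]
    print("fixed:     ", accepted_submissions(check_fixed, sid, phrase, 100))  # 1
```

With the fix, a second submission on the same session fails the non-empty check rather than the comparison, which is the behaviour the article's `captcha_stored=""` line produces; on the detection side, repeated successful form submissions from a single session id are exactly the signal the vulnerable version lets through unnoticed.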