Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
CWE-804: Guessable CAPTCHA
Weakness ID: 804
Version: v4.17
Weakness Name: Guessable CAPTCHA
Vulnerability Mapping: Allowed
Abstraction: Base
Structure: Simple
Status: Incomplete
Likelihood of Exploit:
▼Description

The product uses a CAPTCHA challenge, but the challenge can be guessed or automatically recognized by a non-human actor.

▼Extended Description

An automated attacker could bypass the intended protection of the CAPTCHA challenge and perform actions at a higher frequency than humanly possible, such as launching spam attacks.

There can be several different causes of a guessable CAPTCHA:

  • An audio or visual image that does not have sufficient distortion from the unobfuscated source image.
  • A question is generated with a format that can be automatically recognized, such as a math question.
  • A question for which the number of possible answers is limited, such as birth years or favorite sports teams.
  • A general-knowledge or trivia question for which the answer can be looked up in a database, such as country capitals or popular entertainers.
  • Other data associated with the CAPTCHA may provide hints about its contents, such as an image whose filename contains the word that is used in the CAPTCHA.
▼Alternate Terms
▼Relationships
Relevant to the view "Research Concepts - (1000)"

Nature     Mapping               Type    ID     Name
ChildOf    Allowed-with-Review   Class   863    Incorrect Authorization
ChildOf    Allowed-with-Review   Class   1390   Weak Authentication
ParentOf   Discouraged           Class   330    Use of Insufficiently Random Values
▼Memberships

Nature     Mapping      Type       ID     Name
MemberOf   Prohibited   Category   808    2010 Top 25 - Weaknesses On the Cusp
MemberOf   Prohibited   Category   1211   Authentication Errors
MemberOf   Prohibited   Category   1396   Comprehensive Categorization: Access Control
▼Tags

Nature     Mapping      Type       ID         Name
MemberOf   Prohibited   BOSSView   BOSS-270   Weaknesses in Web Server
MemberOf   Prohibited   BOSSView   BOSS-294   Not Language-Specific Weaknesses
MemberOf   Prohibited   BOSSView   BOSS-312   Other (impact)
MemberOf   Prohibited   BOSSView   BOSS-316   Bypass Protection Mechanism (impact)
▼Relevant To View
Relevant to the view "Software Development - (699)"

Nature     Mapping      Type       ID     Name
MemberOf   Prohibited   Category   1211   Authentication Errors
▼Background Detail

▼Common Consequences
Scope: Access Control, Other
Likelihood: N/A
Impact: Bypass Protection Mechanism, Other
Note:

When authorization, authentication, or another protection mechanism relies on CAPTCHA entities to ensure that only human actors can access certain functionality, then an automated attacker such as a bot may access the restricted functionality by guessing the CAPTCHA.

▼Potential Mitigations
▼Modes Of Introduction
Phase: Architecture and Design
Note: N/A
Phase: Implementation
Note: N/A

▼Applicable Platforms
Languages
Class: Not Language-Specific (Undetermined Prevalence)
Technology
Class: Web Server (Sometimes Prevalence)
▼Demonstrative Examples
▼Observed Examples
Reference: CVE-2022-4036
Description: Chain: appointment booking app uses a weak hash (CWE-328) for generating a CAPTCHA, making it guessable (CWE-804)
▼Affected Resources
▼Functional Areas
▼Weakness Ordinalities
Ordinality: Primary
Description: N/A
▼Detection Methods
▼Vulnerability Mapping Notes
Usage: Allowed
Reason: Acceptable-Use
Rationale:

This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.

Comments:

Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Suggestions:
▼Notes
▼Taxonomy Mappings
Taxonomy Name: WASC
Entry ID: 21
Fit: N/A
Entry Name: Insufficient Anti-Automation
▼Related Attack Patterns
▼References
Reference ID: REF-731
Title: Insufficient Anti-automation
Author: Web Application Security Consortium
URL: http://projects.webappsec.org/Insufficient+Anti-automation