Captchas are usually used to prevent bots from performing an action that should be reserved for humans. They are meant to add an extra layer of security, but a badly configured one can lead to unauthorized access…
When you try to submit the form without providing a captcha code, you get the following error:
Submit an empty password and take a look at the HTTP request and its parameters: you will notice a strange variable
This variable is the step counter of the change-password functionality.
So if you simply change it to 2 and replay the request with this new value, it works perfectly: the step is taken from the client, so nothing forces the captcha check of step 1 to run before step 2 is processed.
In this level another step has been added. After submitting your new password and the correct captcha, you have to confirm your choice by submitting another form:
Again, if you check the parameters of this second request, you can notice a new field called passed_captcha set to
Now if you merge both requests and apply the same method seen in the first level, you can change your password with only one request:
As usual the highest level is well configured and cannot be bypassed.
The check is done within only one step by calling the method
Also note how the SQL query is protected from injection with
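The following Python sketch is an added example, not code from the challenge: it models the three levels as plain functions so the two bypasses (replaying with step=2, merging the two requests with the passed_captcha flag set by hand) can be run against each one. Handler names, the `req` dict standing in for a parsed POST body, the constructed captcha value and the assumption that passed_captcha is set to "1" are all mine; the SQL helper uses a parameterised query as a stand-in for whatever protection the real level 3 uses.

```python
import sqlite3

# Added example, not the challenge's code. Handler and parameter names are
# assumptions; "req" is the parsed POST body of one HTTP request.

EXPECTED_CAPTCHA = "x7k2p"   # constructed; a real app generates one per session


def make_db():
    """In-memory user table with one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("alice", "oldpass"))
    return conn


def set_password(conn, user, password):
    """Parameterised UPDATE: user input is bound, never spliced into the SQL text."""
    conn.execute("UPDATE users SET password = ? WHERE name = ?", (password, user))


def get_password(conn, user):
    row = conn.execute("SELECT password FROM users WHERE name = ?", (user,)).fetchone()
    return row[0] if row else None


def captcha_ok(req):
    """True only when the submitted captcha matches the server-side expected value."""
    return req.get("captcha") == EXPECTED_CAPTCHA


def level1(conn, req):
    """Level 1: the step number is a client parameter, so step=2 skips the captcha."""
    step = req.get("step", "1")
    if step == "1":
        if not captcha_ok(req):
            return "error: wrong captcha"
        return "captcha ok, resubmit with step=2"   # the real app renders the step-2 form
    if step == "2":
        set_password(conn, req["user"], req["password"])
        return "password changed"
    return "error: unknown step"


def level2(conn, req):
    """Level 2: an extra confirmation form, but 'passed_captcha' (assumed value "1")
    is a client-supplied field, so it can be set by hand in a merged request."""
    step = req.get("step", "1")
    if step == "1":
        if not captcha_ok(req):
            return "error: wrong captcha"
        return "captcha ok, confirm with step=2 and passed_captcha=1"
    if step == "2":
        if req.get("passed_captcha") != "1":
            return "error: captcha not passed"
        set_password(conn, req["user"], req["password"])
        return "password changed"
    return "error: unknown step"


def level3(conn, req):
    """Level 3: captcha check and password change happen in the same request.
    No step or flag comes from the client, so there is nothing to replay or merge."""
    if not captcha_ok(req):
        return "error: wrong captcha"
    set_password(conn, req["user"], req["password"])
    return "password changed"


def run_bypasses():
    """Replay the two attacks from the write-up against each level; return the stored passwords."""
    results = {}
    # Level 1: replay with step=2 and no captcha at all.
    conn = make_db()
    level1(conn, {"step": "2", "user": "alice", "password": "pwned1"})
    results["level1"] = get_password(conn, "alice")
    # Level 2: merge both requests into one and set the flag ourselves.
    conn = make_db()
    level2(conn, {"step": "2", "passed_captcha": "1", "user": "alice", "password": "pwned2"})
    results["level2"] = get_password(conn, "alice")
    # Level 3: the same tricks fail; only a correct captcha changes the password.
    conn = make_db()
    level3(conn, {"step": "2", "passed_captcha": "1", "user": "alice", "password": "pwned3"})
    results["level3_bypass"] = get_password(conn, "alice")
    level3(conn, {"captcha": EXPECTED_CAPTCHA, "user": "alice", "password": "it's ok"})
    results["level3_legit"] = get_password(conn, "alice")
    return results


if __name__ == "__main__":
    print(run_bypasses())
```

Running it shows the first two levels accepting "pwned1" and "pwned2" without any captcha, while level 3 keeps "oldpass" until a correct captcha is supplied; the quote in the final password also goes through the parameterised UPDATE untouched. The general lesson is the same in all three cases: any state that decides whether a check already happened (a step counter, a passed flag) must live on the server, or the check must simply be performed in the request that does the sensitive action.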