Testing for Captcha (OWASP-AT-008)

Brief Summary
Captcha ("Completely Automated Public Turing test to tell Computers and Humans Apart") is a type of challenge-response test used by many web applications to ensure that the response is not generated by a computer. Captcha implementations are often vulnerable to various kinds of attacks even if the generated captcha is unbreakable. This section will help you to identify these kinds of attacks and propose possible solutions.

Description of the Issue
"home-made" algorithm) and this value is sent by client as a hidden field    (yeah, it's unbelievable but some web applications really do it in this way). Often this can be easily decrypted by observing of multiple captcha values.   vulnerable to replay attacks (attacker simply send old values of encrypted decoded captcha value and decoded value of this captcha)                     by reusing the session id of a known captcha it is possible to bypass         captcha protected page                                                        broken captchas (e.g. http://www.cs.sfu.ca/~mori/research/gimpy/, http://libcaca.zoy.org/wiki/PWNtcha, http://www.lafdc.com/captcha/)
 * decoded captcha is encrypted (usually by some "security-by-obscurity"
 * even if it is difficult to decrypt decoded captcha value, many captchas are
 * many captchas don't destroy the session when the correct phrase is entered -
 * many captchas can be identified as weak by simple comparison with already