
CWE-804 - Guessable CAPTCHA


  • Abstraction: Base
  • Structure: Simple
  • Status: Incomplete
Weakness Name

Guessable CAPTCHA


The product uses a CAPTCHA challenge, but the challenge can be guessed or automatically recognized by a non-human actor.

An automated attacker could bypass the intended protection of the CAPTCHA challenge and perform actions at a higher frequency than humanly possible, such as launching spam attacks. There can be several different causes of a guessable CAPTCHA:

Common Consequences

Scope: Access Control, Other

Impact: Bypass Protection Mechanism, Other

Notes: When authorization, authentication, or another protection mechanism relies on CAPTCHA entities to ensure that only human actors can access certain functionality, then an automated attacker such as a bot may access the restricted functionality by guessing the CAPTCHA.

Related Weaknesses
  • Release Date: 2010-02-16
  • Latest Modification Date: 2023-10-26