Extending Burp Suite to solve reCAPTCHA


By extending Burp Suite and integrating it with a CAPTCHA-solving farm, you can automate the bypassing of CAPTCHA within all Burp tools, seamlessly replacing every CAPTCHA with its correct solution. This post shows how I've extended Burp and integrated it with the DeathByCaptcha API to solve reCAPTCHA.

Several services exist for decoding CAPTCHA. DeathByCaptcha seems pretty good, and from initial tests I'm seeing a 99.7% accuracy rate (with reCAPTCHA at least). The premise of most of these services is simple: upload your CAPTCHA to the API and poll for a response until it has been solved by someone at the other end. DeathByCaptcha currently charges $13.90 per 10,000 solutions. The API is a simple REST interface and it normally takes only a few seconds to decode the image.

The concept

Burp Extender allows you to hook and modify all HTTP responses before they are used by any of the tools in the Burp Suite. The idea behind the Burp Extender extension I've written is to intercept all of the HTTP responses, examine them for the reCAPTCHA script and replace the input fields with the solution from DeathByCaptcha. This will effectively turn reCAPTCHA into a nonce or one-time-token which Burp 1.4 macros can easily handle in a similar way to CSRF tokens.

How it works

I've chosen reCAPTCHA as the target because it's widely used. It also has the advantage that the solution can be validated directly against Google's servers, so you can check that the solution is correct before you post it to the target domain. The general structure of my Burp extension looks like this:

[Figure: Burp extender flow chart]

To summarize the above, the main steps are:

  • Extract the reCAPTCHA site key from the intercepted server response; site keys match the expression 6[A-Za-z\-_]{39}
  • Use the site key to request the iframe that contains a link to a CAPTCHA image.
  • Extract the reCAPTCHA JPEG location and the reCAPTCHA challenge field from the iframe HTML source.
  • Post the JPEG to DeathByCaptcha for solving.
  • Post the solution to the iframe location.
  • Obtain the challenge response from the reply to the previous post and modify the initial HTTP response so that it contains the challenge/response codes.

Compiling

To compile, ensure you have the Java SDK installed and issue the following commands:

javac.exe BurpExtender.java
jar.exe -cf BurpExtender.jar BurpExtender.class

This should generate a BurpExtender.jar file in the working directory.

Running

The extension takes two command-line arguments: the username and password for the DeathByCaptcha API (so if you want to run the extension you'll need to sign up to the service). To run the extension, make sure the jar is located in the same directory as Burp Suite and run:

java -Xmx512m -classpath "*" burp.StartBurp "myusername" "mypassword"

When you now browse through the Burp Proxy to sites such as http://www.google.com/recaptcha/learnmore you should see the reCAPTCHA replaced with a challenge and response input box. The API can generally take anywhere from 5 to 20 seconds to translate the CAPTCHA, and the page will not load while this is happening. Once it has decoded the image you should see something similar to the below:

[Figure: Before / After - when browsing through the Burp Proxy]

The code isn't pretty - it's been hacked together - it's more proof of concept. There isn't a great deal of error handling and, not being a Java developer, I may have used entirely the wrong methods in certain places.

Download the reCAPTCHA Burp Extension here