Automation Strategies vs. Captcha Implementation

I was contacted recently by someone looking for assistance in automating a page that uses ReCaptcha. Since there are only two reasons for doing such a thing, application testing and SPAM, I offered the following information.

First off, the purpose of a captcha is to prevent bots/automation from being used to access an application. This means that if you can successfully automate the captcha then that would be a failed test and the captcha application should be replaced with one that hasn’t been beaten.

With that said, the question of how sites that implement captcha can be tested with automation remains. The cynical answer is simply, “you can’t”, but this is neither true nor acceptable. The correct answer is to plan ahead and work with developers to implement a test mode that can be toggled securely. This will allow the automation test environment to bypass the captcha and test the meat of the application, while providing confidence in the security of the production site after manually confirming the integrity of the captcha.

After some thought, the manual testing could be skipped (not recommended) if the test mode was built into the captcha module such that, when enabled, it would always provide the same challenge. This would allow for verifying that the captcha functionality is working while still successfully testing the remainder of the application. The issue with this would be making sure it was not possible to put the captcha into test mode through injections or other trickery in production.

I would be remiss if I didn’t warn my fellow testers that there are methods available for beating captchas such as OCR implementations and some specialized API services. These should be considered when performing your tests and assessing the security of an application. I am not going to promote any of the sites here since I don’t want to make it easier for script kiddies to get their hands on them. They were easy enough to find without my posting links last time I checked.


Software Dance (to the tune of Safety Dance)

We can ship if you want to, We can leave your tests behind.
Cause your tests can’t pass and if they don’t pass, Well they’re no tests of mine

We’ll hide checks where we want to, places where they will never find.
And we can act like we planned it all from the start, leave the real spec far behind

And we can ship

We can ship if you want to, We can leave your tests behind.
Cause your tests can’t pass and if they don’t pass, Well they’re no tests of mine

We’ll hide checks where we want to, places where they will never find.
And we can act like we planned it all from the start, leave the real spec far behind

And we can ship

Francois!

Ah, we can launch when we want to, the code is young and so am I
And we can demo real neat with new tools or a suite
And surprise them with a new UI

We can test if you want to, if we don’t nobody will
And you can test really good and be totally removed
And I can test like an imbecile

We can ship. We can ship. Everything is out of control.
We can ship. We can ship. We’ve committed to the date on the wall.
We can ship. We can ship. Everybody looks at the plans.
We can ship. We can ship. Everybody’s taking a chance.

Software Dance
Oh well, the software dance
Ah yes, the software dance
Software Dance

We can ship if you want to, we’ve got all your tests and mine
As long as we abuse it, we’re never gonna lose it
Everything will work fine!

We can ship if you want to, We can leave your tests behind.
Cause your tests can’t pass and if they don’t pass, Well they’re no tests of mine

We can ship. We can ship. Everything is out of control.
We can ship. We can ship. We’ve committed to the date on the wall.
We can ship. We can ship. Everybody follow the plans.
We can ship. We can ship. Everybody’s taking the chance.

Oh Well the software dance
Ah yes the software dance
Oh well the software dance
Oh well the software dance
Oh yes the software dance
Oh the software dance yeah
Oh it’s the software dance
It’s the software dance
Well it’s the software dance
Oh it’s the software dance
Oh it’s the software dance
Oh it’s the software dance
Oh it’s the software dance