Abstract
This research focuses on identifying vulnerabilities in the CAPTCHA implementation of the Damn Vulnerable Web Application (DVWA). We utilize Optical Character Recognition (OCR) with Tesseract, capture internet traffic using OWASP ZAP, and develop Python-based automated scripts to bypass substandard CAPTCHA implementations. Throughout the study, we uncover critical vulnerabilities, including the lack of CAPTCHA verification for sensitive actions such as password changes. We provide a detailed step-by-step analysis of how attackers can exploit these vulnerabilities. We conclude by comparing these weak CAPTCHA methods with more robust alternatives, such as Google reCAPTCHA, and recommend best practices, including server-side validation, CAPTCHA obfuscation, and the implementation of multi-layered security systems. The research employs software tools including Tesseract OCR v5.3, OWASP ZAP 2.12.0, Python 3.10, and DVWA 1.10 on XAMPP.
References
Ousat, Behzad, Esteban Schafir, Duc C. Hoang, Mohammad Ali Tofighi, Cuong V. Nguyen, Sajjad Arshad, Selcuk Uluagac, and Amin Kharraz. "The Matter of Captchas: An Analysis of a Brittle Security Feature on the Modern Web." In Proceedings of the ACM Web Conference 2024: 1835-1846.
Sampaio, Lauren Silva Rolan. "An overview of AI-enabled attacks: concepts, state-of-the-art, and evaluation of prototypes." (2021).
Wang, Junmei, and Xinning Liu. "Research on Software Security Based on DVWA." In 2023 IEEE 3rd International Conference on Electronic Technology, Communication and Information (ICETCI), IEEE, (2023): 38-42.
Idris, Muhammad, Iwan Syarif, and Idris Winarno. "Development of vulnerable web application based on OWASP API security risks." In 2021 International Electronics Symposium (IES), IEEE, (2021): 190-194.
Gaur, Bonika. "Penetration Testing for Web-Applications." PhD diss., Institute of Technology, 2015.
Amankwah, Richard, Jinfu Chen, Patrick Kwaku Kudjo, and Dave Towey. "An empirical comparison of commercial and open‐source web vulnerability scanners." Software: Practice and Experience 50, no. 9 (2020): 1842-1857.
Pinchuk, Alla D., Roman S. Odarchenko, and Oleh O. Polihenko. "Ethical hacking skills development through the PentestHUB platform." (2025).
Buvana, M. "Mitigating Cross-Site Request Forgery Vulnerabilities: Evaluating Current Strategies and Proposing Defense Mechanisms."
Zech, Philipp, Michael Felderer, and Ruth Breu. "Knowledge-based security testing of web applications by logic programming." International Journal on Software Tools for Technology Transfer 21, no. 2 (2019): 221-246.
Oyelakin, Oyetunji, Abel Ofori-Yeboah, Aishat Ganiyu, and Oluwole Oguntoyinbo. "Digital forensics investigations and network security issues in tracking the trails of cybercriminals." In 2024 International Conference on Electrical and Computer Engineering Researches (ICECER), IEEE, (2024): 1-8.