Common Weakness Enumeration

A Community-Developed List of Software Weakness Types

CWE List, Individual Dictionary Definition (CWE version 2.11)

CWE-804: Guessable CAPTCHA

Weakness ID: 804
Abstraction: Base
Status: Incomplete
+ Description

Description Summary

The software uses a CAPTCHA challenge, but the challenge can be guessed or automatically recognized by a non-human actor.

Extended Description

An automated attacker could bypass the intended protection of the CAPTCHA challenge and perform actions at a higher frequency than humanly possible, such as launching spam attacks.

There can be several different causes of a guessable CAPTCHA:

  • An audio or visual image that does not have sufficient distortion from the unobfuscated source image.

  • A question generated in a format that can be automatically recognized and solved, such as a math question.

  • A question for which the number of possible answers is limited, such as birth years or favorite sports teams.

  • A general-knowledge or trivia question for which the answer can be looked up in a database, such as country capitals or popular actors.

  • Other data associated with the CAPTCHA may provide hints about its contents, such as an image whose filename contains the word that is used in the CAPTCHA.
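The causes above map onto concrete generator decisions. The following is an added example written for this entry, not code from MITRE or the CWE project; the module, class and function names are hypothetical. It places the pattern the entry warns about (a machine-readable math question with a 19-value answer space and an image filename that embeds the answer) beside a server-side challenge store that draws the answer from a 32-symbol alphabet with a cryptographically secure generator, hands the client only an opaque token, and enforces one-time use, an attempt cap and a time limit. `max_guess_success` gives the bound a reviewer would compute when judging whether a challenge is guessable.

```python
from __future__ import annotations

import hmac
import secrets
import string
import time
from dataclasses import dataclass
from typing import Callable, Dict


# The pattern the entry warns about (constructed illustration): a math question
# in a machine-readable format, an answer space of only 19 values (0..18), and a
# filename that embeds the expected answer.
def weak_math_challenge(a: int, b: int) -> tuple[str, str, str]:
    """Return (image_filename, question_text, expected_answer) for 0 <= a, b <= 9."""
    answer = str(a + b)
    return f"captcha_{answer}.png", f"What is {a} + {b}?", answer


def max_guess_success(answer_space: int, attempts: int) -> float:
    """Upper bound on the chance that `attempts` distinct guesses hit one
    uniformly chosen answer out of `answer_space` possibilities."""
    if answer_space <= 0 or attempts < 0:
        raise ValueError("answer_space must be positive and attempts non-negative")
    return min(attempts, answer_space) / answer_space


@dataclass
class Challenge:
    token: str        # opaque handle the client sees; unrelated to the answer
    answer: str       # expected response, kept server-side only
    issued_at: float
    attempts: int = 0


class CaptchaStore:
    """Server-side store for one-time, time-limited, attempt-limited challenges.

    Rendering and distortion of the image are out of scope here; this class
    covers the answer-space, randomness, hint-leak and verification concerns.
    """

    # 24 letters (O and I dropped) + 8 digits (0 and 1 dropped) = 32 symbols
    ALPHABET = "".join(c for c in string.ascii_uppercase if c not in "OI") + "23456789"

    def __init__(self, length: int = 6, max_attempts: int = 3,
                 ttl_seconds: float = 300.0,
                 clock: Callable[[], float] = time.time) -> None:
        self.length = length
        self.max_attempts = max_attempts
        self.ttl = ttl_seconds
        self.clock = clock
        self._live: Dict[str, Challenge] = {}  # token -> live challenge

    def answer_space(self) -> int:
        return len(self.ALPHABET) ** self.length

    def issue(self) -> Challenge:
        # secrets, not random: a predictable generator makes the answer sequence
        # guessable regardless of the answer space (cf. CWE-330).
        answer = "".join(secrets.choice(self.ALPHABET) for _ in range(self.length))
        token = secrets.token_urlsafe(16)
        challenge = Challenge(token, answer, self.clock())
        self._live[token] = challenge
        return challenge

    def image_filename(self, token: str) -> str:
        """Name the rendered image after the opaque token, never after the answer."""
        return f"captcha_{token}.png"

    def verify(self, token: str, response: str) -> bool:
        challenge = self._live.get(token)
        if challenge is None:
            return False  # unknown, expired, already solved or exhausted
        if self.clock() - challenge.issued_at > self.ttl:
            del self._live[token]
            return False
        challenge.attempts += 1
        ok = hmac.compare_digest(challenge.answer.encode(),
                                 response.strip().upper().encode())
        if ok or challenge.attempts >= self.max_attempts:
            # one-time use: a solved or exhausted challenge cannot be replayed
            del self._live[token]
        return ok


if __name__ == "__main__":
    name, question, answer = weak_math_challenge(3, 4)
    print(f"weak: {name} asks '{question}' and leaks answer {answer}; "
          f"3 guesses succeed with p <= {max_guess_success(19, 3):.3f}")
    store = CaptchaStore()
    ch = store.issue()
    print(f"hardened: {store.image_filename(ch.token)}, answer space {store.answer_space()}; "
          f"3 guesses succeed with p <= {max_guess_success(store.answer_space(), 3):.2e}")
    print("verify correct answer:", store.verify(ch.token, ch.answer.lower()))
    print("replay same token:", store.verify(ch.token, ch.answer))
```

The store keeps the answer only in server memory and keys the image by the token, so neither the URL nor the filename carries a hint. With a 32-symbol alphabet and six positions the answer space is 32^6, so three attempts give a success bound of roughly 2.8e-9, compared with 3/19 for the weak form; the attempt cap and one-time use are what turn that per-challenge bound into a per-request bound.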

+ Time of Introduction
  • Architecture and Design
  • Implementation
+ Applicable Platforms

Technology Classes

Web-Server: (Sometimes)

+ Common Consequences
Access Control

Technical Impact: Bypass protection mechanism; Other

When authorization, authentication, or another protection mechanism relies on CAPTCHA entities to ensure that only human actors can access certain functionality, then an automated attacker such as a bot may access the restricted functionality by guessing the CAPTCHA.

+ Likelihood of Exploit

Medium to High

+ Weakness Ordinalities
(where the weakness exists independent of other weaknesses)
+ Relationships
  • ChildOf Weakness Class 287, Improper Authentication (views: Development Concepts 699; Research Concepts 1000)
  • ChildOf Weakness Class 330, Use of Insufficiently Random Values (views: Development Concepts 699; Research Concepts 1000)
  • ChildOf Category 808, 2010 Top 25 - Weaknesses On the Cusp (view: Weaknesses in the 2010 CWE/SANS Top 25 Most Dangerous Programming Errors 800, primary)
  • ChildOf Weakness Class 863, Incorrect Authorization (views: Development Concepts 699, primary; Research Concepts 1000, primary)
+ Taxonomy Mappings
  • WASC, Node ID 21: Insufficient Anti-Automation
+ References
Web Application Security Consortium. "Insufficient Anti-automation". <>.
+ Content History
  • Submission, 2010-01-15, MITRE Internal CWE Team: New entry to handle anti-automation as identified in WASC.
  • Modification, 2010-06-21, CWE Content Team, MITRE (Internal): updated Common_Consequences
  • Modification, 2011-06-01, CWE Content Team, MITRE (Internal): updated Common_Consequences, Relationships

Page Last Updated: May 05, 2017