Base · Medium

CWE-804: Guessable CAPTCHA

The product uses a CAPTCHA challenge, but the challenge can be guessed or automatically recognized by a non-human actor.

CWE-804 · Base Level · 1 CVE

Description

An automated attacker could bypass the intended protection of the CAPTCHA challenge and perform actions at a higher frequency than humanly possible, such as launching spam attacks. There can be several different causes of a guessable CAPTCHA:

Potential Impact

Scope: Access Control, Other

Technical Impact: Bypass Protection Mechanism, Other

Real-World CVE Examples

CVE ID          Description
CVE-2022-4036   Chain: appointment booking app uses a weak hash (CWE-328) for generating a CAPTCHA, making it guessable (CWE-804)

Taxonomy Mappings

  • WASC: 21 — Insufficient Anti-Automation

Frequently Asked Questions

What is CWE-804?

CWE-804 (Guessable CAPTCHA) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The product uses a CAPTCHA challenge, but the challenge can be guessed or automatically recognized by a non-human actor.

How can CWE-804 be exploited?

Attackers exploit CWE-804 (Guessable CAPTCHA) by solving or predicting the challenge automatically, for example by recognizing an insufficiently distorted image, computing the answer to a machine-readable question, enumerating a small answer space, or recovering the answer from data the page itself exposes (such as a weak hash of it). The result is a bypass of whatever protection mechanism the CAPTCHA was meant to enforce, typically anti-automation or anti-spam controls. This weakness is typically introduced during the Architecture and Design and Implementation phases of software development.

How do I prevent CWE-804?

Design the CAPTCHA so that the answer cannot be derived by a machine: draw challenges from a large answer space using a cryptographically secure random source, apply enough distortion that off-the-shelf recognition fails, and avoid questions (arithmetic, trivia, limited-choice) that a script can compute or look up. Keep the answer, and any hash or encoding of it, strictly server-side; never send it to the client in a hidden field, cookie or URL. Bind each challenge to a single-use, expiring token, rate-limit verification attempts, and verify only on the server. Beyond that, follow secure coding practices, conduct code reviews, and use automated security testing tools (SAST/DAST) to detect this weakness early in the development lifecycle.
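As an added example, written for this page and not taken from the original entry or from the product named in CVE-2022-4036, the following Python shows the weak-hash chain described in the CVE table above (CWE-328 leading to CWE-804) beside a hardened design that follows the prevention advice: the hidden-field layout, the 4-digit code length, the token format and all function names are assumptions.

```python
"""CWE-804 illustration: a CAPTCHA whose answer is recoverable from a weak,
client-visible hash, beside a hardened stateless design.
Illustrative code written for this page; not the code of any product.
The hidden-field layout, 4-digit code length and token format are assumed."""
import hashlib
import hmac
import os
import secrets
import string
import time

CODE_LEN = 4  # assumed: the image shows a 4-digit code, so only 10**4 answers exist


def random_code(length=CODE_LEN):
    """Digits the distorted image would show; secrets avoids a predictable PRNG."""
    return "".join(secrets.choice(string.digits) for _ in range(length))


# --- Weak pattern (CWE-328 -> CWE-804) ------------------------------------
# The server wants stateless verification, so it puts md5(answer) in a hidden
# form field and later compares md5(submitted) against it. Anyone who can read
# the page can invert the hash offline because the answer space is tiny.

def weak_issue_challenge():
    code = random_code()
    hidden_field = hashlib.md5(code.encode()).hexdigest()
    return code, hidden_field  # code -> image; hidden_field -> <input type=hidden>


def weak_verify(hidden_field, submitted):
    return hashlib.md5(submitted.encode()).hexdigest() == hidden_field


def attacker_recover_answer(hidden_field, length=CODE_LEN):
    """Offline brute force over every possible code; no image recognition needed."""
    for n in range(10 ** length):
        guess = f"{n:0{length}d}"
        if hashlib.md5(guess.encode()).hexdigest() == hidden_field:
            return guess
    return None


# --- Hardened pattern -----------------------------------------------------
# Still stateless, but the client only receives nonce|expiry|HMAC_key(nonce,
# expiry, answer). Without the server key the tag cannot be inverted offline,
# the token expires, and each nonce is accepted for exactly one verification
# attempt, so online guessing gets a single try per challenge.

SERVER_KEY = os.urandom(32)   # per-deployment secret, never sent to clients
TTL_SECONDS = 300
_consumed_nonces = set()      # in production: a shared store with expiry


def _tag(nonce, expires, answer):
    msg = f"{nonce}|{expires}|{answer}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def hardened_issue_challenge(now=None):
    code = random_code()
    nonce = secrets.token_hex(16)
    expires = int(now if now is not None else time.time()) + TTL_SECONDS
    token = f"{nonce}|{expires}|{_tag(nonce, expires, code)}"
    return code, token  # code -> image only; token -> hidden field


def hardened_verify(token, submitted, now=None):
    try:
        nonce, expires, tag = token.split("|")
        expires = int(expires)
    except ValueError:
        return False
    if nonce in _consumed_nonces:
        return False
    _consumed_nonces.add(nonce)  # one attempt per challenge, right or wrong
    if (now if now is not None else time.time()) > expires:
        return False
    return hmac.compare_digest(_tag(nonce, expires, submitted), tag)


if __name__ == "__main__":
    code, hidden = weak_issue_challenge()
    print("weak: recovered", attacker_recover_answer(hidden), "== actual", code)
    code, token = hardened_issue_challenge()
    print("hardened: first try", hardened_verify(token, code),
          "replay", hardened_verify(token, code))
```

The weak version fails even though the image itself might resist OCR: the hash is the oracle. The hardened version keeps the same stateless shape, but what the client holds is useless without the server key, and consuming the nonce on every attempt (not only on success) is what stops an attacker from submitting all 10,000 codes against one token.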

What is the severity of CWE-804?

CWE-804 is a Base-level weakness. "Base" describes the entry's level of abstraction within the CWE hierarchy, not a severity rating; CWE itself does not assign severities, and the real impact depends on what the bypassed CAPTCHA was protecting (account creation, login throttling, comment spam, and so on). One real-world CVE (CVE-2022-4036) is listed on this page.