Bypass the basic math Captcha

When I’m looking for the code of simple Captcha for my personal project, I found this solution:

The idea of this Captcha is simple, user needs to input the correct value of basic calculating: A+B

Simple Captcha Code with PHP - Mozilla Firefox 2016-06-02 01.34.38
But from the view points of tester, I asked myself: How can I bypass and break it?

I’m looking into the source code of demo Captcha site and there are some useful information there, with supporting of Selenium WebDriver I can make it very easy. Here’s my step:


– With web admin and developer: Do not use this simple way to protect your website from flooding or spam.
– From hacker side: Can use this way or something similar to bypass the Captcha.
– For tester: View the source code (front-end) and make a decision what you can test.

Malicious redirect & bypass “Redirect Notice” at

The last few months, when I’m working around with “Open Redirect” vulnerability, I found something interesting that a hacker can bypass confirmation page and redirect the user to the malicious website by using the domain.

1. My site:
2. Redirect to other site by using domain:[URL]

Display: Redirect Notice

Redirect Notice - Mozilla Firefox 2016-05-23 23.47.41
So how can I bypass this form and redirect the user to my page without any confirmation message?

3. Bypass the confirmation page:[URL]&usg=[Code]*

* See the below video to know how can I get the Code. The full URL will be:

With this URL, the hacker can redirect the user to malicious site or phishing.

I have reported this issue to Google but they think that this is an not a security vulnerability: “Our take on this is that tooltips are not a reliable security indicator, and can be tampered with in many ways; so, we invest in technologies to detect and alert users about phishing and abuse, but we generally hold that a small number of properly monitored redirectors offers fairly clear benefits and poses very little practical risk.”

In the next email they said that: “We consider this issue as working as intended, but thanks for letting us know”.

I think the confirmation page “Redirect Notice” should be displayed to help the user know where they are going to. It’s a risk for sometimes.

Text injection on form

Đây là một lỗi khá thú vị, nó có thể được dùng để khai thác và đánh lừa người dùng (phishing).


Đầu tiên mình sẽ không nhập Username, Password và bấm Log in thì xuất hiện thông báo lỗi như bên dưới.

Odnoklassniki - Mozilla Firefox 2016-05-21 23.43.29

Chú ý lên URL thì thấy có dạng sau:

Thay đổi dòng “” bằng một nội dung khác.

Kết quả.

Odnoklassniki - Mozilla Firefox 2016-05-21 23.46.32