Automating CAPTCHA Solving in Burp Suite

CAPTCHAFORUM

Administrator
https://2captcha.com/h/how-to-bypass-captcha-in-burp-suite

CAPTCHAs are great for stopping bots — but in penetration testing or security research, they can stop you too.
When using Burp Suite for login testing, form validation, or API exploration, hitting a CAPTCHA can mean manually solving it again and again.


With a CAPTCHA solver API, you can turn this repetitive step into an automated process that runs in the background.




Why Integrate a Solver Into Burp Suite?


Instead of pausing your workflow to complete the challenge, Burp can:
  1. Detect when a CAPTCHA is present.
  2. Send the challenge details to an API.
  3. Receive a valid token.
  4. Inject it automatically into the outgoing request.

No more stopping mid-test to click traffic lights.




Core Requirements


Before starting:
  • Install Burp Suite (Community or Pro)
  • Have Python 3 or Jython available
  • Get an account + API key from a CAPTCHA-solving service



The Data You Need to Extract

Most CAPTCHAs (like Google reCAPTCHA v2) rely on two main pieces of information:
  • Sitekey – usually in the HTML as data-sitekey
  • Page URL – the exact address where the CAPTCHA is served

Example from a response in Burp:

<div class="g-recaptcha" data-sitekey="6Lc_aXkUAAAAA..." />
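The extraction step above, as an added example that is not part of the original post: it parses a captured response body with Python's standard HTML parser and lists every element carrying data-sitekey, so attribute order, quoting style, and commented-out markup are handled correctly. The h-captcha and cf-turnstile class names and the data-size check go beyond the reCAPTCHA case shown on the page; the function names, sample body, and sitekeys are constructed for illustration.

```python
from html.parser import HTMLParser

# Widget container class -> CAPTCHA family. "g-recaptcha" is the class shown
# on the page; "h-captcha" and "cf-turnstile" are the container classes used
# by hCaptcha and Cloudflare Turnstile (added here, not from the page).
WIDGET_CLASSES = {
    "g-recaptcha": "reCAPTCHA",
    "h-captcha": "hCaptcha",
    "cf-turnstile": "Turnstile",
}


class _WidgetFinder(HTMLParser):
    """Collects every element that carries a non-empty data-sitekey attribute."""

    def __init__(self):
        super().__init__()
        self.widgets = []

    def handle_starttag(self, tag, attrs):
        attr = {name: (value or "") for name, value in attrs}
        sitekey = attr.get("data-sitekey")
        if not sitekey:
            return
        classes = attr.get("class", "").split()
        family = next((WIDGET_CLASSES[c] for c in classes if c in WIDGET_CLASSES),
                      "unknown")
        self.widgets.append({
            "family": family,
            "sitekey": sitekey,
            "invisible": attr.get("data-size") == "invisible",
        })


def find_captcha_widgets(html, page_url):
    """Return one dict per widget in html, tagged with the URL it was served from."""
    finder = _WidgetFinder()
    finder.feed(html)
    finder.close()
    return [dict(widget, pageurl=page_url) for widget in finder.widgets]


# Constructed sample response body (not captured from a real site).
SAMPLE_BODY = """
<form action="/login" method="post">
  <div data-sitekey='CONSTRUCTED-SITEKEY-0001' class="field g-recaptcha"></div>
  <div class="cf-turnstile" data-sitekey="CONSTRUCTED-SITEKEY-0002" />
</form>
"""

if __name__ == "__main__":
    for widget in find_captcha_widgets(SAMPLE_BODY, "https://example.com/login"):
        print(widget)
```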




Sending the CAPTCHA to the Solver API

Once you have sitekey and pageurl, you can send them to the API.
Here’s a minimal Python example with the 2Captcha API:

Code:
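import time

import requests

API_KEY = 'your_api_key_here'
SITEKEY = '6Lc_aXkUAAAAA...'
PAGEURL = 'https://example.com'

# Create a solving task
task_data = {
    "clientKey": API_KEY,
    "task": {
        "type": "NoCaptchaTaskProxyless",
        "websiteURL": PAGEURL,
        "websiteKey": SITEKEY
    }
}
created = requests.post('https://api.2captcha.com/createTask',
                        json=task_data, timeout=30).json()
task_id = created.get("taskId")
if task_id is None:
    # No taskId in the reply: check the API key and the JSON structure
    raise SystemExit("createTask failed: %s" % created)

# Poll until solved, giving up after 24 attempts (about two minutes)
for _ in range(24):
    time.sleep(5)
    res = requests.post('https://api.2captcha.com/getTaskResult', json={
        "clientKey": API_KEY,
        "taskId": task_id
    }, timeout=30).json()

    if res.get("status") == "ready":
        print("Solved Token:", res["solution"]["gRecaptchaResponse"])
        break
else:
    # The loop ended without a "ready" status
    raise SystemExit("Task %s was not solved in time: %s" % (task_id, res))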




Injecting the Solved Token


Once you get the token:
  • Add it to the request as g-recaptcha-response=<token>
  • If working manually, paste it in Burp Repeater before sending.
  • For full automation, write a small Burp extension that hooks into IHttpListener to add it on the fly.



Compatible CAPTCHA Types


Using the type parameter in the API, you can target:
  • Google reCAPTCHA v2/v3
  • Invisible reCAPTCHA
  • Cloudflare Turnstile
  • Arkose Labs FunCaptcha
  • Amazon CAPTCHA
  • GeeTest, hCaptcha, DataDome, and more



Common Issues & Fixes

  • taskId missing → Check your API key and JSON structure.
  • Stuck in “processing” → Wrong sitekey or unsupported CAPTCHA.
  • API errors → Watch your request headers, limits, and account balance.


Automating CAPTCHA solving inside Burp Suite transforms a tedious, manual step into a smooth, scripted action.
By grabbing the challenge parameters, sending them to the solver API, and injecting the result directly into the request, you can test protected endpoints without breaking your workflow.


It’s not just about speed — it’s about keeping your security testing pipeline uninterrupted and efficient.