As I understand your situation, a POST request sends both the "text" and the "hash" to the CAPTCHA server. This then uses whatever hash function they use to hash your text, checks to see if it matches the hash, and decides whether or not you succeeded. Presumably, the server sends you the image, as well as the hash, and then you enter the text.
As such, if you figured out the hashing function, you'd have completely broken this CAPTCHA system: All you would need to do is hash any string using their hashing function, and then when sending your POST request, ignore the hash they sent you and merely send them your computed text and hash pair. Thus, you could very easily automate successfully passing the CAPTCHA challenge.
To illustrate how difficult "reversing" the hash might be, consider the following hash that they very well might use:
- Split the TEXT up alternating letters: thus ABCDE becomes ACE and BD
- md5 the two halves using salts "fj49w0utw4a" and "r8h3wlsd"
  - md5("fj49w0utw4a"."ACE") is 115c05f0e5300f958ba01caa64b989f
  - md5("r8h3wlsd"."BD") is 74eecae86ef46382eb95443a1b1fa8f5
- Take every 3rd char of the first string and every 4th char of the second, and alternate them until you have 15 chars
  - 115c05f0e5300f958ba01caa64b989f becomes 55e09b1ab9
  - 74eecae86ef46382eb95443a1b1fa8f5 becomes e8425af5
- Final hash value for "ABCDE": 5e58e40295ba1fa
There is really no way you are ever going to reverse engineer that.
UPDATE
Note that CAPTCHAs as described above (and implemented on that site) are extremely insecure, as they only require one valid text/hash combination to be known.
To demonstrate, use Firebug or equivalent and navigate to the CAPTCHA area of the form. We will be editing some hidden values.
- Change the form[captcha_url] value from https://pokec.azet.sk/sluzby/system/captcha/[somehash] to https://pokec.azet.sk/sluzby/system/captcha/ee2be1f239e5d17
- Change the form[captcha_hash] value from [somehash] to ee2be1f239e5d17
- Regardless of what the picture says, type "P22KD" for the CAPTCHA
There are several ways to mitigate this vulnerability. As Tangrs suggested, you can store the hash value in a session variable so that it cannot be manipulated by the client. Less elegant but also effective is to store the submitted CAPTCHA in a database and not allow duplicate CAPTCHAs, as is implemented on the link in the question. This is fine, until you start running out of unused CAPTCHAs and end up getting collisions.
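The session-variable mitigation described above, sketched in Python next to the stateless check it replaces. This is an added example, not code from the original answer or from the site; `site_hash`, `SessionCaptcha`, the salt and the 5-minute lifetime are assumptions.

```python
import hashlib
import hmac
import secrets
import time

TTL_SECONDS = 300            # assumed challenge lifetime
SALT = "constructed-salt"    # stand-in; the real site's hash function is unknown


def site_hash(text):
    """Placeholder for whatever hash the CAPTCHA server applies to the text."""
    return hashlib.md5((SALT + text).encode()).hexdigest()[:15]


def stateless_verify(text, client_hash):
    """Weak design: text and hash both arrive from the client, no server state."""
    return hmac.compare_digest(site_hash(text), client_hash)


class SessionCaptcha:
    """Hardened design: the expected answer lives only in server-side state."""

    def __init__(self, clock=time.monotonic):
        self._pending = {}   # session_id -> (expected_text, expires_at)
        self._clock = clock

    def issue(self, session_id):
        """Create a challenge and return the text to render as an image."""
        alphabet = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
        text = "".join(secrets.choice(alphabet) for _ in range(5))
        self._pending[session_id] = (text, self._clock() + TTL_SECONDS)
        return text  # goes into the image only, never into a form field

    def verify(self, session_id, submitted):
        """Check the answer and consume the challenge, pass or fail."""
        entry = self._pending.pop(session_id, None)  # pop makes it single-use
        if entry is None:
            return False
        expected, expires_at = entry
        if self._clock() > expires_at:
            return False
        return hmac.compare_digest(expected.encode(), submitted.upper().encode())
```

Because `verify` consumes the challenge on every attempt, a failed guess forces a new image, and no form field carries anything the server later trusts.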