Summary by mewtw0
Step 1
Start creating a user. The captcha screen will then appear. Have Burp Suite ready to proxy the request at this point. Enter the correct captcha and catch the request; the username and other information come with the token. Then forward the request and you will see the captcha request. Inspect the POST using the Do intercept feature. For a successful request, the JSON shows the text true together with the token. Save it somewhere.
Step 2
Try to create a user again with a different name and surname, so the token will also change. Enter the wrong captcha and catch the request. Forward the first request; on the next page the captcha will appear. Display the response with the Do intercept feature, and the server will say that the captcha is wrong. Edit this request as in the previous JSON so that it says true, check the token, and send the request; the captcha will be bypassed. Continue the registration flow and the account will be created successfully despite the wrong captcha being provided. The vulnerability here is actually that the call to finalize the registration didn't have the proper session check.
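The root cause named above, shown as an added example that is not code from the report or from the affected application: a finalize call that only checks that a session exists, beside one that requires a captcha result recorded server-side for that session. All names here (`SESSIONS`, `start_registration`, `verify_captcha`, `finalize_weak`, `finalize_checked`) are hypothetical, and the in-memory store is an assumption standing in for real session storage.

```python
import hmac
import secrets

# Constructed in-memory session store (assumption); a real application
# would use its framework's server-side session storage.
SESSIONS = {}

def start_registration(expected_captcha):
    """Open a registration session holding the captcha answer and its state."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"expected": expected_captcha, "captcha_ok": False}
    return sid

def verify_captcha(sid, answer):
    """Record the captcha outcome on the server; each challenge is single-use."""
    session = SESSIONS.get(sid)
    if session is None or session["expected"] is None:
        return False
    ok = hmac.compare_digest(session["expected"].encode(), answer.encode())
    session["expected"] = None      # burn the challenge whether right or wrong
    session["captcha_ok"] = ok      # the only place this flag is ever set
    return ok

def finalize_weak(sid):
    """Flawed: completes registration for any known session, so whatever the
    client was shown (or edited) about the captcha result does not matter."""
    return sid in SESSIONS

def finalize_checked(sid):
    """Hardened: completes registration only if this session passed the captcha."""
    session = SESSIONS.get(sid)
    if session is None or not session["captcha_ok"]:
        return False
    del SESSIONS[sid]               # one account per verified session
    return True
```

With the hardened finalizer, changing the captcha response in transit alters only what the browser displays; the server's own record for the session still says the captcha failed.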