[WEB SECURITY] CAPTCHA vulnerabilities - multiple vendors

systemcracker at gmail.com systemcracker at gmail.com
Sun May 22 17:34:24 EDT 2005

Hi there.

While developing a CAPTCHA script in PHP, I found a serious problem
with my own script that also affects a *large* number of commercial
and free CAPTCHA applications.

Most CAPTCHAs don't destroy the session when the correct phrase is
entered, this enables attackers to re-use a session-id for a known
captcha string, thus allowing multiple form submittals. A list of all
the scripts I could get my hands on, with details of whether they're
vulnerable or not, is given below (taken from

Here's the lowdown:

manual steps:
connect to captcha page
record session ID and captcha plaintext

automated steps:
send session ID and captcha plaintext a number of times, changing the
user data, eg:
POST /vuln_script.php HTTP/1.0
Cookie: PHPSESSID=329847239847238947;
^^^  this is the session id of the page you looked at manually
Content-Length: 49
Connection: close;

name=bob&email=bob at fish.com&captcha=the_plaintext
^^^ this includes the captcha string for the page you looked at manually
the other user data can change on each request

you can then automate hundreds, if not thousands of requests, until
the session expires, at which point you just repeat the manual steps
and then reconnect with a new session id and captcha text.

This is -easy- to fix, here's the vulnerable pseudocode:

if form_submitted and captcha_stored!="" and captcha_sent=captcha_stored then

fixed pseudocode:

if form_submitted and captcha_stored!="" and captcha_sent=captcha_stored then
    captcha_stored=""   (clear the stored phrase so the same session can't pass the check again)

 - it's a one line fix!

tested scripts:
vulnerable (this product has 239 registered users)
http://drupal.org/project/captcha - demo at
http://www.lanapsoft.com/products.html, demo at
vulnerable; haven't tested but looking at code, seems to be:
      if (this.CodeNumberTextBox.Text ==
        // Display an informational message.
        this.MessageLabel.CssClass = "info";
        this.MessageLabel.Text = "Correct!";
doesn't clear session so could reconnect and give same word.
possibly vulnerable; can't get the form to submit even normally!
http://www.puremango.co.uk/cm_freecap_113.php (my own script)
version 1.3 not vulnerable, version 1.2 and below vulnerable
not vulnerable

"only as secure as the weakest link in the chain" springs to mind.

I also managed to automate requests to www.captcha.net's demos, but
having examined the implementation of their system on google, I think
it's only the -demo- that's vulnerable. (I assume google's system is
the one from the CAPTCHA project; it looks very similar)

If anyone wants me to look over their scripts, buzz me and I'll be
more than willing to see if you're vulnerable, and give advice on how
to fix.

Computing tools, PHP code, online tools and more at http://www.puremango.co.uk
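As an added example, not code from the post or from any of the products it lists, here is the vulnerable check beside the single-use one in PHP, the language the post's own script uses. The session is modelled as a plain array so the file runs from the CLI; in a real script that array is `$_SESSION`. Function names and the phrase `x7q2pd` are assumptions made for the demo.

```php
<?php
// Added example: CAPTCHA check that consumes the stored phrase on first use.
// The session is passed in as an array so this runs stand-alone from the
// CLI; in a web script the same code operates on $_SESSION. All names here
// are assumptions, not taken from any product in the post.

// Vulnerable pattern described in the post: the stored phrase survives a
// successful check, so a recorded session id + phrase validates again and
// again until the session expires.
function verify_captcha_vulnerable(array &$session, string $sent): bool
{
    if (!isset($session['captcha']) || $session['captcha'] === '') {
        return false;
    }
    return $sent === $session['captcha'];
}

// Fixed pattern: drop the stored phrase the moment it has been compared,
// so one session id can validate at most once. Clearing on mismatch too is
// a deliberate choice: it also stops repeated guesses against one phrase.
function verify_captcha_fixed(array &$session, string $sent): bool
{
    if (!isset($session['captcha']) || $session['captcha'] === '') {
        return false;
    }
    $stored = $session['captcha'];
    unset($session['captcha']);          // the one-line fix: single use
    return hash_equals($stored, $sent);  // constant-time string compare
}

// Count how many form posts one recorded session/phrase pair gets through
// against a given verifier, which is the behaviour the post describes.
function count_accepted(callable $verify, int $attempts): int
{
    $session = ['captcha' => 'x7q2pd'];  // constructed phrase for the demo
    $accepted = 0;
    for ($i = 0; $i < $attempts; $i++) {
        if ($verify($session, 'x7q2pd')) {
            $accepted++;
        }
    }
    return $accepted;
}

printf("vulnerable: %d of 5 accepted\n", count_accepted('verify_captcha_vulnerable', 5));
printf("fixed:      %d of 5 accepted\n", count_accepted('verify_captcha_fixed', 5));
```

Run with `php captcha_fix.php`: the vulnerable verifier accepts all five posts from the one recorded session, the fixed one accepts only the first. In a real handler, pair the unset with `session_regenerate_id(true)` after a successful submission so the recorded session id itself stops being valid, and generate a fresh phrase only when the form is rendered, never on submission.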

The Web Security Mailing List