[WEB SECURITY] Fake Captcha Protection

Chris Weber (Casaba Security) chris at casabasecurity.com
Tue Apr 29 15:56:28 EDT 2008


You've pointed out a very important design aspect of Captchas - they should prevent replay and reuse attacks.  This should be well-known to app security people.  Although I don't follow your question too well.  Are you asking how many Captchas have been defeated?  I haven't been following too closely but think this might still be a good reference for that:  http://libcaca.zoy.org/wiki/PWNtcha  If you're really asking the number of bad guys who've defeated them, well I know at least two, and might guess 13 total.

Chris
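The replay/reuse point above, worked through as an added example (this is not code from either poster, and it does not describe Ning's actual implementation). It assumes the common "fake" pattern in which the server remembers the expected answer for a challenge but never consumes it, so a single solved challenge can be resubmitted indefinitely. The names CaptchaStore, verify_vulnerable, verify_hardened and replay_demo are hypothetical; the session ids and alphabet are constructed for the demo.

```python
import hmac
import secrets
import time

# Alphabet without look-alike characters (0/O, 1/I/L) for a text CAPTCHA.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"


class CaptchaStore:
    """Server-side record of issued challenges: id -> (answer, issued_at, session_id).

    In a real deployment this would live in the session or a shared cache;
    an in-memory dict is enough to show the replay problem."""

    def __init__(self, ttl_seconds=300):
        self.ttl = ttl_seconds
        self._challenges = {}

    def issue(self, session_id, now=None):
        """Create a challenge for this session. The answer is returned here only so
        the demo can "solve" it; a real server renders it into the image and never
        sends it in a hidden field, cookie or hash the client can replay."""
        cid = secrets.token_urlsafe(16)
        answer = "".join(secrets.choice(ALPHABET) for _ in range(6))
        self._challenges[cid] = (answer, now if now is not None else time.time(), session_id)
        return cid, answer


def verify_vulnerable(store, cid, response):
    """The 'fake protection' pattern: the answer is checked but never removed,
    so the same (cid, response) pair is accepted every time it is resubmitted."""
    rec = store._challenges.get(cid)
    if rec is None:
        return False
    return rec[0] == response.strip().upper()


def verify_hardened(store, cid, response, session_id, now=None):
    """Single-use, time-limited, session-bound verification.

    The challenge is consumed on the first attempt regardless of outcome, which
    defeats both replay of a solved challenge and brute force of an unsolved one."""
    rec = store._challenges.pop(cid, None)
    if rec is None:
        return False
    answer, issued_at, bound_session = rec
    current = now if now is not None else time.time()
    if current - issued_at > store.ttl:
        return False
    # The challenge must be used by the session it was issued to.
    if not hmac.compare_digest(bound_session.encode("utf-8"), session_id.encode("utf-8")):
        return False
    submitted = response.strip().upper().encode("utf-8")
    return hmac.compare_digest(answer.encode("utf-8"), submitted)


def replay_demo(replays=5):
    """Solve one challenge per verifier, then resubmit the same solution `replays`
    times. Returns how many of the replays each verifier accepted."""
    store = CaptchaStore()
    session = "sess-demo"  # constructed session id

    cid, answer = store.issue(session)
    assert verify_vulnerable(store, cid, answer)  # legitimate first use
    vulnerable_hits = sum(verify_vulnerable(store, cid, answer) for _ in range(replays))

    cid, answer = store.issue(session)
    assert verify_hardened(store, cid, answer, session)  # legitimate first use
    hardened_hits = sum(verify_hardened(store, cid, answer, session) for _ in range(replays))

    return {"vulnerable_replays_accepted": vulnerable_hits,
            "hardened_replays_accepted": hardened_hits}


if __name__ == "__main__":
    print(replay_demo())
```

The check that matters is the `pop` in verify_hardened: the challenge is removed before the answer is compared, so a wrong guess burns the challenge and a correct one cannot be submitted twice. Binding the challenge to the session and expiring it closes the remaining reuse paths (solving in one session and spending in another, or stockpiling solved challenges for later).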


-----Original Message-----
From: The Burmese Hacker [mailto:hacker.ak at gmail.com] 
Sent: Tuesday, April 29, 2008 4:29 AM
To: websecurity at webappsec.org
Subject: [WEB SECURITY] Fake Captcha Protection

Hello all

A lot of web sites are using Fake Captcha Protection which can be
defeated by a "Replay" attack.
Recently, I found this hole in Ning.com, a growing social network site.

How many bad guys have defeated those?

Some captcha creation tutorials are also vulnerable to 'Replay' attack.
Newbie developers are mis-using them in their applications.

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]



