[WEB SECURITY] Fake Captcha Protection

Arian J. Evans arian.evans at anachronic.com
Tue Apr 29 17:36:24 EDT 2008


Make that 16, Chris. I had at least three, I think,
unique attackers based upon the differences in
the scripts they ran to defeat the poorly-written
CAPTCHA I had on my website (before I disabled it).

The internet is a really big place, though. There
could be more than 16.

In related news -- is there a good CAPTCHA
how-to guide? We got into a discussion about
this at WhiteHat the other day.

We wrote one a while back at WhiteHat that
I've been trying to dig up, and I remember
Billy Hoffman making some notes about what
a Captcha should do, but I don't think I've
seen a good how-to guide for devs.

WASC should host a guide like this,
since they are so commonly BORKed
beyond usefulness.

-ae


On Tue, Apr 29, 2008 at 12:56 PM, Chris Weber (Casaba Security) <chris at casabasecurity.com> wrote:

> You've pointed out a very important design aspect of Captchas - they
> should prevent replay and reuse attacks.  This should be well-known to app
> security people.  Although I don't follow your question too well.  Are you
> asking how many Captchas have been defeated?  I haven't been following too
> closely but think this might still be a good reference for that:
> http://libcaca.zoy.org/wiki/PWNtcha  If you're really asking the number of
> bad guys who've defeated them, well I know at least two, and might guess 13
> total.
>
> Chris
>
> -----Original Message-----
> From: The Burmese Hacker [mailto:hacker.ak at gmail.com]
> Sent: Tuesday, April 29, 2008 4:29 AM
> To: websecurity at webappsec.org
> Subject: [WEB SECURITY] Fake Captcha Protection
>
> Hello all
>
> A lot of web sites are using Fake Captcha Protection which can be
> defeated by a "Replay" attack.
> Recently, I found this hole in Ning.com, a growing social network site.
>
> How many bad guys have defeated those?
>
> Some captcha creation tutorials are also vulnerable to a 'Replay' attack.
> Newbie developers are misusing them in their applications.
>
>
> ----------------------------------------------------------------------------
> Join us on IRC: irc.freenode.net #webappsec
>
> Have a question? Search The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/
>
> Subscribe via RSS:
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>
>


-- 
Arian J. Evans.

I spend most of my money on motorcycles, mistresses, and martinis. The rest
of it I squander.

ps - Remember to block Finger.
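Chris's quoted point that a CAPTCHA must prevent replay and reuse, as an added example that is not part of the original thread: the replayable pattern (the answer's hash shipped to the client and compared on submit) next to a server-side store of single-use challenges. The class and function names, the in-memory store, the session binding and the 300-second lifetime are assumptions for illustration.

```python
import hashlib
import hmac
import os
import secrets
import time


def weak_issue(answer):
    """Replayable pattern (for contrast): the server sends the answer's hash
    to the client in a hidden field or cookie alongside the image."""
    return hashlib.md5(answer.encode()).hexdigest()


def weak_verify(client_hash, answer):
    """Nothing is consumed server-side, so one solved (hash, answer) pair
    passes every time it is resubmitted."""
    return hashlib.md5(answer.encode()).hexdigest() == client_hash


class CaptchaStore:
    """Single-use CAPTCHA challenges kept server-side (constructed example).
    Each challenge id is random, bound to the issuing session, expires, and
    is deleted on the first verification attempt whether or not it passes."""

    TTL = 300  # seconds a challenge stays valid (assumed value)

    def __init__(self, secret=None):
        self._secret = secret or os.urandom(32)
        self._pending = {}  # challenge_id -> (session_id, answer_tag, expires_at)

    def _tag(self, challenge_id, answer):
        # HMAC so the store never holds plaintext answers; id is mixed in so a
        # tag for one challenge cannot be matched against another.
        msg = f"{challenge_id}:{answer.strip().lower()}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def issue(self, session_id, answer, now=None):
        now = time.time() if now is None else now
        challenge_id = secrets.token_urlsafe(16)
        self._pending[challenge_id] = (session_id, self._tag(challenge_id, answer), now + self.TTL)
        return challenge_id  # the client only ever sees this id plus the image

    def verify(self, session_id, challenge_id, answer, now=None):
        now = time.time() if now is None else now
        entry = self._pending.pop(challenge_id, None)  # consumed on first use
        if entry is None:
            return False  # unknown, already used, or purged: a replay fails here
        bound_session, expected, expires_at = entry
        if now > expires_at or not hmac.compare_digest(bound_session, session_id):
            return False
        return hmac.compare_digest(expected, self._tag(challenge_id, answer))
```

A wrong guess also consumes the challenge, so an attacker cannot keep guessing against the same image; the site simply issues a fresh one.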

