[WEB SECURITY] Fake Captcha Protection

Bryan Sullivan bryansul at microsoft.com
Tue Apr 29 20:21:07 EDT 2008


I like Jeremiah’s CAPTCHA effectiveness criteria – is this what you were trying to find?
http://jeremiahgrossman.blogspot.com/2006/09/captcha-effectiveness-test.html

(quoted from the page)
1) Test should be administered where the human and the server are remote over the network.
2) Test should be simple for humans to pass.
* Humans should fail less than 0.1% on the first attempt.
3) Test should be solvable by humans in less than several seconds.
4) Test should only be solvable by the human to which it was presented.
5) Test should be hard for a computer to pass
* Correctly guessing the answer should be less than 1 in 1,000,000, even after 24-hours of analysis.
6) Knowledge of previous test questions, answers, results, or combination thereof should not impact the predictability of following tests.
7) Test should not discriminate against humans with visual or hearing impairments.
8) Test should not possess a geographic, cultural, or language bias.
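Criteria 4 and 6 above, and the replay/reuse point raised further down this thread, come down to one server-side property: a challenge must be usable exactly once, by the session it was issued to, and only before it expires. The following is an added example, not code from this thread or from any of the products it mentions; the class names, the in-memory store and the sample answers are assumptions made for illustration.

```python
import hmac
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple


class ReplayableCaptcha:
    """The weak pattern: the form carries an HMAC of the expected answer and
    the server checks it statelessly. Nothing is invalidated after a success,
    so one solved (tag, answer) pair can be resubmitted indefinitely."""

    def __init__(self, key: bytes):
        self.key = key

    def issue(self, answer: str) -> str:
        # Deterministic tag: same answer, same tag, forever.
        return hmac.new(self.key, answer.encode(), hashlib.sha256).hexdigest()

    def verify(self, tag: str, answer: str) -> bool:
        return hmac.compare_digest(self.issue(answer), tag)


class SingleUseCaptcha:
    """Hardened pattern: random challenge id, answer kept only server-side,
    bound to the issuing session, expiring, and consumed on the first verify
    attempt whether that attempt is right or wrong."""

    def __init__(self, ttl_seconds: int = 300):
        self.ttl = ttl_seconds
        # challenge id -> (expected answer, owning session id, expiry timestamp)
        self._pending: Dict[str, Tuple[str, str, float]] = {}

    def issue(self, answer: str, session_id: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        cid = secrets.token_urlsafe(16)  # unguessable, never derived from the answer
        self._pending[cid] = (answer, session_id, now + self.ttl)
        return cid

    def verify(self, cid: str, answer: str, session_id: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        record = self._pending.pop(cid, None)  # burn the challenge on first use
        if record is None:
            return False  # unknown, already consumed, or replayed
        expected, owner, expiry = record
        if now > expiry or owner != session_id:
            return False  # stale challenge or one issued to a different session
        return hmac.compare_digest(expected.encode(), answer.encode())
```

The `now` parameter exists only so the expiry path can be exercised deterministically; in production it is left as the default.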

From: arian.evans at gmail.com [mailto:arian.evans at gmail.com] On Behalf Of Arian J. Evans
Sent: Tuesday, April 29, 2008 2:36 PM
To: Chris Weber (Casaba Security)
Cc: websecurity at webappsec.org
Subject: Re: [WEB SECURITY] Fake Captcha Protection

Make that 16, Chris. I had at least three, I think,
unique attackers based upon the differences in
the scripts they ran to defeat the poorly-written
CAPTCHA I had on my website (before I disabled it).

The internet is a really big place, though. There
could be more than 16.

In related news -- is there a good CAPTCHA
how-to guide? We got into a discussion about
this at WhiteHat the other day.

We wrote one a while back at WhiteHat that
I've been trying to dig up, and I remember
Billy Hoffman making some notes about what
a Captcha should do, but I don't think I've
seen a good how-to guide for devs.

WASC should host a guide like this,
since they are so commonly BORKed
beyond usefulness.

-ae

On Tue, Apr 29, 2008 at 12:56 PM, Chris Weber (Casaba Security) <chris at casabasecurity.com> wrote:
You've pointed out a very important design aspect of Captchas - they should prevent replay and reuse attacks.  This should be well-known to app security people.  Although I don't follow your question too well.  Are you asking how many Captchas have been defeated?  I haven't been following too closely but think this might still be a good reference for that:  http://libcaca.zoy.org/wiki/PWNtcha  If you're really asking the number of bad guys who've defeated them, well I know at least two, and might guess 13 total.

Chris


-----Original Message-----
From: The Burmese Hacker [mailto:hacker.ak at gmail.com]
Sent: Tuesday, April 29, 2008 4:29 AM
To: websecurity at webappsec.org
Subject: [WEB SECURITY] Fake Captcha Protection

Hello all

A lot of web sites are using Fake Captcha Protection which can be
defeated by a "Replay" attack.
Recently, I found this hole in Ning.com, a growing social network site.

How many bad guys have defeated those?

Some captcha creation tutorials are also vulnerable to a 'Replay' attack.
Newbie developers are misusing them in their applications.

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/

Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]






--
Arian J. Evans.

I spend most of my money on motorcycles, mistresses, and martinis. The rest of it I squander.

ps - Remember to block Finger.