[WEB SECURITY] Fake Captcha Protection

Dave Ferguson gmdavef at gmail.com
Wed Apr 30 11:08:11 EDT 2008


I wrote a simple how-to example for Java developers who use JCaptcha.

http://www.owasp.org/index.php/Using_JCaptcha
http://www.owasp.org/index.php/JCaptcha_servlet_example

-Dave

On Tue, Apr 29, 2008 at 4:36 PM, Arian J. Evans
<arian.evans at anachronic.com> wrote:
> Make that 16, Chris. I had at least three, I think,
> unique attackers based upon the differences in
> the scripts they ran to defeat the poorly-written
> CAPTCHA I had on my website (before I disabled it).
>
> The internet is a really big place, though. There
> could be more than 16.
>
> In related news -- is there a good CAPTCHA
> how-to guide? We got into a discussion about
> this at WhiteHat the other day.
>
> We wrote one a while back at WhiteHat that
> I've been trying to dig up, and I remember
> Billy Hoffman making some notes about what
> a Captcha should do, but I don't think I've
> seen a good how-to guide for devs.
>
> WASC should host a guide like this,
> since they are so commonly BORKed
> beyond usefulness.
>
> -ae
>
>
>
>
> On Tue, Apr 29, 2008 at 12:56 PM, Chris Weber (Casaba Security)
> <chris at casabasecurity.com> wrote:
> > You've pointed out a very important design aspect of Captchas: they
> > should prevent replay and reuse attacks.  This should be well-known to app
> > security people.  Although I don't follow your question too well.  Are you
> > asking how many Captchas have been defeated?  I haven't been following too
> > closely but think this might still be a good reference for that:
> > http://libcaca.zoy.org/wiki/PWNtcha  If you're really asking the number of
> > bad guys who've defeated them, well I know at least two, and might guess 13
> > total.
> >
> > Chris
> >
> >
> >
> >
> >
> > -----Original Message-----
> > From: The Burmese Hacker [mailto:hacker.ak at gmail.com]
> > Sent: Tuesday, April 29, 2008 4:29 AM
> > To: websecurity at webappsec.org
> > Subject: [WEB SECURITY] Fake Captcha Protection
> >
> > Hello all
> >
> > A lot of web sites are using Fake Captcha Protection which can be
> > defeated by "Replay" Attack.
> > Recently, I found this hole in Ning.com, a growing social network site.
> >
> > How many bad guys have defeated those?
> >
> > Some captcha creation tutorials are also vulnerable to 'Replay' attack.
> > Newbie developers are misusing them in their applications.
> >
> >
> > ----------------------------------------------------------------------------
> > Join us on IRC: irc.freenode.net #webappsec
> >
> > Have a question? Search The Web Security Mailing List Archives:
> > http://www.webappsec.org/lists/websecurity/
> >
> > Subscribe via RSS:
> > http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
> >
> >
>
>
>
> --
> --
> Arian J. Evans.
>
> I spend most of my money on motorcycles, mistresses, and martinis. The rest
> of it I squander.
>
> ps - Remember to block Finger.
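As an added illustration of the design point raised above (a CAPTCHA check must not be replayable or reusable), here is a small Python example. It is my own code for this archive, not Dave's JCaptcha write-up and not code from any of the quoted posters; class and function names (CaptchaStore, vulnerable_verify, replay_demo) and the session/answer values are constructed for the demo. It puts the "fake" pattern, where the form carries the expected answer in disguised form and the server merely compares two client-supplied fields, beside a server-side store that keeps each challenge bound to one session, valid for one attempt, and only for a limited time.

```python
import hashlib
import hmac
import secrets
import time

# --- Vulnerable pattern (the "fake" CAPTCHA) ---
# The form carries the expected answer in disguised form (here, a plain SHA-256
# of the answer) and the server just compares the two submitted fields. Nothing
# is remembered server-side, so one valid (answer, digest) pair can be submitted
# again and again, and the digest can be looked up offline for short answers.
def vulnerable_verify(submitted_answer: str, submitted_digest: str) -> bool:
    return hashlib.sha256(submitted_answer.encode()).hexdigest() == submitted_digest


# --- Replay-resistant pattern ---
class CaptchaStore:
    """Server-side record of outstanding challenges; each one can be checked once."""

    def __init__(self, ttl_seconds: float = 300.0, clock=time.time):
        self._pending = {}          # challenge_id -> (session_id, answer, issued_at)
        self.ttl_seconds = ttl_seconds
        self.clock = clock          # injectable so the expiry path can be exercised

    def issue(self, session_id: str, answer: str) -> str:
        """Register a freshly generated answer; return the opaque id to embed in the form."""
        challenge_id = secrets.token_urlsafe(16)   # unguessable, never derived from the answer
        self._pending[challenge_id] = (session_id, answer, self.clock())
        return challenge_id

    def verify(self, session_id: str, challenge_id: str, submitted_answer: str) -> bool:
        # pop() removes the record whether or not the answer is right: one attempt
        # per challenge, so neither a correct nor a wrong guess can be re-submitted.
        record = self._pending.pop(challenge_id, None)
        if record is None:
            return False                        # unknown, already used, or expired
        owner, answer, issued_at = record
        if owner != session_id:
            return False                        # solved in one session, reused from another
        if self.clock() - issued_at > self.ttl_seconds:
            return False                        # stale challenge (solved long ago, submitted now)
        return hmac.compare_digest(answer.lower(), submitted_answer.strip().lower())


def replay_demo() -> dict:
    """Constructed scenario: the same correct answer submitted twice against each design."""
    answer = "k7xq2"                                         # constructed CAPTCHA text
    digest = hashlib.sha256(answer.encode()).hexdigest()     # what the fake CAPTCHA form carries

    now = [1000.0]                                           # fake clock, seconds
    store = CaptchaStore(ttl_seconds=300.0, clock=lambda: now[0])
    cid = store.issue("session-A", answer)
    stale_cid = store.issue("session-A", answer)

    results = {
        "fake_first": vulnerable_verify(answer, digest),
        "fake_replay": vulnerable_verify(answer, digest),        # True: replay accepted
        "store_first": store.verify("session-A", cid, "K7XQ2"),
        "store_replay": store.verify("session-A", cid, "K7XQ2"),  # False: record consumed
    }
    now[0] += 301.0                                          # advance past the TTL
    results["store_expired"] = store.verify("session-A", stale_cid, answer)
    return results


if __name__ == "__main__":
    for name, ok in replay_demo().items():
        print(f"{name:14s} -> {'accepted' if ok else 'rejected'}")
```

Two details carry the weight: the challenge id is random and unrelated to the answer, so the form reveals nothing checkable offline, and the record is deleted on the first verification attempt regardless of outcome, so a correct answer cannot be resubmitted and a wrong guess cannot be retried against the same image. In a real deployment the dictionary would live in the session or a shared cache with the same single-use semantics.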