[WEB SECURITY] my website captcha broken??

Pavol Luptak Pavol.Luptak at nethemba.com
Sat Jan 31 06:52:53 EST 2009


On Sat, Jan 31, 2009 at 12:11:42AM -0600, Luis Matus wrote:
>    I need some advice. I work for a company that provides an online SMS service
>    from our web site. The website uses a CAPTCHA, but somehow hackers have
>    been able to break the CAPTCHA or work around it, because they (the hackers)
>    have created a web application capable of sending SMS through our website.

- definitely use a stronger CAPTCHA and check its strength using
http://www.captchakiller.com/ (it breaks most CAPTCHAs)

- allow only a limited number of SMSes to be sent from one IP address per defined
time period (e.g. 10 SMSes from 1 IP address per day)

- allow only a limited number of SMSes to be sent from one IP subnet (e.g. /24) per
defined time period (e.g. 100 SMSes from one /24 IP subnet per day)

In this scenario attackers can still use some big botnets with many very
different IP addresses and solve very difficult CAPTCHAs, but it will be much
more complicated and they will probably target a different SMS portal :-)

[Pavol Luptak, Nethemba s.r.o.] [http://www.nethemba.com] [tel: +421905400542]
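The two rate limits suggested in the reply (per source IP and per /24 subnet, both over a one-day window) can be implemented as sliding-window counters in front of the SMS-sending handler. The code below is an added example written for this page, not code from the original post or from Nethemba; the class name, the `allow()` interface, the explicit `now` clock parameter and the 203.0.113.0/24 request stream in `simulate()` are all constructed for illustration, while the limits themselves (10 per IP, 100 per /24, per day) are the numbers given in the reply. It also generalizes slightly beyond the post by grouping IPv6 sources by /64 (an assumed choice) and by rejecting unparsable source addresses.

```python
import ipaddress
from collections import defaultdict, deque


class SmsRateLimiter:
    """Sliding-window send counters per source IP and per IP subnet.

    Defaults follow the numbers in the post: 10 SMS per IP per day and
    100 SMS per /24 per day. The current time is passed in explicitly so
    the logic is deterministic and testable; a deployment would pass
    time.time(). The /64 grouping for IPv6 is an assumption, not from the post.
    """

    def __init__(self, per_ip=10, per_subnet=100, window=86400,
                 v4_prefix=24, v6_prefix=64):
        self.per_ip = per_ip
        self.per_subnet = per_subnet
        self.window = window          # seconds
        self.v4_prefix = v4_prefix
        self.v6_prefix = v6_prefix
        # key -> deque of send timestamps that are still inside the window
        self._ip_events = defaultdict(deque)
        self._net_events = defaultdict(deque)

    def _subnet(self, ip):
        prefix = self.v4_prefix if ip.version == 4 else self.v6_prefix
        return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)

    def _prune(self, events, now):
        # Drop timestamps that have aged out of the window (oldest first).
        cutoff = now - self.window
        while events and events[0] <= cutoff:
            events.popleft()

    def allow(self, ip_str, now):
        """Return (allowed, reason). Records the send only when allowed."""
        try:
            ip = ipaddress.ip_address(ip_str)
        except ValueError:
            return False, "invalid-ip"
        ip_events = self._ip_events[ip]
        net_events = self._net_events[self._subnet(ip)]
        self._prune(ip_events, now)
        self._prune(net_events, now)
        if len(ip_events) >= self.per_ip:
            return False, "ip-limit"
        if len(net_events) >= self.per_subnet:
            return False, "subnet-limit"
        ip_events.append(now)
        net_events.append(now)
        return True, "ok"


def simulate():
    """Replay a constructed request stream (documentation range
    203.0.113.0/24) and return tallies of the limiter's decisions."""
    limiter = SmsRateLimiter()
    tally = defaultdict(int)
    # 1) one address submits the form 12 times: 10 pass, 2 hit the per-IP limit
    for _ in range(12):
        tally[limiter.allow("203.0.113.5", now=0)[1]] += 1
    # 2) the same /24 rotates through 191 further hosts, one SMS each: the
    #    subnet already holds 10 sends, so 90 pass and 101 hit the /24 limit
    for host in range(10, 201):
        tally[limiter.allow(f"203.0.113.{host}", now=60)[1]] += 1
    # 3) a host in a different /24 is unaffected
    tally[limiter.allow("198.51.100.7", now=60)[1]] += 1
    # 4) once the 24h window has passed, the first address is allowed again
    tally["after-window"] = limiter.allow("203.0.113.5", now=86400)[0]
    # 5) garbage in the source-address field is refused, not counted
    tally["bad-input"] = limiter.allow("not-an-ip", now=0)[1]
    return dict(tally)


if __name__ == "__main__":
    print(simulate())
```

The per-subnet counter is what defeats the cheapest evasion of a per-IP limit (cycling through neighbouring addresses in one hosting block); as the reply notes, a botnet spread across many unrelated networks still gets through, so this belongs alongside a stronger CAPTCHA rather than replacing it. Because the limiter only keys on the client address, it must be fed the real source IP (not a spoofable header) to be meaningful.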
