[WEB SECURITY] my website captcha broken??

Bil Corry bil at corry.biz
Sat Jan 31 09:38:40 EST 2009


Luis Matus wrote on 1/31/2009 12:11 AM: 
> Perhaps you might have some similar stories that may give me a clue of how
> they did it?

Without seeing your application, it's hard to know, but the biggest mistake I run into is the site using the CAPTCHA doesn't protect against replay attacks -- meaning a human solves it the first time and records what is being sent in the POST request, then automates their solution to send the same parameters, effectively "solving" the same CAPTCHA again and again.


- Bil
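The replay problem Bil describes, as an added example (not code from Bil's reply or from any project): a stateless check that signs the expected answer into the form accepts a recorded submission every time, while a server-side store that issues a random challenge id and consumes it on first verification rejects the replayed POST. The key, answer values and TTL are constructed for the demo.

```python
import hmac, hashlib, secrets, time

SECRET = b"constructed-demo-key"  # assumption: a server-side secret, here hard-coded for the demo

# Weak pattern: the expected answer travels with the form as a signed token and the
# server keeps no state, so the same (token, answer) pair verifies again and again.
def weak_issue(answer: str) -> str:
    return hmac.new(SECRET, answer.encode(), hashlib.sha256).hexdigest()

def weak_verify(token: str, answer: str) -> bool:
    return hmac.compare_digest(token, weak_issue(answer))

# Hardened pattern: each challenge gets a random id stored server-side, expires after
# a TTL, and is deleted on the first verification attempt (right or wrong), so a
# recorded POST cannot be replayed and a wrong guess cannot be retried.
class CaptchaStore:
    def __init__(self, ttl_seconds: int = 300):
        self._pending = {}  # challenge_id -> (expected_answer, expires_at)
        self._ttl = ttl_seconds

    def issue(self, answer: str, now=None) -> str:
        now = time.time() if now is None else now
        cid = secrets.token_urlsafe(16)
        self._pending[cid] = (answer, now + self._ttl)
        return cid

    def verify(self, cid: str, answer: str, now=None) -> bool:
        now = time.time() if now is None else now
        entry = self._pending.pop(cid, None)  # consumed regardless of outcome
        if entry is None:
            return False  # unknown id or already used
        expected, expires_at = entry
        if now > expires_at:
            return False  # stale challenge
        return hmac.compare_digest(expected, answer)

def demo_replay() -> dict:
    """Submit the same recorded (id, answer) pair twice under both schemes."""
    token = weak_issue("x7k2p")
    store = CaptchaStore()
    cid = store.issue("x7k2p")
    return {
        "weak_first": weak_verify(token, "x7k2p"),
        "weak_replay": weak_verify(token, "x7k2p"),          # still accepted
        "hardened_first": store.verify(cid, "x7k2p"),
        "hardened_replay": store.verify(cid, "x7k2p"),       # rejected
    }
```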

