[WEB SECURITY] my website captcha broken??
Bil Corry
bil at corry.biz
Sat Jan 31 09:38:40 EST 2009
Luis Matus wrote on 1/31/2009 12:11 AM:
> Perhaps you might have some similar stories that may give me a clue of how
> they did it?
Without seeing your application, it's hard to know, but the biggest mistake I run into is the site using the CAPTCHA doesn't protect against replay attacks -- meaning a human solves it the first time and records what is being sent in the POST request, then automates their solution to send the same parameters, effectively "solving" the same CAPTCHA again and again.
- Bil
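To make the replay problem Bil describes concrete, here is an added Python example (not code from either poster, and not any real CAPTCHA library). It models a server-side verifier in the replayable shape, stores the expected answer per challenge id but never consumes it, beside a one-time version. The attacker step is exactly the one in the post: a human solves the challenge once, the submitted POST parameters are recorded, and the same parameters are sent again. The one-time verifier goes a little beyond the post by also binding the challenge to the session that fetched it and expiring it. The in-memory dict store, the sample answer "7xk2q", the session ids and the five-attempt loop are all constructed for illustration.

```python
import hmac
import secrets
import time


class ReplayableCaptcha:
    """The mistake described in the post: the server stores the expected
    answer per challenge id and checks submissions against it, but never
    consumes the challenge after a correct answer. The same recorded POST
    body therefore verifies again and again."""

    def __init__(self):
        self._answers = {}  # challenge_id -> expected answer (constructed in-memory store)

    def issue(self, answer):
        cid = secrets.token_urlsafe(16)
        self._answers[cid] = answer
        return cid

    def verify(self, cid, submitted):
        expected = self._answers.get(cid)
        return expected is not None and hmac.compare_digest(expected, submitted)


class OneTimeCaptcha:
    """Hardened form: each challenge is single-use, bound to the session
    that fetched it, expires after ttl_seconds, and is consumed even when
    the answer is wrong (so one image cannot be guessed at repeatedly)."""

    def __init__(self, ttl_seconds=300, clock=time.time):
        self._challenges = {}  # cid -> (answer, session_id, issued_at)
        self._ttl = ttl_seconds
        self._clock = clock  # injectable so expiry can be exercised deterministically

    def issue(self, answer, session_id):
        cid = secrets.token_urlsafe(16)
        self._challenges[cid] = (answer, session_id, self._clock())
        return cid

    def verify(self, cid, submitted, session_id):
        # pop() removes the challenge whether or not the answer is right,
        # so a second submission with the same parameters finds nothing
        entry = self._challenges.pop(cid, None)
        if entry is None:
            return False
        answer, owner, issued_at = entry
        if owner != session_id:
            return False
        if self._clock() - issued_at > self._ttl:
            return False
        return hmac.compare_digest(answer, submitted)


def replay_against_vulnerable(attempts=5):
    """Human solves once; attacker resends the recorded POST. Returns how
    many of the submissions the server accepted."""
    captcha = ReplayableCaptcha()
    cid = captcha.issue("7xk2q")  # "7xk2q" is a constructed sample answer
    recorded_post = {"captcha_id": cid, "captcha_answer": "7xk2q"}
    return sum(
        captcha.verify(recorded_post["captcha_id"], recorded_post["captcha_answer"])
        for _ in range(attempts)
    )


def replay_against_one_time(attempts=5):
    """Same attack against the one-time verifier: only the first submission passes."""
    captcha = OneTimeCaptcha()
    cid = captcha.issue("7xk2q", session_id="sess-A")
    recorded_post = {"captcha_id": cid, "captcha_answer": "7xk2q"}
    return sum(
        captcha.verify(recorded_post["captcha_id"], recorded_post["captcha_answer"], "sess-A")
        for _ in range(attempts)
    )


def cross_session_replay():
    """A solved challenge recorded in one session is replayed from another."""
    captcha = OneTimeCaptcha()
    cid = captcha.issue("7xk2q", session_id="sess-A")
    return captcha.verify(cid, "7xk2q", session_id="sess-B")


def expired_challenge():
    """A correct answer submitted after the TTL is rejected."""
    now = [1000.0]
    captcha = OneTimeCaptcha(ttl_seconds=300, clock=lambda: now[0])
    cid = captcha.issue("7xk2q", session_id="sess-A")
    now[0] += 301
    return captcha.verify(cid, "7xk2q", session_id="sess-A")


def wrong_answer_consumes():
    """A wrong guess burns the challenge; the right answer afterwards also fails."""
    captcha = OneTimeCaptcha()
    cid = captcha.issue("7xk2q", session_id="sess-A")
    first = captcha.verify(cid, "wrong", session_id="sess-A")
    second = captcha.verify(cid, "7xk2q", session_id="sess-A")
    return first, second


if __name__ == "__main__":
    print("replayable verifier accepted:", replay_against_vulnerable())
    print("one-time verifier accepted:", replay_against_one_time())
```

The check a practitioner wants from any CAPTCHA integration is the one in replay_against_one_time: the second submission of a recorded, already-accepted POST must fail. If the challenge is looked up in a store but only the answer comparison decides the outcome, the site is in the replayable shape regardless of how hard the image is to read.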
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA