[WEB SECURITY] my website captcha broken??

Wayne Lee wayne_lee72 at hotmail.com
Sat Jan 31 15:48:39 EST 2009

Determine if the captcha is "broken" or if the implementation is broken. For implementation, what is the mechanism used to ID the captcha on the client side/server side? Perhaps use a guid to id the captcha. When the captcha is generated server side you can store the guid in the db while sending it down to the client. With every solve attempt you retrieve and delete the captcha guid from the db. This would prevent replay attacks against the captcha. To determine if the captcha has been "broken" or ocr'd you will need to store solve times and log them. If you determine that you're being ocr'd then increase the captcha complexity. You can block IPs in the interim but that would be a temporary patch until you get to the root of the problem. The problem might not be the captcha at all and could be an error at the application level. My experience with recaptcha is that it's user friendly but not as effective as increasing the complexity of your own captcha. It's pretty forgiving if you enter a few incorrect character values. It drops a cookie to store the number of attempts you've made and increases the complexity accordingly. The problem with it being that a spammer can delete this cookie with each attempt.

Wayne

2009/1/31 Luis Matus <matus.investiga at gmail.com>
I need some advice. I work for a company that provides sms service online from our web site. The website uses captcha but somehow hackers have been able to break the captcha or work around it, because they (hackers) have created a web capable to send sms through our website.

I know they're using our web site because we can see their website server IP in our database logs. Do you have any pointers of how could the problem be addressed? Perhaps you might have some similar stories that may give me a clue of how they did it?
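
The single-use GUID and solve-time logging described in the reply above, sketched as an added example that is not part of the original thread. The `CaptchaStore` class, its in-memory dict standing in for the database, the 120-second lifetime and the 2-second "fast solve" cut-off are all assumptions made for illustration.

```python
import hmac
import time
import uuid


class CaptchaStore:
    """In-memory stand-in (assumption) for the db table of outstanding captchas."""

    def __init__(self, clock=time.monotonic, ttl=120.0):
        self._pending = {}    # guid -> (expected answer, issue time)
        self.solve_log = []   # (guid, seconds taken, solved correctly)
        self._clock = clock
        self._ttl = ttl       # assumed lifetime of an unsolved captcha

    def issue(self, answer):
        """Store a new challenge and return the guid sent down to the client."""
        guid = str(uuid.uuid4())
        self._pending[guid] = (answer, self._clock())
        return guid

    def verify(self, guid, response):
        """Check one solve attempt; the guid is consumed whatever the outcome."""
        record = self._pending.pop(guid, None)   # retrieve and delete in one step
        if record is None:
            return False                         # unknown or already-used guid: replay
        answer, issued = record
        elapsed = self._clock() - issued
        ok = elapsed <= self._ttl and hmac.compare_digest(
            answer.encode(), response.encode())
        self.solve_log.append((guid, elapsed, ok))   # solve time kept for review
        return ok

    def fast_solve_ratio(self, threshold=2.0):
        """Share of correct solves quicker than `threshold` seconds (assumed cut-off)."""
        times = [t for _, t, ok in self.solve_log if ok]
        if not times:
            return 0.0
        return sum(t < threshold for t in times) / len(times)
```

A rising `fast_solve_ratio()` is the signal the reply describes for automated solving; with a real database the retrieve-and-delete in `verify` has to be a single atomic statement so two concurrent requests cannot both consume the same guid.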

