websecurity@lists.webappsec.org

The Web Security Mailing List


Attacks on unprotected login forms

MustLive
Sat, Apr 30, 2011 5:55 PM

Hello, participants of the Mailing List.

In my article Attacks on unprotected login forms
(http://websecurity.com.ua/5097/), which I published last week, I wrote
about different attacks on login forms which have no protection against
automated login.

The lack of protection in login forms, captcha in particular, can lead to
different attacks. And not only to Brute Force attacks (WASC-11), which are
a known vulnerability in authentication forms, but also to many other attacks
directed at other vulnerabilities of the site or web application. And for
many years already I have been meeting possibilities for such attacks at
different sites and engines.

If it's possible to protect against Brute Force both with the help of captcha
and with other methods (restricting by IP or temporary blocking of the
account), then in the case of other vulnerabilities, when remote or automated
attacks are conducted, the use of captcha is very relevant.

And because captcha is very rarely used at login forms, this issue is very
widespread on the Internet. At web sites which don't have vulnerabilities in
admin or user accounts it's possible to do without captcha (e.g. I don't use
captcha in the login form at my site, because it's not relevant for me), but
for sites with internal vulnerabilities it's very relevant. Millions of web
sites, many engines and different devices with a web interface (such as
routers, modems and others) are now vulnerable to such attacks.

The lack of protection against automated login (captcha) can be used:

  • For conducting Brute Force attacks.
  • For conducting Login Enumeration attacks - if there are appropriate
    Abuse of Functionality vulnerabilities in login forms, like in MyBB.
  • For conducting XSS attacks - if there are appropriate XSS
    vulnerabilities, like in MyBB.
  • For conducting Redirector attacks - if there are appropriate URL
    Redirector Abuse vulnerabilities, like in MyBB.
  • For conducting CSRF attacks, including at different devices (modems in
    particular). I'll tell soon about such attacks on admin panels of ADSL
    modems.
  • For conducting phishing attacks, when the user's credentials are stolen
    and right away the login into his account takes place (e.g. for stealing
    money from the account). I've already told about the Insufficient
    Anti-automation vulnerability in LiqPAY, which can be used for such
    attacks.
  • For conducting SQL Injection attacks, when there is a regular SQLi or
    blind SQLi vulnerability in the user account, and the exploit needs to log
    in and take data from the DB. In such a case captcha will make life harder
    when using these vulnerabilities.
  • For conducting RCE attacks, when authorization is needed for remote
    command execution. In such a case captcha will make life harder when using
    these vulnerabilities.
  • For conducting Arbitrary File Upload attacks - via appropriate
    vulnerabilities in the user account, like in WordPress. In such a case
    captcha will make life harder when using these vulnerabilities.
  • For conducting Abuse of Functionality attacks - via different AoF
    vulnerabilities in the user account, e.g. those which allow sending spam.
    Like in Drupal and in the Print module for Drupal.

For this it's needed that the captcha is in the login form immediately, and
does not appear only after an unsuccessful authentication attempt, as it is in
MyBB. That leads to the possibility of conducting the mentioned attacks (like
XSS and Redirector attacks in MyBB), because when conducting these attacks the
authentication takes place before the captcha's appearance.

So if there is any of the mentioned vulnerabilities (except for Brute Force,
which can also be fixed by other methods), the captcha in the login form can
come in handy - as the main, or as an additional protection. Especially if
any vulnerabilities can't be fixed, as in the case of AoF when they are
important functionality of the site.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
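The ordering point in the post (captcha shown only after a failed attempt versus captcha required from the first request) and the per-IP/per-account blocking it mentions, as an added Python example; this is not code from the original post or from MyBB, Drupal or any other engine named in it. The user table, captcha store, lockout threshold and redirect handling are constructed stand-ins so the script runs offline.

```python
"""Login gate ordering: captcha only after a failure vs. captcha from the
first request. Added example, not code from the original post or from MyBB;
user table, captcha store and redirect handling are constructed stand-ins.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

_SALT = b"constructed-salt"  # constructed; real code uses a per-user salt and a slow KDF


def _pw_hash(password: str) -> str:
    return hashlib.sha256(_SALT + password.encode()).hexdigest()


# Constructed user table: username -> salted password hash.
USERS: Dict[str, str] = {"alice": _pw_hash("correct horse")}

# Constructed captcha store: challenge id -> expected answer (each single use).
CAPTCHAS: Dict[str, str] = {"c1": "7x3k", "c2": "m9qp"}


def safe_redirect(target: Optional[str]) -> str:
    """Allow only a same-site relative path; anything else falls back to '/'.
    This closes the URL Redirector abuse the post lists, independently of captcha."""
    if target and target.startswith("/") and not target.startswith("//"):
        return target
    return "/"


@dataclass
class Result:
    stage: str               # gate at which the request stopped
    authenticated: bool
    redirect: Optional[str] = None


class LoginHandler:
    def __init__(self, captcha_always: bool, max_failures: int = 5) -> None:
        self.captcha_always = captcha_always    # False models the MyBB-style behaviour
        self.max_failures = max_failures        # per-account temporary lockout
        self.failures: Dict[str, int] = {}
        self.captchas = dict(CAPTCHAS)          # per-handler copy so challenges stay single use
        self.audit: List[Tuple[str, str]] = []  # (username, stage) for detection review

    def _captcha_ok(self, form: Dict[str, str]) -> bool:
        expected = self.captchas.pop(form.get("captcha_id", ""), None)  # consumed on use
        return expected is not None and hmac.compare_digest(expected, form.get("captcha", ""))

    def _password_ok(self, username: str, password: str) -> bool:
        stored = USERS.get(username)
        if stored is None:
            _pw_hash(password)  # hash anyway so timing does not reveal unknown users
            return False
        return hmac.compare_digest(stored, _pw_hash(password))

    def _stop(self, user: str, stage: str, ok: bool, redirect: Optional[str] = None) -> Result:
        self.audit.append((user, stage))
        return Result(stage, ok, redirect)

    def login(self, form: Dict[str, str]) -> Result:
        user = form.get("username", "")
        fails = self.failures.get(user, 0)
        if fails >= self.max_failures:
            return self._stop(user, "locked", False)
        # Weak policy: captcha is demanded only once this account has a failure on
        # record, so an automated first attempt reaches the password check and
        # everything that runs after it (redirect handling, post-login actions).
        if (self.captcha_always or fails > 0) and not self._captcha_ok(form):
            return self._stop(user, "captcha", False)
        if not self._password_ok(user, form.get("password", "")):
            self.failures[user] = fails + 1
            return self._stop(user, "password", False)
        self.failures.pop(user, None)
        return self._stop(user, "authenticated", True, safe_redirect(form.get("redirect")))


def first_attempt_stages() -> Dict[str, str]:
    """Where a scripted first submission with valid credentials and no captcha
    stops under each policy."""
    form = {"username": "alice", "password": "correct horse", "redirect": "//evil.example/"}
    return {
        "captcha_after_failure": LoginHandler(captcha_always=False).login(form).stage,
        "captcha_always": LoginHandler(captcha_always=True).login(form).stage,
    }


if __name__ == "__main__":
    print(first_attempt_stages())
    # {'captcha_after_failure': 'authenticated', 'captcha_always': 'captcha'}
```

The `audit` list records the gate at which each request stopped, which is what a detection rule would key on: a burst of requests from one source that all stop at `captcha` is automation being refused, while the same burst stopping at `password` or `authenticated` under the weak policy would show no sign of a challenge at all.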
