This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Testing for Captcha (OWASP-AT-012)"

From OWASP
Jump to: navigation, search
(WARNING: Captcha protection is considered to be an ineffective security mechanism!)
(WARNING: Captcha protection is considered to be an ineffective security mechanism!)
Line 5: Line 5:
  
 
Most current used Captcha images can be easily cracked in a fully automated way using many commercial or opensource services. Commercial services are usually very cheap and provide a simple API for most programming languages.
 
Most current used Captcha images can be easily cracked in a fully automated way using many commercial or opensource services. Commercial services are usually very cheap and provide a simple API for most programming languages.
<br>
+
<br/>
 
'''It is not recommended to use Captcha protection for security-critical applications''', in this case it is more suitable to use SMS text messages or OTP tokens instead.
 
'''It is not recommended to use Captcha protection for security-critical applications''', in this case it is more suitable to use SMS text messages or OTP tokens instead.
 +
<br/>
 +
Example of Google reCAPTCHA cracked in 7 seconds by commercial automated cracking service:
 
[[File:Image2.jpeg]]
 
[[File:Image2.jpeg]]
 +
Price: US¢1.390 <br/>
 +
Uploaded: Sun Nov 17 20:03:13 2013 <br/>
 +
Solved: Sun Nov 17 20:03:23 2013 <br/>
 +
'''Text: 270 35524452''' <br/>
  
 
== Brief Summary ==
 
== Brief Summary ==

Revision as of 00:13, 18 November 2013

This article is part of the new OWASP Testing Guide v4.
Back to the OWASP Testing Guide v4 ToC: https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents Back to the OWASP Testing Guide Project: https://www.owasp.org/index.php/OWASP_Testing_Project


WARNING: Captcha protection is considered to be an ineffective security mechanism!

Most current used Captcha images can be easily cracked in a fully automated way using many commercial or opensource services. Commercial services are usually very cheap and provide a simple API for most programming languages.
It is not recommended to use Captcha protection for security-critical applications, in this case it is more suitable to use SMS text messages or OTP tokens instead.
Example of Google reCAPTCHA cracked in 7 seconds by commercial automated cracking service: Image2.jpeg Price: US¢1.390
Uploaded: Sun Nov 17 20:03:13 2013
Solved: Sun Nov 17 20:03:23 2013
Text: 270 35524452

Brief Summary


CAPTCHA ("Completely Automated Public Turing test to tell Computers and Humans Apart") is a type of challenge-response test used by many web applications to ensure that the response is not generated by a computer.

Description of the Issue


...here: Short Description of the Issue: Topic and Explanation

Black Box testing and example

Testing for Topic X vulnerabilities:
...
Result Expected:
...

References

Whitepapers
...
Tools
...