This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Testing for Captcha (OWASP-AT-012)"

From OWASP
Jump to: navigation, search
(WARNING: CAPTCHA protection is an ineffective security mechanism and should be perceived as a "rate limiting" protection only!)
(Description of the Issue)
Line 23: Line 23:
  
 
== Description of the Issue ==  
 
== Description of the Issue ==  
Despite above-described CAPTCHA weaknesses, it can be still used against:
+
Despite the above-described CAPTCHA weakness, it can be still used against:
  
 
* [https://www.owasp.org/index.php/Testing_for_user_enumeration simple enumeration attacks] (login, registration or password reset forms are often vulnerable to enumeration attacks - without CAPTCHA the attacker can gain valid usernames, phone numbers or any other sensitive information in a short time)
 
* [https://www.owasp.org/index.php/Testing_for_user_enumeration simple enumeration attacks] (login, registration or password reset forms are often vulnerable to enumeration attacks - without CAPTCHA the attacker can gain valid usernames, phone numbers or any other sensitive information in a short time)
 
* automated sending of many GET/POST requests in a short time where it is undesirable (e.g., SMS/MMS/email flooding), CAPTCHA provides a rate limiting function
 
* automated sending of many GET/POST requests in a short time where it is undesirable (e.g., SMS/MMS/email flooding), CAPTCHA provides a rate limiting function
* automated creation/using of the account that should be used only by humans (e.g., creating webmail accounts, stop spamming)
+
* <strike>automated creation/using of the account that should be used only by humans (e.g., creating webmail accounts, stop spamming)</strike>
* automated posting to blogs, forums and wikis, whether as a result of commercial promotion, or harassment and vandalism
+
* <strike>automated posting to blogs, forums and wikis, whether as a result of commercial promotion, or harassment and vandalism</strike>
* any automated attacks that massively gain or misuse sensitive information from the application
+
* <strike>any automated attacks that massively gain or misuse sensitive information from the application</strike>
  
 
== Black Box testing and example ==
 
== Black Box testing and example ==

Revision as of 00:40, 18 November 2013

This article is part of the new OWASP Testing Guide v4.
Back to the OWASP Testing Guide v4 ToC: https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents Back to the OWASP Testing Guide Project: https://www.owasp.org/index.php/OWASP_Testing_Project


WARNING: CAPTCHA protection is an ineffective security mechanism and should be perceived as a "rate limiting" protection only!

Most current used CAPTCHA images can be easily cracked in a fully automated way using many commercial or opensource services. Commercial services are usually very cheap and provide a simple API for most programming languages.
It is not recommended to use CAPTCHA protection for security-critical applications, in this case it is more suitable to use SMS text messages or OTP tokens instead.

Example of Google reCAPTCHA cracked in 7 seconds by commercial automated cracking service:
Image2.jpeg
Price: US¢1.390
Uploaded: Sun Nov 17 20:03:13 2013
Solved: Sun Nov 17 20:03:23 2013
Text: 270 35524452

Most CAPTCHA images can be cracked in 1-15 seconds, therefore CAPTCHA should be perceived as a rate limiting protection only which stops the attacker for a limited amount of time.

Brief Summary


CAPTCHA ("Completely Automated Public Turing test to tell Computers and Humans Apart") is a type of challenge-response test used by many web applications to ensure that the response is not generated by a computer.

Description of the Issue

Despite the above-described CAPTCHA weakness, it can be still used against:

  • simple enumeration attacks (login, registration or password reset forms are often vulnerable to enumeration attacks - without CAPTCHA the attacker can gain valid usernames, phone numbers or any other sensitive information in a short time)
  • automated sending of many GET/POST requests in a short time where it is undesirable (e.g., SMS/MMS/email flooding), CAPTCHA provides a rate limiting function
  • automated creation/using of the account that should be used only by humans (e.g., creating webmail accounts, stop spamming)
  • automated posting to blogs, forums and wikis, whether as a result of commercial promotion, or harassment and vandalism
  • any automated attacks that massively gain or misuse sensitive information from the application

Black Box testing and example

Testing for Topic X vulnerabilities:
...
Result Expected:
...

References

Whitepapers
...
Tools
...