This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Testing for Captcha (OWASP-AT-008)"
(New page: {{Template:OWASP Testing Guide v3}} == Brief Summary == <br>Captcha ("Completely Automated Public Turing test to tell Computers and Humans Apart") is a type of challenge-response test use...) |
|||
Line 2: | Line 2: | ||
== Brief Summary == | == Brief Summary == | ||
− | + | Captcha ("Completely Automated Public Turing test to tell Computers and Humans Apart") is a type of challenge-response test used by many web applications to ensure that the response is not generated by a computer. Captcha implementations are often vulnerable to various kinds of attacks even if the generated captcha is unbreakable. | |
This section will help you to identify these kinds of attacks and propose possible solutions. | This section will help you to identify these kinds of attacks and propose possible solutions. | ||
− | + | ||
== Description of the Issue == | == Description of the Issue == | ||
+ | |||
+ | Implementation of good captcha mechanism can be very efficient against: | ||
+ | |||
+ | * enumeration attacks (login, registration or password reset forms are often vulnerable to this kind of attacks - the attacker can in a short time gain a lot of valid usernames, phone numbers, etc) | ||
+ | * automated sending of many GET/POST requests in a short time even if it is undesirable (e.g. SMS/MMS/email flooding) | ||
+ | |||
+ | (e.g. SMS/MMS/email messages, undesirable | ||
+ | |||
+ | * any automated attacks than gain any sensitive information from the application | ||
+ | |||
+ | Captchas should not use: | ||
+ | |||
+ | * as a CSRF protection (the attacker can still steal the generated captcha nad break it in a real time) | ||
+ | |||
+ | |||
+ | |||
+ | Many image captchas can be identified as weak by simple | ||
+ | |||
<br> | <br> | ||
Revision as of 20:01, 28 July 2008
OWASP Testing Guide v3 Table of Contents
This article is part of the OWASP Testing Guide v3. The entire OWASP Testing Guide v3 can be downloaded here.
OWASP at the moment is working at the OWASP Testing Guide v4: you can browse the Guide here
Brief Summary
Captcha ("Completely Automated Public Turing test to tell Computers and Humans Apart") is a type of challenge-response test used by many web applications to ensure that the response is not generated by a computer. Captcha implementations are often vulnerable to various kinds of attacks even if the generated captcha is unbreakable. This section will help you to identify these kinds of attacks and propose possible solutions.
Description of the Issue
Implementation of good captcha mechanism can be very efficient against:
- enumeration attacks (login, registration or password reset forms are often vulnerable to this kind of attacks - the attacker can in a short time gain a lot of valid usernames, phone numbers, etc)
- automated sending of many GET/POST requests in a short time even if it is undesirable (e.g. SMS/MMS/email flooding)
(e.g. SMS/MMS/email messages, undesirable
- any automated attacks than gain any sensitive information from the application
Captchas should not use:
- as a CSRF protection (the attacker can still steal the generated captcha nad break it in a real time)
Many image captchas can be identified as weak by simple
- decoded captcha is encrypted (usually by some "security-by-obscurity"
"home-made" algorithm) and this value is sent by client as a hidden field (yeah, it's unbelievable but some web applications really do it in this way). Often this can be easily decrypted by observing of multiple captcha values.
- even if it is difficult to decrypt decoded captcha value, many captchas are
vulnerable to replay attacks (attacker simply send old values of encrypted decoded captcha value and decoded value of this captcha)
- many captchas don't destroy the session when the correct phrase is entered -
by reusing the session id of a known captcha it is possible to bypass captcha protected page
- many captchas can be identified as weak by simple comparison with already
broken captchas (e.g. http://www.cs.sfu.ca/~mori/research/gimpy/, http://libcaca.zoy.org/wiki/PWNtcha, http://www.lafdc.com/captcha/)
Black Box testing and example
Gray Box testing and example
References
Definition
http://en.wikipedia.org/wiki/Captcha
Captcha Decoders
PWNtcha - opensource captcha decoder -
http://libcaca.zoy.org/wiki/PWNtcha
Commercial captach decoder - http://www.lafdc.com/captcha/
Papers
Breaking a Visual CAPTCHA - http://www.cs.sfu.ca/~mori/research/gimpy/