This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Testing for Captcha (OWASP-AT-012)"

From OWASP
Jump to: navigation, search
(WARNING: CAPTCHA is considered to be an ineffective security mechanism - see below!)
(WARNING: Captcha protection is considered to be an ineffective security mechanism!)
Line 4: Line 4:
 
=== WARNING: Captcha protection is considered to be an ineffective security mechanism! ===
 
=== WARNING: Captcha protection is considered to be an ineffective security mechanism! ===
  
Most current used Captcha images can be cracked easily in a fully automated way using many commercial or opensource services. These services are really cheap and provide a simple API for most programming languages.
+
Most current used Captcha images can be easily cracked in a fully automated way using many commercial or opensource services. Commercial services are usually very cheap and provide a simple API for most programming languages.
 
<br>
 
<br>
It is not recommended to use Captcha protection for security-critical applications, in this case it is more suitable to use SMS text messages or OTP tokens instead.
+
'''It is not recommended to use Captcha protection for security-critical applications''', in this case it is more suitable to use SMS text messages or OTP tokens instead.
Therefore Captcha protection can be used against simple attacks only.
 
  
 
== Brief Summary ==
 
== Brief Summary ==

Revision as of 23:59, 17 November 2013

This article is part of the new OWASP Testing Guide v4.

Back to the OWASP Testing Guide v4 ToC:
   https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents
Back to the OWASP Testing Guide Project:
   https://www.owasp.org/index.php/OWASP_Testing_Project


WARNING: Captcha protection is considered to be an ineffective security mechanism!

Most current used Captcha images can be easily cracked in a fully automated way using many commercial or opensource services. Commercial services are usually very cheap and provide a simple API for most programming languages.
It is not recommended to use Captcha protection for security-critical applications, in this case it is more suitable to use SMS text messages or OTP tokens instead.

Brief Summary


CAPTCHA ("Completely Automated Public Turing test to tell Computers and Humans Apart") is a type of challenge-response test used by many web applications to ensure that the response is not generated by a computer.

Description of the Issue


...here: Short Description of the Issue: Topic and Explanation

Black Box testing and example

Testing for Topic X vulnerabilities:
...
Result Expected:
...

References

Whitepapers
...
Tools
...

Retrieved from "https://wiki.owasp.org/index.php?title=Testing_for_Captcha_(OWASP-AT-012)&oldid=163483"