[Owasp-testing] Captcha testing

Pavol Luptak pavol.luptak at nethemba.com
Mon Jul 21 19:40:12 EDT 2008

I am not sure if this is not too specific for the testing guide, but actually
CAPTCHA is widely used and should be properly tested.

During my penetration tests I revealed some common vulnerabilities in many
web applications with badly implemented CAPTCHAs that should be documented
(and I really don't know if the "testing guide" is a good place):

- the decoded CAPTCHA value is encrypted (usually by some "security-by-obscurity",
"home-made" algorithm) and this value is sent by the client as a hidden field
(yeah, it's unbelievable, but some web applications really do it this way).
Often this can be easily decrypted by observing multiple CAPTCHA values.

- even if it is difficult to decrypt the decoded CAPTCHA value, many CAPTCHAs are
vulnerable to replay attacks (the attacker simply sends the old encrypted value of
the decoded CAPTCHA together with the decoded value of this CAPTCHA)

- many CAPTCHAs don't destroy the session when the correct phrase is entered;
by reusing the session ID of a known CAPTCHA it is possible to bypass the
CAPTCHA-protected page

- many CAPTCHAs can be identified as weak by simple comparison with already
broken CAPTCHAs (e.g. http://www.cs.sfu.ca/~mori/research/gimpy/,
http://libcaca.zoy.org/wiki/PWNtcha, http://www.lafdc.com/captcha/)
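The hidden-field, replay and session-reuse weaknesses described in the post above, as an added example that is not part of the original message: a toy "home-made" hidden-field CAPTCHA whose key is recovered from a single observed solve and whose solved tokens replay indefinitely, beside a server-side, single-use verifier that rejects replays, cross-session reuse and expired challenges. The XOR scheme, its key, the class and function names and the challenge generator are all assumptions chosen for illustration, not the code of any real application.

```python
"""Added example (not from the original post): a weak hidden-field CAPTCHA
verifier next to a server-side single-use one.  Scheme, key and names are
assumptions made for illustration."""
import hmac
import secrets
import time

# Assumed "security by obscurity" secret of the home-made scheme.
HOMEMADE_KEY = b"\x5a\xa5\x3c\xc3\x0f\xf0"


def homemade_encrypt(plaintext: bytes, key: bytes = HOMEMADE_KEY) -> str:
    """Repeating-key XOR, the kind of home-made scheme the post warns about."""
    return bytes(p ^ key[i % len(key)] for i, p in enumerate(plaintext)).hex()


class HiddenFieldCaptcha:
    """Weak: the encrypted answer travels to the client in a hidden field and
    the server keeps no state, so it cannot tell a fresh solve from a replay."""

    def issue(self) -> tuple[str, str]:
        answer = secrets.token_hex(3)              # 6 chars, stands in for the image text
        return answer, homemade_encrypt(answer.encode())   # answer rendered as image only

    def verify(self, hidden: str, answer: str) -> bool:
        return hmac.compare_digest(hidden, homemade_encrypt(answer.encode()))


def recover_key(known_answer: str, hidden: str) -> bytes:
    """One observed (answer, hidden field) pair at least as long as the key
    leaks the whole key: key[i] = answer[i] XOR cipher[i]."""
    cipher = bytes.fromhex(hidden)
    return bytes(c ^ a for c, a in zip(cipher, known_answer.encode()))


def decrypt_with_recovered_key(hidden: str, key: bytes) -> str:
    """XOR is its own inverse, so 'encrypting' the ciphertext yields the answer."""
    return bytes.fromhex(homemade_encrypt(bytes.fromhex(hidden), key)).decode()


class ServerSideCaptcha:
    """Hardened: the answer never leaves the server; it is bound to the session
    and a random challenge id, expires, and is deleted on the first attempt."""

    def __init__(self, ttl: float = 300.0):
        self.ttl = ttl
        self._pending: dict[tuple[str, str], tuple[str, float]] = {}

    def issue(self, session_id: str) -> tuple[str, str]:
        answer = secrets.token_hex(3)
        challenge_id = secrets.token_urlsafe(16)    # the only value sent to the client
        self._pending[(session_id, challenge_id)] = (answer, time.time() + self.ttl)
        return answer, challenge_id

    def verify(self, session_id: str, challenge_id: str, answer: str) -> bool:
        rec = self._pending.pop((session_id, challenge_id), None)   # single use
        if rec is None:
            return False
        expected, expiry = rec
        if time.time() > expiry:
            return False
        return hmac.compare_digest(expected, answer)


def attack_hidden_field() -> dict:
    """Solve one challenge by hand, then decrypt and replay without solving."""
    c = HiddenFieldCaptcha()
    answer1, hidden1 = c.issue()
    key = recover_key(answer1, hidden1)
    answer2, hidden2 = c.issue()
    return {
        "key_recovered": key == HOMEMADE_KEY,
        "decrypted": decrypt_with_recovered_key(hidden2, key) == answer2,
        "replay": c.verify(hidden1, answer1) and c.verify(hidden1, answer1),
    }


def attack_server_side() -> dict:
    """The same moves against the single-use verifier."""
    c = ServerSideCaptcha()
    answer, cid = c.issue("sess-victim")
    first = c.verify("sess-victim", cid, answer)
    a_answer, a_cid = c.issue("sess-attacker")
    expired = ServerSideCaptcha(ttl=-1.0)
    e_answer, e_cid = expired.issue("sess-victim")
    return {
        "first_solve": first,
        "replay": c.verify("sess-victim", cid, answer),
        "other_session": c.verify("sess-victim", a_cid, a_answer),
        "expired": expired.verify("sess-victim", e_cid, e_answer),
    }


if __name__ == "__main__":
    print("weak:", attack_hidden_field())
    print("hardened:", attack_server_side())
```

The weak verifier accepts every replay because it cannot distinguish a captured (hidden field, answer) pair from a fresh solve, and a single known pair exposes the key. The hardened verifier pops the record before checking it, so a wrong or stale submission also burns the challenge; a new CAPTCHA must be issued for the session after any attempt, which is the property the third bullet above asks for.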

