[Owasp-testing] Captcha testing

Matteo Meucci matteo.meucci at gmail.com
Tue Jul 22 11:57:02 EDT 2008

Hi Pavol,
I agree, why don't we add a new article, "Testing Captcha", in the
authentication section?
Is it ok for you to write an article?


On Mon, Jul 21, 2008 at 7:40 PM, Pavol Luptak <pavol.luptak at nethemba.com> wrote:
> Hi,
> I am not sure if this is not too specific for the testing guide, but actually
> captcha is widely used and should be properly tested.
> During my penetration tests I revealed some common vulnerabilities in many
> web applications with badly implemented captcha that should be documented
> (and I really don't know if the "testing guide" is a good place):
> - the decoded captcha is encrypted (usually by some "security-by-obscurity"
> "home-made" algorithm) and this value is sent by the client as a hidden field
> (yeah, it's unbelievable, but some web applications really do it this way).
> Often this can be easily decrypted by observing multiple captcha values.
> - even if it is difficult to decrypt the decoded captcha value, many captchas are
> vulnerable to replay attacks (the attacker simply sends old values of the encrypted
> decoded captcha value and the decoded value of this captcha)
> - many captchas don't destroy the session when the correct phrase is entered -
> by reusing the session id of a known captcha it is possible to bypass the
> captcha protected page
> - many captchas can be identified as weak by simple comparison with already
> broken captchas (e.g. http://www.cs.sfu.ca/~mori/research/gimpy/,
> http://libcaca.zoy.org/wiki/PWNtcha, http://www.lafdc.com/captcha/)
> Pavol
> --
> _______________________________________________
> Owasp-testing mailing list
> Owasp-testing at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-testing

Matteo Meucci
OWASP Testing Guide lead
