[Owasp-testing] Captcha testing

Matteo Meucci matteo.meucci at gmail.com
Tue Jul 22 11:57:02 EDT 2008


Hi Pavol,
I agree, why don't add a new article: "Testing Capchta" in the
authentication section?
Is it ok for you to write an article?

Thanks,
Mat

On Mon, Jul 21, 2008 at 7:40 PM, Pavol Luptak <pavol.luptak at nethemba.com> wrote:
> Hi,
> I am not sure, if this is not too specific for testing guide, but actually
> captcha is widely used and should be properly tested.
>
> During my penetration tests I revealed some common vulnerabilities in many
> web applications of bad implemented captcha that should be documented
> (and I really don't know if "testing guide" is a good place):
>
> - decoded captcha is encrypted (usually by some "security-by-obscurity"
> "home-made" algorithm) and this value is sent by client as a hidden field
> (yeah, it's unbelievable but some web applications really do it in this way).
> Often this can be easily decrypted by observing of multiple captcha values.
>
> - even if it is difficult to decrypt decoded captcha value, many captchas are
> vulnerable to replay attacks (attacker simply send old values of encrypted
> decoded captcha value and decoded value of this captcha)
>
> - many captchas don't destroy the session when the correct phrase is entered -
> by reusing the session id of a known captcha it is possible to bypass
> captcha protected page
>
> - many captchas can be identified as weak by simple comparison with already
> broken captchas (e.g. http://www.cs.sfu.ca/~mori/research/gimpy/,
> http://libcaca.zoy.org/wiki/PWNtcha, http://www.lafdc.com/captcha/)
>
> Pavol
> --
> _______________________________________________
> Owasp-testing mailing list
> Owasp-testing at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-testing
>



-- 
Matteo Meucci
OWASP-Italy Chair, CISSP, CISA
http://www.owasp.org/index.php/Italy
OWASP Testing Guide lead
http://www.owasp.org/index.php/Testing_Guide


More information about the Owasp-testing mailing list