[Owasp-testing] Captcha testing

Pavol Luptak pavol.luptak at nethemba.com
Mon Jul 28 18:10:11 EDT 2008


See https://www.owasp.org/index.php/Testing_for_Captcha

Waiting for your comments.

There are some technical problems with the OWASP web server.
While writing the article I noticed a lot of these messages:

exception 'RuntimeException' with message 'DirectoryIterator::__construct(/nfsn/content/ds-x/public/tmp/) [function.DirectoryIterator---construct]: failed to open dir: No such file or directory' in /opt/owasp/wiki/htdocs/extensions/SpecialWikiFeeds.php:816 Stack trace: #0 /opt/owasp/wiki/htdocs/extensions/SpecialWikiFeeds.php(816): DirectoryIterator->__construct('/nfsn/content/d...') #1 /opt/owasp/wiki/htdocs/extensions/SpecialWikiFeeds.php(793): SpecialWikiFeeds->_getCacheFiles() #2 /opt/owasp/wiki/htdocs/extensions/SpecialWikiFeeds.php(191): SpecialWikiFeeds->_cachePrune() #3 /opt/owasp/wiki/htdocs/extensions/SpecialWikiFeeds.php(903): SpecialWikiFeeds->__construct() #4 [internal function]: wfWikiFeeds() #5 /opt/owasp/wiki/htdocs/includes/Setup.php(287): call_user_func('wfWikiFeeds') #6 /opt/owasp/wiki/htdocs/includes/WebStart.php(102): require_once('/opt/owasp/wiki...') #7 /opt/owasp/wiki/htdocs/index.php(38): require_once('/opt/owasp/wiki...') #8 {main

BTW: from the security perspective it's not a good idea to have such "verbose"
logging :-)

Pavol

On Tue, Jul 22, 2008 at 11:57:02AM -0400, Matteo Meucci wrote:
> Hi Pavol,
> I agree, why not add a new article: "Testing Captcha" in the
> authentication section?
> Is it ok for you to write an article?
> 
> Thanks,
> Mat
> 
> On Mon, Jul 21, 2008 at 7:40 PM, Pavol Luptak <pavol.luptak at nethemba.com> wrote:
> > Hi,
> > I am not sure whether this is too specific for the testing guide, but captcha
> > is actually widely used and should be properly tested.
> >
> > During my penetration tests I revealed some common vulnerabilities in many
> > web applications with badly implemented captchas that should be documented
> > (and I really don't know if the "testing guide" is a good place):
> >
> > - the decoded captcha is encrypted (usually by some "security-by-obscurity"
> > "home-made" algorithm) and this value is sent by the client as a hidden field
> > (yeah, it's unbelievable, but some web applications really do it this way).
> > Often this can be easily decrypted by observing multiple captcha values.
> >
> > - even if it is difficult to decrypt the decoded captcha value, many captchas are
> > vulnerable to replay attacks (the attacker simply sends old values of the encrypted
> > decoded captcha value and the decoded value of this captcha)
> >
> > - many captchas don't destroy the session when the correct phrase is entered;
> > by reusing the session id of a known captcha it is possible to bypass the
> > captcha-protected page
> >
> > - many captchas can be identified as weak by simple comparison with already
> > broken captchas (e.g. http://www.cs.sfu.ca/~mori/research/gimpy/,
> > http://libcaca.zoy.org/wiki/PWNtcha, http://www.lafdc.com/captcha/)
> >
> > Pavol
> > --
> > _______________________________________________
> > Owasp-testing mailing list
> > Owasp-testing at lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/owasp-testing
> >
> 
> 
> 
> -- 
> Matteo Meucci
> OWASP-Italy Chair, CISSP, CISA
> http://www.owasp.org/index.php/Italy
> OWASP Testing Guide lead
> http://www.owasp.org/index.php/Testing_Guide

-- 
_____________________________________________________________________________
[Pavol Luptak, Nethemba s.r.o.] [http://www.nethemba.com] [tel: +42190540052]
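Added example, not part of the thread or of the OWASP article it discusses: a minimal server-side challenge store in Python showing how the three implementation flaws listed in the quoted message (answer carried in a client-side hidden field, replay of an old answer, reuse of a session whose captcha was already solved) are avoided by keeping the expected answer only on the server and consuming each challenge on first use. The class and method names, the TTL and the injectable clock are assumptions for illustration.

```python
import hmac
import secrets
import time


class CaptchaStore:
    """Server-side registry of pending captcha challenges (illustrative, not a library API).

    The client only ever receives an opaque token; the expected answer is never
    encrypted into a hidden field, so there is nothing for a client to decrypt.
    """

    def __init__(self, ttl_seconds=300, now=time.time):
        self._pending = {}        # token -> (session_id, expected answer, expiry time)
        self._ttl = ttl_seconds
        self._now = now           # injectable clock so expiry can be tested

    def issue(self, session_id, answer):
        """Register the answer of a freshly rendered image and return the token for the form."""
        token = secrets.token_urlsafe(16)
        self._pending[token] = (session_id, answer, self._now() + self._ttl)
        return token

    def verify(self, session_id, token, answer):
        """One-time check: the challenge is removed whether or not the answer is right,
        so the same token cannot be replayed and a solved challenge cannot be reused
        to reach the protected page again. The application should additionally
        regenerate its session id after a successful check."""
        entry = self._pending.pop(token, None)
        if entry is None:
            return False                      # unknown, already used or never issued
        bound_session, expected, expires = entry
        if self._now() > expires:
            return False                      # stale challenge
        if not hmac.compare_digest(bound_session.encode(), session_id.encode()):
            return False                      # token was issued to a different session
        # Constant-time comparison; case-insensitive and whitespace-tolerant for usability.
        return hmac.compare_digest(expected.strip().lower().encode(),
                                   answer.strip().lower().encode())
```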