RSS Feed
TwitterBreaking CAPTCHA without OCR
For my own PHP CAPTCHA implementation, click here.
This article details a method I have discovered to bypass CAPTCHA security, without having to use Optical Character Recognition software. It depends on an implementation problem that was quite common among CAPTCHA scripts when I originally published this in May 2005.
Most CAPTCHAs don’t destroy the session when the correct phrase is entered. So by reusing the session id of a known CAPTCHA image, it is possible to automate requests to a CAPTCHA-protected page.
I have tested a number of free and commercial CAPTCHA scripts, and most of them are vulnerable to this method of exploitation. This includes the popular humanVerify solution, and many others.
manual steps:
connect to captcha page
record session ID and captcha plaintext
automated steps:
resend session ID and CAPTCHA plaintext any number of times, changing the user data, eg:
POST /vuln_script.php HTTP/1.0
Cookie: PHPSESSID=329847239847238947;
^^^ this is the session id of the page you looked at manually
Content-Length: 49
Connection: close;
name=bob&email=bob@fish.com&captcha=the_plaintext
^^^ this includes the captcha string for the page you looked at manually
the other user data can change on each request
you can then automate hundreds, if not thousands of requests, until the session expires, at which point you just repeat the manual steps and then reconnect with a new session id and captcha text.
This is easy to fix, here’s the vulnerable pseudocode:
Vulnerable CAPTCHA Scripts
tested scripts: (list taken from wikipedia’s CAPTCHA page)
scripts were first tested during May 2005, and re-tested in August 2005.
————————————————-
humanVerify (Multilingual)
vulnerable (this product has 325 registered users)
————————————————-
drupal Captcha (PHP)
4.4- vulnerable, 4.5+ OK
————————————————-
del.icio.us/register
was vulnerable, fixed after I alerted them
————————————————-
tacs 0.1.2 (PHP)
vulnerable
————————————————-
gotcha (PHP)
vulnerable
UPDATE:
no longer vulnerable
————————————————-
Lanap BotDetect (ASP/ASP.NET)
vulnerable
UPDATE:
no longer seems vulnerable, not 100% sure.
————————————————-
code project CAPTCHA (ASP)
vulnerable
————————————————-
freeCap (my own script) (PHP)
1.3+ not vulnerable
————————————————-
audit (PHP)
not vulnerable
————————————————-
Block AutoSubmit (PHP)
not vulnerable
————————————————-
captchas.net service (python/PHP/PERL)
not vulnerable
————————————————-
“only as secure as the weakest link in the chain” springs to mind.
I also managed to automate requests to www.captcha.net’s demos, but having examined the implementation of their system, I think it’s only the -demo- that’s vulnerable.
I would appreciate info on other vulnerable/not vulnerable scripts, as I only have limited resources.
Another vulnerability that most CAPTCHA scripts have is again in their use of sessions; if you’re on an insecure shared server, any user on that server may have access to everyone else’s session files, so even if your site is totally secure, a vulnerability on any other website hosted on that machine can lead to a compromise of your session data, and hence, your CAPTCHA script. freeCap gets around this by only storing a hash of the CAPTCHA word in the session, thus even if someone can read your session files, they can’t find out what the CAPTCHA word is.
If you would like me to test your CAPTCHA scripts (for free), and give advice on how to protect against this type of attack, please email me at puremango.co.uk@gmail.com. Note that I’m not an OCR expert, and can’t help with anything to do with OCR (sorry!).
Traditional CAPTCHA-breaking software involves using image recognition routines to decode CAPTCHA images. This approach bypasses the need to do any of that, making it easy to hack CAPTCHA images. What’s great though is that it is really simple to fix, which means your scripts and programs have no excuse to be insecure now!
This article details a method I have discovered to bypass CAPTCHA security, without having to use Optical Character Recognition software. It depends on an implementation problem that was quite common among CAPTCHA scripts when I originally published this in May 2005.
Most CAPTCHAs don’t destroy the session when the correct phrase is entered. So by reusing the session id of a known CAPTCHA image, it is possible to automate requests to a CAPTCHA-protected page.
I have tested a number of free and commercial CAPTCHA scripts, and most of them are vulnerable to this method of exploitation. This includes the popular humanVerify solution, and many others.
manual steps:
connect to captcha page
record session ID and captcha plaintext
automated steps:
resend session ID and CAPTCHA plaintext any number of times, changing the user data, eg:
POST /vuln_script.php HTTP/1.0
Cookie: PHPSESSID=329847239847238947;
^^^ this is the session id of the page you looked at manually
Content-Length: 49
Connection: close;
name=bob&email=bob@fish.com&captcha=the_plaintext
^^^ this includes the captcha string for the page you looked at manually
the other user data can change on each request
you can then automate hundreds, if not thousands of requests, until the session expires, at which point you just repeat the manual steps and then reconnect with a new session id and captcha text.
This is easy to fix, here’s the vulnerable pseudocode:
if form_submitted and captcha_stored!=”" and captcha_sent=captcha_stored thenfixed psuedocode:
process_form();
endif:
if form_submitted and captcha_stored!=”" and- it’s a one line fix!
captcha_sent=captcha_stored then
captcha_stored=”";
process_form();
endif:
Vulnerable CAPTCHA Scripts
tested scripts: (list taken from wikipedia’s CAPTCHA page)
scripts were first tested during May 2005, and re-tested in August 2005.
————————————————-
humanVerify (Multilingual)
vulnerable (this product has 325 registered users)
————————————————-
drupal Captcha (PHP)
4.4- vulnerable, 4.5+ OK
————————————————-
del.icio.us/register
was vulnerable, fixed after I alerted them
————————————————-
tacs 0.1.2 (PHP)
vulnerable
————————————————-
gotcha (PHP)
vulnerable
UPDATE:
no longer vulnerable
————————————————-
Lanap BotDetect (ASP/ASP.NET)
vulnerable
UPDATE:
no longer seems vulnerable, not 100% sure.
————————————————-
code project CAPTCHA (ASP)
vulnerable
————————————————-
freeCap (my own script) (PHP)
1.3+ not vulnerable
————————————————-
audit (PHP)
not vulnerable
————————————————-
Block AutoSubmit (PHP)
not vulnerable
————————————————-
captchas.net service (python/PHP/PERL)
not vulnerable
————————————————-
“only as secure as the weakest link in the chain” springs to mind.
I also managed to automate requests to www.captcha.net’s demos, but having examined the implementation of their system, I think it’s only the -demo- that’s vulnerable.
I would appreciate info on other vulnerable/not vulnerable scripts, as I only have limited resources.
Another vulnerability that most CAPTCHA scripts have is again in their use of sessions; if you’re on an insecure shared server, any user on that server may have access to everyone else’s session files, so even if your site is totally secure, a vulnerability on any other website hosted on that machine can lead to a compromise of your session data, and hence, your CAPTCHA script. freeCap gets around this by only storing a hash of the CAPTCHA word in the session, thus even if someone can read your session files, they can’t find out what the CAPTCHA word is.
If you would like me to test your CAPTCHA scripts (for free), and give advice on how to protect against this type of attack, please email me at puremango.co.uk@gmail.com. Note that I’m not an OCR expert, and can’t help with anything to do with OCR (sorry!).
Traditional CAPTCHA-breaking software involves using image recognition routines to decode CAPTCHA images. This approach bypasses the need to do any of that, making it easy to hack CAPTCHA images. What’s great though is that it is really simple to fix, which means your scripts and programs have no excuse to be insecure now!
0 Response to "Breaking CAPTCHA without OCR"
Post a Comment