Saturday, August 8, 2009

Hacking CAPTCHA

One way to hack one type of CAPTCHA is as follows:

Assuming the web app sets the CAPTCHA code in a session variable and only checks it for equality, you can use Paros Proxy to trap and alter the CAPTCHA URL in the image tag (assuming, once again, that this is the method used to display the image).

First clear all of the target website's cookies (including session cookies -- still not sure how to do this in IE), then open the target web page form with Paros running and "Trap response" checked in the Trap tab. Then edit or remove the link in the image tag to the CAPTCHA image generator and click Continue. When the page is resolved the CAPTCHA image will appear broken, indicating that the script that produces it was never run for this session and hence no security session variables were set. Finally, leave the CAPTCHA input box empty and submit. If all goes well the form will submit successfully.

The way to protect against this kind of attack is to set another secret session variable in the CAPTCHA script, then check for it in the form validation.
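The check described above, next to the equality-only check it replaces, as an added example that is not code from the original post. The session is modelled as a plain dict, and the names `captcha_script`, `validate_weak`, `validate_hardened`, `captcha_code` and `captcha_issued` are hypothetical; the empty-input rejection and single-use behaviour go one step beyond what the post describes.

```python
import hmac
import secrets

ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"

def captcha_script(session):
    """Stand-in for the image generator; runs only when the browser fetches the image."""
    code = "".join(secrets.choice(ALPHABET) for _ in range(6))
    session["captcha_code"] = code
    session["captcha_issued"] = True  # the extra session variable the post recommends
    return code

def validate_weak(session, submitted):
    """Equality only: a code that was never set and an empty input box compare equal."""
    return session.get("captcha_code", "") == submitted

def validate_hardened(session, submitted):
    """Accept only if the captcha script demonstrably ran for this session."""
    issued = session.pop("captcha_issued", False)
    expected = session.pop("captcha_code", "")  # popped so each code is single use
    if not issued or not expected or not submitted:
        return False
    return hmac.compare_digest(expected.encode(), submitted.encode())

def demo():
    """Run both validators over constructed sessions and return the outcomes."""
    results = {}
    skipped = {}  # constructed: fresh session in which the image was never requested
    results["weak_skipped"] = validate_weak(skipped, "")
    results["hardened_skipped"] = validate_hardened(dict(skipped), "")
    normal = {}  # constructed: session in which the image was fetched normally
    code = captcha_script(normal)
    results["hardened_correct"] = validate_hardened(normal, code)
    results["hardened_replay"] = validate_hardened(normal, code)
    return results

if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```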

(This advice is provided to assist newbie web developers with no guarantees. Malicious hackers and script kiddies are not welcome.)
