AWG Blogs

Saturday, August 8, 2009

Hacking CAPTCHA

One way to hack one type of CAPTCHA is as follows:

Assuming the web app sets the captcha code in a session variable and assuming it only checks it for equality, you can use Paros Proxy to trap and alter the captcha url in the image tag (assuming, once again, this is the method used to display the image).

First clear all of the target website's cookies (including session cookies -- still not sure how to do this in IE), then open the target web page form with Paros running with "Trap response" checked in the Trap tab. Then edit or remove the link in the image tag to the captcha image generator, then click Continue. When the page is resolved the captcha image will appear broken, indicating the script that produced it never was run for this session and hence no security session variables were set. Finally, leave the captcha input box empty and submit. If all goes well the form will submit successfully.

The way to protect against this kind of attack is to set another secret session variable in the captcha script then check for it in the form validation.

(this advice is provided to assist newbie web developers with no guarantees. Malicious hackers and script kidies are not welcome.)