Difference between revisions of "Testing for Captcha (OWASP-AT-008)"

Revision as of 15:30, 28 July 2008

This article is part of the OWASP Testing Guide v3. The entire OWASP Testing Guide v3 can be downloaded here.

OWASP is currently working on the OWASP Testing Guide v4; you can browse the Guide here.

Brief Summary

CAPTCHA ("Completely Automated Public Turing test to tell Computers and Humans Apart") is a type of challenge-response test used by many web applications to ensure that the response is not generated by a computer. CAPTCHA implementations are often vulnerable to various kinds of attacks even if the generated CAPTCHA is unbreakable. This section will help you to identify these kinds of attacks and propose possible solutions.

Description of the Issue

Implementation of a good CAPTCHA mechanism can be very effective against:

  • any enumeration attack (login, registration or password reset forms are often vulnerable to this kind of attack; without a CAPTCHA the attacker can gain a lot of valid usernames, phone numbers or other sensitive information in a short time)
  • automated sending of many GET/POST requests in a short time where it is undesirable (e.g. SMS/MMS/email flooding); the CAPTCHA provides a rate-limiting function
  • automated creation or use of accounts that should be used only by humans (e.g. creating webmail accounts for spamming)
  • automated posting to blogs, forums and wikis
  • any automated attack that can gain or misuse sensitive information from the application

Using CAPTCHAs as a CSRF protection is not recommended (because there are stronger CSRF protections).

CAPTCHA implementations are often vulnerable to these common attacks:

  • generated CAPTCHA images are weak; this can be identified (without any complex computer recognition system) simply by comparison with already broken CAPTCHAs (http://www.cs.sfu.ca/~mori/research/gimpy/, http://libcaca.zoy.org/wiki/PWNtcha, http://www.lafdc.com/captcha/)

  • the value of the decoded CAPTCHA is sent by the client (as a GET parameter or as a hidden field of a POST form). This value is often encrypted with a simple algorithm and can easily be decrypted by observing multiple "decoded CAPTCHA" values
  • many CAPTCHA implementations are vulnerable to replay attacks: they do not keep track of which CAPTCHA image ID was sent to the user, so the attacker can simply retrieve an appropriate CAPTCHA image and its ID, solve it, and keep submitting the old ID together with the decoded CAPTCHA value

  • many CAPTCHA implementations do not destroy the session when the correct phrase is entered; by reusing the session ID of a known CAPTCHA it is possible to bypass the CAPTCHA-protected page

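As an added example (not part of the OWASP page or of any CAPTCHA library), a minimal server-side verifier in Python that avoids the three implementation weaknesses listed above: the answer stays on the server instead of being sent to the client in any encoded form, the challenge is bound to the issuing session and to a random challenge ID, and it is consumed on first use so that a replayed ID/answer pair or a reused session fails. The in-memory store, TTL and function names are assumptions for the example.

```python
import hmac
import secrets
import time

# Constructed in-memory store keyed by session ID (assumption for the example;
# a real application would keep this in its server-side session backend).
_challenges = {}          # session_id -> {"id": str, "answer": str, "expires": float}
CHALLENGE_TTL = 300       # seconds a challenge remains valid (assumed value)


def issue_challenge(session_id, answer, now=None):
    """Store the expected answer server-side and return only an opaque
    challenge ID to embed in the form. The client never sees the answer,
    so there is nothing for it to decrypt or to submit unchanged later."""
    now = time.time() if now is None else now
    challenge_id = secrets.token_urlsafe(16)
    _challenges[session_id] = {
        "id": challenge_id,
        "answer": answer,
        "expires": now + CHALLENGE_TTL,
    }
    return challenge_id


def verify_response(session_id, challenge_id, response, now=None):
    """Single-use, session-bound check. The stored challenge is removed
    before any comparison, so a second submission of the same ID and
    answer (replay) or a submission from another session ID fails."""
    now = time.time() if now is None else now
    record = _challenges.pop(session_id, None)   # consume regardless of outcome
    if record is None or now > record["expires"]:
        return False
    # Constant-time comparisons: do not leak which part was wrong via timing.
    id_ok = hmac.compare_digest(record["id"], challenge_id)
    answer_ok = hmac.compare_digest(record["answer"].lower(),
                                    response.strip().lower())
    return id_ok and answer_ok
```

The caller generates the image from `answer` and renders only `challenge_id` in the form; on a failed verification a fresh challenge must be issued, since the old one has been consumed.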
Black Box testing and example

Gray Box testing and example

References

Definition
http://en.wikipedia.org/wiki/Captcha

Captcha Decoders
PWNtcha - open-source CAPTCHA decoder - http://libcaca.zoy.org/wiki/PWNtcha
Commercial CAPTCHA decoder - http://www.lafdc.com/captcha/

Papers
Breaking a Visual CAPTCHA - http://www.cs.sfu.ca/~mori/research/gimpy/