MoBiC-01: learnwpf.com CAPTCHA bypass

22:47 01.11.2007

The Month of Bugs in Captchas has started.

The first participant of the project is the captcha at learnwpf.com. Captcha bypasses belong to the Insufficient Anti-automation class of vulnerabilities, and, as I will show this month, they are widespread.

This captcha is vulnerable to two bypass methods. I found these Insufficient Anti-automation holes on 15.10.2007.

1. Guessing from URL bypass method.

This captcha uses a very simple scheme for generating the text on the image: the image handler receives the text to draw as a GET parameter. The challenge text therefore appears in the page source, inside the image URL, and a program can read the correct answer straight out of the page.

Image: http://learnwpf.com/Captcha.ashx?txt=3XSWC
Answer: 3XSWC

I come across such captchas periodically. This is not a serious type of captcha.

2. MustLive CAPTCHA bypass method.

I will write an article about this method. In short, the same captcha code can be used many times: once a challenge has been solved, the same answer is accepted again for later submissions. This site runs on ASP.NET, so the built-in CSRF protection must be bypassed as well; for that you can reuse the same __VIEWSTATE and __EVENTVALIDATION values together with the captcha answer. This is the Advanced MustLive CAPTCHA bypass method (the main method combined with bypassing the additional CSRF protection).

In this case there is no need for guessing: just use my advanced method to hack this captcha.
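What the two methods look like in code, as an added example that is neither the exploit file linked below nor learnwpf.com's own code: the form HTML is constructed in the shape the post describes (the field names `captcha` and `comment`, the form action and the hidden-field values are assumptions), and `ToyVerifier` is a stand-in for the server side, written only to show why a challenge that is never invalidated can be replayed.

```python
"""Added example: pull the CAPTCHA answer out of the image URL (method 1) and
replay one solved submission against a server that never burns the challenge
(method 2).  Illustration code, not the exploit from the post; the HTML is
constructed and ToyVerifier is an assumed stand-in for an ASP.NET handler."""

import re
from urllib.parse import parse_qs, urlsplit

# Constructed markup in the shape the post describes: the image handler gets
# the challenge text as a GET parameter, and ASP.NET's hidden fields ride
# along with the form.  Field names and values are assumptions.
SAMPLE_FORM_HTML = """
<form method="post" action="/Post.aspx?id=42">
  <input type="hidden" name="__VIEWSTATE" value="/wEPDwULLTExMzk0MjI1MzQPZBYC" />
  <input type="hidden" name="__EVENTVALIDATION" value="/wEWAgKr5tW7AQKM54rGBg==" />
  <img src="http://learnwpf.com/Captcha.ashx?txt=3XSWC" alt="captcha" />
  <input type="text" name="captcha" />
  <textarea name="comment"></textarea>
</form>
"""

IMG_SRC_RE = re.compile(r'<img[^>]+src="([^"]*Captcha\.ashx[^"]*)"', re.I)
HIDDEN_RE = re.compile(
    r'<input[^>]+type="hidden"[^>]+name="([^"]+)"[^>]+value="([^"]*)"', re.I)


def captcha_answer(html):
    """Method 1: the answer is simply the 'txt' query parameter of the image URL."""
    m = IMG_SRC_RE.search(html)
    if not m:
        return None
    return parse_qs(urlsplit(m.group(1)).query).get("txt", [None])[0]


def hidden_fields(html):
    """Collect the ASP.NET hidden fields so the POST carries acceptable state."""
    return dict(HIDDEN_RE.findall(html))


def build_post(html, comment):
    """One solved submission.  Nothing in it is single-use, so the very same
    dict can be sent again and again (method 2)."""
    fields = hidden_fields(html)
    fields["captcha"] = captcha_answer(html)
    fields["comment"] = comment
    return fields


class ToyVerifier:
    """Assumed server side.  It insists that the hidden fields are present
    (modelling the post's observation that captured values keep working) and
    checks the answer against challenges it issued.  With single_use=False a
    solved challenge stays valid forever, which is what the replay relies on."""

    def __init__(self, single_use):
        self.single_use = single_use
        self.live = set()

    def issue(self, text):
        self.live.add(text)
        return "http://learnwpf.com/Captcha.ashx?txt=" + text

    def accept(self, post):
        if "__VIEWSTATE" not in post or "__EVENTVALIDATION" not in post:
            return False
        answer = post.get("captcha")
        if answer not in self.live:
            return False
        if self.single_use:
            self.live.discard(answer)  # burn it so a replay of this POST fails
        return True


def replay_count(single_use, attempts=5):
    """How many copies of one solved POST the verifier accepts."""
    server = ToyVerifier(single_use)
    server.issue("3XSWC")
    post = build_post(SAMPLE_FORM_HTML, "test")
    return sum(server.accept(post) for _ in range(attempts))


if __name__ == "__main__":
    print("answer from URL:", captcha_answer(SAMPLE_FORM_HTML))
    print("accepted replays, challenge never burned:", replay_count(False))
    print("accepted replays, challenge single-use:", replay_count(True))
```

The fix the toy shows is the usual one: the challenge text must never leave the server in readable form, and every issued challenge must be consumed on first use (and ideally bound to the session), so that neither reading the page nor resubmitting a captured form is enough.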

Insufficient Anti-automation:

learnwpf.com CAPTCHA bypass.html

Guys, do not overdo it with this captcha bypass test. Do not post too much at this site. This exploit is for educational purposes only.

Moral: never make such captchas.


9 responses to “MoBiC-01: learnwpf.com CAPTCHA bypass”

  1. JosephCooney says:

    I didn’t write the code learnwpf runs on - it was written by my friend Darren Neimke as part of his “single user blog” project. It is a deliberately naive implementation that (until I was featured on your site) has been very effective in blocking comment spam. Captcha doesn’t have to be very sophisticated to be effective http://www.codinghorror.com/blog/archives/000712.html

  2. MustLive says:

    Joseph

    The captcha at your site is very insecure (it is vulnerable to two bypass methods, as I wrote). So you and Darren need to develop a new, more secure one (or remake the current one). In any case, use only a reliable captcha at your site.

    It was only temporarily that your captcha was effective in blocking spam, until spammers made a solution for your specific captcha or built an advanced bot which bypasses all captchas with such holes. And it will not save you from a direct attack by bad guys. It is a vulnerability if you have no, or poor, anti-automation protection at your site. And I am informing you and the whole Internet community about such vulnerabilities.

    > Captcha doesn’t have to be very sophisticated to be effective

    A captcha must be secure to be effective (against spammers and other bad guys). As I wrote in a comment, there are three types of bypassing: work force, OCR, and insecure implementation (vulnerabilities). In my Month of Bugs in Captchas I am talking only about vulnerabilities in captchas.

    Besides, the captcha at codinghorror.com is vulnerable to the constant values bypass method (this captcha has only one value). They also need a more reliable captcha.

  3. JosephCooney says:

    I look forward to seeing how you go about breaking my new CAPTCHA

  4. MustLive says:

    OK, Joseph, I’ll look at your new captcha.

  5. MustLive says:

    Joseph

    Having looked at your new captcha and tested it, I can state that your captcha is still vulnerable.

    It is good that you remade your captcha. The main aim of my project Month of Bugs in Captchas is to inform web developers and the Internet community about vulnerabilities in captchas, and to push web developers to make more secure captchas (to remake current ones or to make new ones). So you did what you needed to do. And now your captcha is not vulnerable to one of the two bypass methods. But it is still vulnerable.

    As I wrote in my article, your captcha is vulnerable to two methods: the Guessing from URL bypass method and the MustLive CAPTCHA bypass method (Advanced version). You fixed the first bypass method in your captcha, but the second remains. So the same exploit still works (because it was made with the second bypass method). As I wrote, it is better to use not the first method (guessing) but my advanced method to hack this captcha (which is shown in the exploit). And this method easily bypasses your new captcha, like the old one; it is a very effective method.

    So you need a more reliable captcha.

    P.S.

    Joseph, if you continue to say unserious things about me and my site (especially vulgar things, like in your new captcha), I will stop speaking with you, so as to waste neither your time nor mine. So try to be a serious man.

  6. JosephCooney says:

    I’m somewhat suspicious of the level of automation you’re achieving because of the times that these comments were posted - they’re all between 10 and 20 seconds apart. I will totally concede that my previous CAPTCHA implementation was “breakable” (or maybe even broken by design) - for all I know this one could also be, but I think it’s put-up-or-shut-up time for you guys. All I’ve seen from you so far is a link to a form on my site with some pre-populated values (it looks like from the state of the form that it has just attempted an HTTP POST which has failed….funnily enough because of an invalid CAPTCHA). This would be totally trivial in WatiN/R, greasemonkey or whatever. I’d like to see from them one of the following:

    1. a textual description of how either the CAPTCHA can be bypassed altogether, or how the CAPTCHA value can be programmatically determined from the page/cookies/http traffic/phase of the moon/whatever - like “we take this value from the cookie your site sets, do an MD5 hash of it, salt the hash and then smoke it….”
    2. a script that will post comments to my site with no human intervention
    3. 50+ comments on a single page inside of 10 seconds, or some number that would be infeasible for a human to do, originating from a single IP address.

    Unreasonable?

  7. JosephCooney says:

    > Joseph if you continue to talk unserious things about me and my site
    > (especially vulgar things, like in your new captcha), I’ll stop speaking
    > with you - to not waste your time, nor my time. So try to be serious
    > man.

    I assure you I’m taking this seriously - otherwise why would I have taken the time to change my implementation? As for my new CAPTCHA…fsck is a unix command, I can’t imagine what you were thinking about. In all seriousness though, posting spam to my site does annoy me a little. If you’re going to do stuff like that at least expect a little push back.

  8. MustLive says:

    > I assure you I’m taking this seriously

    Joseph, it is good that you are taking this seriously (but it could be more serious). I am glad that you improved your captcha (fixed one of the two vulnerabilities). And as I see, you are interested (slightly, but still interested) in improving your captcha further. So far only four people (including you) of the participants have responded to me (those people who attend more seriously to the security of their sites).

    About the fsck command. It is good that you like this system utility, but the phrase which you used in your new captcha looks provoking to me. So it is better not to use such a phrase.

    > In all seriousness though, posting spam to my site does annoy me a little.

    Man, I was not spamming your site. I only informed you about the hole and made some test posts to test the captcha bypass methods (for the 1st and 2nd versions of the captcha). It is sad to hear that my posts alerting you to the holes in your captcha, and the time I spent informing you, were counted by you as spam. There was no spam activity from my side.

    So before we continue to speak about your captcha, you need to take the following required steps:

    1. Become more serious - this means that you must stop saying unserious things about me and my site (stop blaming me for things which I did not do).

    2. Apologize for blaming me as a spammer - which I am not (I have never been occupied with such activity).

    3. Remove the “fsck phrase” from your new captcha.

    > Unreasonable?

    It is quite possible. But, Joseph, before we continue you need to take the aforesaid required steps. It is better to respect others’ time.

  9. JosephCooney says:

    OK, I take back the spammer part - I don’t know what IP address(es) you’re coming from so I don’t/didn’t know if it was you or not. I’ll remove the fsck thing next time I redeploy my site (which if you can punch a hole in my CAPTCHA will be soon, to remove the capability to leave comments altogether). I don’t see how I can become “more serious”.
