MoBiC-09: opennet.ru CAPTCHA bypass

22:41 09.11.2007

The next participant of the project is the captcha at opennet.ru, which is used on the guestbook page of the site. This is a news site with security-related and other news.

This captcha is vulnerable to the Advanced MustLive CAPTCHA bypass method. I found this Insufficient Anti-automation hole on 04.09.2007.

The Advanced method consists of the main MustLive CAPTCHA bypass method and bypassing of the anti-CSRF protection (referer checking). To bypass the captcha you need to use the same ec and sc values many times (for every post). Note that one captcha image does not work for long, so you need new image-code pairs periodically. To bypass the anti-CSRF protection you need to spoof the referer.

Insufficient Anti-automation:

opennet.ru CAPTCHA bypass.txt

Guys, do not overdo it with this captcha bypass test. This exploit is for educational purposes only.

Moral: never make such insecure captchas.
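
A server-side check that resists the replay described above, as an added example that is not part of the original post or of opennet.ru's code: each challenge is single-use, short-lived and bound to the session rather than to the Referer header. The class and parameter names are hypothetical, and treating the page's ec/sc pair as a challenge identifier plus submitted code is an assumption.

```python
import hmac
import secrets
import time


class OneTimeCaptchaStore:
    """Hypothetical server-side store: each challenge verifies at most once."""

    def __init__(self, ttl_seconds=120, clock=time.monotonic):
        self.ttl = ttl_seconds
        self.clock = clock
        self._pending = {}  # challenge_id -> (answer, session_id, expires_at)

    def issue(self, session_id, answer):
        """Register a challenge; `answer` is the text rendered in the image."""
        challenge_id = secrets.token_urlsafe(16)
        self._pending[challenge_id] = (answer, session_id, self.clock() + self.ttl)
        return challenge_id

    def verify(self, session_id, challenge_id, submitted):
        """Return True at most once per challenge; any attempt consumes it."""
        # pop() removes the entry before any comparison, so a right or a
        # wrong guess both retire the challenge and a replay finds nothing.
        entry = self._pending.pop(challenge_id, None)
        if entry is None:
            return False
        expected, owner, expires_at = entry
        # Binding to the server-side session replaces the Referer check,
        # which the client controls.
        if self.clock() > expires_at or owner != session_id:
            return False
        return hmac.compare_digest(expected.encode(), submitted.encode())


def demo():
    """Constructed scenario: one solve, then replay, wrong session, expiry."""
    now = [0.0]
    store = OneTimeCaptchaStore(ttl_seconds=120, clock=lambda: now[0])
    cid = store.issue("session-A", "k7m2p")
    first = store.verify("session-A", cid, "k7m2p")
    replay = store.verify("session-A", cid, "k7m2p")  # same pair again
    cid2 = store.issue("session-A", "x9q4t")
    other = store.verify("session-B", cid2, "x9q4t")  # different session
    cid3 = store.issue("session-A", "h3w8z")
    now[0] += 121
    late = store.verify("session-A", cid3, "h3w8z")   # past the TTL
    return first, replay, other, late
```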

