MoBiC-14: cgisecurity.com CAPTCHA bypass

20:40 14.11.2007

The next participant of the project is the CAPTCHA at cgisecurity.com, which is used on the Submit News page and in the Contact Us form on every page of the site. It is a popular security site and it needs a more reliable CAPTCHA.

This is a text CAPTCHA and it is vulnerable to the constant value bypass method. I already wrote about text logical CAPTCHAs; this one is purely textual. I found this Insufficient Anti-automation hole on 19.10.2007.

The constant value bypass method is similar to the MustLive CAPTCHA bypass method (the same value is sent many times). I wrote about this method in the article MoBiC-03: Peter’s Custom Anti-Spam Image CAPTCHA bypass (in that case the CAPTCHA had 10 possible values; this time it has one). Because this CAPTCHA has only one value it can be bypassed trivially: the expected answer never changes, so one answer captured from a single manual submission works for every automated post afterwards. There are many CAPTCHAs vulnerable to this method, image and text; this is a textual one. Robert Auger is a fun guy, he called it “Cheapest CAPTCHA ever” :-) . Indeed it is the cheapest, but it is also insecure.

To bypass the CAPTCHA you send the same “value” parameter many times (once for every post): the same single word works on both the Submit News page and the Contact Us form. The most interesting part is that if you enter an incorrect CAPTCHA, or do not enter one at all, the message still appears to be sent and you see “submission received” :-) (but, as Robert said, he will not receive the message if the CAPTCHA is not entered, so it is better to send the CAPTCHA’s value).
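The bypass and the fix side by side, as an added example that is not part of the original post and not cgisecurity.com’s own code: a Python model of the constant-value check the post describes (including the “submission received” text shown even for a wrong or missing answer), next to a per-session, single-use challenge that defeats the replay. The fixed word, the form field names, the response texts and the class/function names are assumptions; the real answer is not given in the post.

```python
import secrets
import string
from dataclasses import dataclass

# Hypothetical fixed answer (assumption: the post does not give the real word).
CONSTANT_CAPTCHA_ANSWER = "example"


@dataclass
class Outcome:
    shown_to_user: str   # text the page displays to the submitter
    delivered: bool      # whether the message actually reaches the site owner


def vulnerable_submit(form: dict) -> Outcome:
    """Constant-value text CAPTCHA as the post describes it: one fixed word
    for every visitor, every page and every submission. The page always
    reports success; the message is only delivered when the word matches."""
    if form.get("value") == CONSTANT_CAPTCHA_ANSWER:
        return Outcome("Your submission has been received", True)
    # Wrong or missing CAPTCHA: same success text, message silently dropped.
    return Outcome("Your submission has been received", False)


def constant_value_bypass(captured_value: str, submissions: int) -> int:
    """Replay a single answer, captured from one manual submission, on every
    automated post. Returns how many posts were actually delivered."""
    delivered = 0
    for i in range(submissions):
        form = {"name": f"bot{i}", "message": "spam", "value": captured_value}
        delivered += vulnerable_submit(form).delivered
    return delivered


class HardenedCaptcha:
    """Per-session random challenge, stored server side and usable once."""

    def __init__(self) -> None:
        self._pending: dict[str, str] = {}   # session token -> expected answer

    def issue(self) -> tuple[str, str]:
        """Create a challenge. In a real deployment the answer is rendered as an
        image or question, not sent as text; returning it here lets the caller
        play the role of a human solver."""
        token = secrets.token_urlsafe(16)
        answer = "".join(secrets.choice(string.ascii_lowercase) for _ in range(6))
        self._pending[token] = answer
        return token, answer

    def submit(self, form: dict) -> Outcome:
        # pop() makes the challenge single use: a replayed token finds nothing.
        expected = self._pending.pop(str(form.get("token", "")), None)
        given = str(form.get("value", ""))
        if expected is not None and secrets.compare_digest(
            expected.encode(), given.encode()
        ):
            return Outcome("Your submission has been received", True)
        return Outcome("CAPTCHA check failed", False)


def replay_against_hardened(captcha: HardenedCaptcha, submissions: int) -> int:
    """Attacker solves one challenge, then replays token and answer on every
    post. Returns the number of posts delivered (only the first succeeds)."""
    token, answer = captcha.issue()
    delivered = 0
    for _ in range(submissions):
        delivered += captcha.submit({"token": token, "value": answer}).delivered
    return delivered


if __name__ == "__main__":
    print("constant value:", constant_value_bypass(CONSTANT_CAPTCHA_ANSWER, 100), "of 100 delivered")
    print("per-session:   ", replay_against_hardened(HardenedCaptcha(), 100), "of 100 delivered")
```

The point of the hardened variant is not the random answer alone but the server-side `pop()`: even if an attacker solves one challenge by hand, the answer is bound to a token that is consumed on first use, so the “send the same value many times” replay collapses to a single delivered post.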

Insufficient Anti-automation:

cgisecurity.com CAPTCHA bypass.html

Guys, do not overdo it with this CAPTCHA bypass test. This exploit is for educational purposes only.

Moral: never build CAPTCHAs this insecure.

