MoBiC-15: search.live.com CAPTCHA bypass
23:46 15.11.2007
The next participant of the project is Live Search’s captcha. Search.live.com is Microsoft's search engine, so it’s a star captcha. Microsoft is a very experienced developer of vulnerable software.
This captcha is used on the Live Search URL Submission page and it is vulnerable to the MustLive CAPTCHA bypass method. I found this Insufficient Anti-automation hole on 01.10.2007.
To bypass the captcha, you need to use the same h and hip values many times (for every post).
Insufficient Anti-automation:
search.live.com CAPTCHA bypass.html
It is a form request (via GET), and here is the pure GET request:
http://search.live.com/docs/submit.aspx?h=MVL5Z&hip=E7EAFBA5A5F9446B84F77CDDBDC2B8B6&url=http://site
This exploit is for educational purposes only.
Moral: never make such unreliable captchas.
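The replay described above stops working once each challenge is single-use on the server. The following is an added example, not code from the original post or from Live Search: it assumes h carries the typed answer and hip identifies the challenge, and the names ChallengeStore, issue_stateless, verify_stateless and accepted are hypothetical.

```python
import hashlib
import hmac
import secrets
import time

KEY = secrets.token_bytes(32)  # server-side secret, constructed for this example
TTL = 120                      # seconds a challenge stays valid (assumed value)

def _tag(answer: str) -> str:
    """Keyed digest of the expected answer, 32 hex characters."""
    mac = hmac.new(KEY, answer.upper().encode(), hashlib.sha256)
    return mac.hexdigest()[:32].upper()

# Weak design: hip is derived from the answer and the server keeps no state,
# so a pair that verified once keeps verifying for every later request.
def issue_stateless(answer: str) -> str:
    return _tag(answer)

def verify_stateless(h: str, hip: str) -> bool:
    return hmac.compare_digest(_tag(h).encode(), hip.encode())

# Hardened design: hip is a random one-time identifier tracked on the server.
class ChallengeStore:
    def __init__(self, clock=time.monotonic):
        self._pending = {}  # hip -> (expected tag, expiry time)
        self._clock = clock

    def issue(self, answer: str) -> str:
        hip = secrets.token_hex(16).upper()
        self._pending[hip] = (_tag(answer), self._clock() + TTL)
        return hip

    def verify(self, h: str, hip: str) -> bool:
        # pop() consumes the challenge on the first attempt, right or wrong,
        # so the same hip can be neither reused nor guessed against twice.
        entry = self._pending.pop(hip, None)
        if entry is None:
            return False
        expected, expiry = entry
        fresh = self._clock() <= expiry
        return fresh and hmac.compare_digest(_tag(h), expected)

def accepted(verify, h: str, hip: str, attempts: int = 5) -> int:
    """Submit the same (h, hip) pair repeatedly; count how many are accepted."""
    return sum(verify(h, hip) for _ in range(attempts))
```

With the stateless verifier every repeated submission is accepted; with the store only the first one is, and a wrong answer also burns the challenge.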