Websecurity - Веб безпека

Next participant of the project is captcha at thepoorhouse.org.uk. Which is using in comments form at the site.

This is text logical captcha (it’s also ask math question like Math Comment Spam Protection plugin) and it is vulnerable for Content analysis CAPTCHA bypass method. This Insufficient Anti-automation hole I found 20.10.2007.

For bypassing captcha you need to use new captcha_response and captcha_token values for every post. Which can be achieved by using content analysis. This captcha use one-time tokens, so you need new token for every post and it can be retrieved similar to captcha token bypass method. But you also need to answer every time at new captcha, so only new token is not enough. It is one of the most reliable text logical captchas (which I found on current time), but it can be bypassed by content analysis.

In Content analysis CAPTCHA bypass method you retrieve new token and math question for every post. After that math question will be automatically analysed and result will be found. Then captcha answer and token will be used for bypassing. This method is similar to OCR in graphic captchas, but for text ones it’s more simple and effective.

Insufficient Anti-automation:

thepoorhouse.org.uk CAPTCHA bypass.txt

Guys not overdo with this Captcha bypass test. Not post too much at this site. This exploit for educational purposes only.

Moral: try to make better captchas.

This entry was posted on 22:50 24.11.2007 and is filed under MoBiC. You can follow any responses to this entry through the RSS 2.0 feed.