Archive for the 'MoBiC' category

MoBiC-17: uaxxi.com CAPTCHA bypass

22:41 17.11.2007

The next participant of the project is the captcha at uaxxi.com. It is an IT and security site and it needs more reliable protection.

This captcha is used on the registration page and it is vulnerable to the MustLive CAPTCHA bypass method. I found this Insufficient Anti-automation hole on 14.10.2007.

To bypass the captcha you need to use the same picid and piccode values many times (for every post). This is the classic MustLive CAPTCHA bypass method.

Insufficient Anti-automation:

uaxxi.com CAPTCHA bypass.html

Guys, don't overdo it with this captcha bypass test. This exploit is for educational purposes only.

Moral: never make such insecure captchas.

MoBiC-16: Cryptographp CAPTCHA bypass

23:28 16.11.2007

The next participant of the project is Cryptographp. It is a captcha plugin for WordPress. The vulnerable version is Cryptographp 1.2 (and previous versions).

Statistics at wordpress.org say that this plugin has been downloaded 6285 times. Taking into account that this plugin can also be downloaded from other sources, the total number of downloads and of sites which use this plugin is much higher. So there are many thousands of sites at risk with this plugin.

This captcha is vulnerable to the session reusing with constant captcha bypass method. I found this Insufficient Anti-automation hole on 15.11.2007.

The session reusing with constant captcha bypass method is a tricky one. To bypass the captcha you need to use the same securitycode value for every post (during the current session). After you see the first captcha image, you need to turn off images, so the captcha will not be regenerated and you will be using the same code many times.

Insufficient Anti-automation:

Cryptographp CAPTCHA bypass.html

This exploit is for educational purposes only.

You need to set up the exploit to test it (set the site's URL and other data).

Moral: never make such vulnerable captchas.

MoBiC-15: search.live.com CAPTCHA bypass

23:46 15.11.2007

The next participant of the project is Live Search's captcha. Search.live.com is Microsoft's search engine, so it is a star captcha. Microsoft is a very experienced developer of vulnerable software :-) .

This captcha is used on the Live Search URL Submission page and it is vulnerable to the MustLive CAPTCHA bypass method. I found this Insufficient Anti-automation hole on 01.10.2007.

To bypass the captcha you need to use the same h and hip values many times (for every post).

Insufficient Anti-automation:

search.live.com CAPTCHA bypass.html

It is a form request (via GET), and here is the pure GET request:

http://search.live.com/docs/submit.aspx?h=MVL5Z&hip=E7EAFBA5A5F9446B84F77CDDBDC2B8B6&url=http://site

This exploit is for educational purposes only.

Moral: never make such unreliable captchas.

Hunting for CAPTCHAs

23:55 14.11.2007

Let's examine methods of searching for vulnerable captchas. The main tool is Google hacking: searching for vulnerabilities on sites using Google (this approach can also be used with other search engines). When a vulnerable captcha is discovered, both good guys (aiming to report the presence of vulnerabilities) and bad guys (aiming to use these vulnerabilities) can find sites with the vulnerable captcha using search engines. So let's examine ways of using Google hacking to search for sites with vulnerable captchas of different types: text, logical and image (graphic).

Searching for vulnerable text captchas.

In the case of text captchas, they can be found by searching for the text that appears next to the captcha (via Google Search).

“into the textbox below” - up to 71000 results.

Taking into account that different captchas can use the same or similar text phrases, it will not be simple to find a specific vulnerable captcha. For more precise results you need to refine the search phrase.

Resistance: to resist this method it is better to change the captcha's default phrases; then your site will be harder to find by the presence of a vulnerable captcha. But it is better to use reliable captchas.

Searching for vulnerable logical captchas.

In the case of logical captchas, they can be found by searching for the text that appears next to the captcha (via Google Search).

“Check this box if you are not a spammer” - up to 12500 results.

Taking into account that different captchas can use the same or similar text phrases, it will not be simple to find a specific vulnerable captcha. For more precise results you need to refine the search phrase.

Resistance: to resist this method it is better to change the captcha's default phrases; then your site will be harder to find by the presence of a vulnerable captcha. But it is better to use reliable captchas.

Searching for vulnerable graphic captchas.

In the case of graphic captchas there are two approaches to searching for sites with vulnerable captchas.

1. They can be found by searching for the text that appears next to the captcha (via Google Search).

“Please enter the numbers you see below” - up to 39500 results.

This variant is not very precise, because different captchas can use the same or similar text phrases. So it will not be simple to find a specific vulnerable captcha (but it is possible to search for different ones to find captchas with similar vulnerabilities).

Resistance: to resist this method it is better to change the captcha's default phrases; then your site will be harder to find by the presence of a vulnerable captcha. But it is better not to use vulnerable captchas at all.

2. They can be found by searching for their image (via Google Image Search).

Let's look at the example of the mt-scode captcha:

mt-scode.cgi - up to 3340 results.

inurl:mt-scode.cgi - up to 3270 results.

This variant is more precise, because it allows searching for a specific vulnerable captcha.

Resistance: to resist this method it is better to change the captcha's filenames; then your site will be harder to find by the presence of a vulnerable captcha. But it is better not to use vulnerable captchas at all.

Hunting for CAPTCHAs

23:14 14.11.2007

Let's examine methods of searching for vulnerable captchas. The main tool is Google hacking: searching for vulnerabilities on sites with the help of Google (this approach can also be used with other search engines). When a vulnerable captcha is discovered, good guys (aiming to report the presence of vulnerabilities) and bad guys (aiming to use these vulnerabilities) can find sites with this vulnerable captcha with the help of search engines. So let's examine ways of using Google hacking to search for sites with vulnerable captchas of different types: text, logical and graphic.

Searching for vulnerable text captchas.

In the case of text captchas, they can be found by searching for the text that appears next to the captcha (via Google Search).

“into the textbox below” - up to 71000 results.

Taking into account that different captchas can use the same or similar text phrases, it will not be simple to find a specific vulnerable captcha. For more precise results you need to refine the search phrase.

Resistance: to resist this method it is worth changing the captcha's standard phrases; then your site will be harder to find through the presence of a vulnerable captcha. But it is better to use reliable captchas.

Searching for vulnerable logical captchas.

In the case of logical captchas, they can be found by searching for the text that appears next to the captcha (via Google Search).

“Check this box if you are not a spammer” - up to 12500 results.

Taking into account that different captchas can use the same or similar text phrases, it will not be simple to find a specific vulnerable captcha. For more precise results you need to refine the search phrase.

Resistance: to resist this method it is worth changing the captcha's standard phrases; then your site will be harder to find through the presence of a vulnerable captcha. But it is better to use reliable captchas.

Searching for vulnerable graphic captchas.

In the case of graphic captchas there are two approaches to searching for sites with vulnerable captchas.

1. They can be found by searching for the text that appears next to the captcha (via Google Search).

“Please enter the numbers you see below” - up to 39500 results.

This variant is not very precise, because different captchas can use the same or similar text phrases. So it will not be simple to find a specific vulnerable captcha (but one can search for different ones to find captchas with similar vulnerabilities).

Resistance: to resist this method it is worth changing the captcha's standard phrases; then your site will be harder to find through the presence of a vulnerable captcha. But it is better not to use vulnerable captchas at all.

2. They can be found by their image (via Google Image Search).

Let's look at the example of the mt-scode captcha:

mt-scode.cgi - up to 3340 results.

inurl:mt-scode.cgi - up to 3270 results.

This variant is more precise, because it allows searching for a specific vulnerable captcha.

Resistance: to resist this method it is worth changing the captcha's filenames; then your site will be harder to find through the presence of a vulnerable captcha. But it is better not to use vulnerable captchas at all.

MoBiC-14: cgisecurity.com CAPTCHA bypass

20:40 14.11.2007

The next participant of the project is the captcha at cgisecurity.com, which is used on the Submit News page and in the Contact Us form on every page of the site. It is a popular security site and it needs a more reliable captcha.

This is a text captcha and it is vulnerable to the constant value bypass method. I already wrote about a text logical captcha, and this one is purely textual. I found this Insufficient Anti-automation hole on 19.10.2007.

The constant value bypass method is similar to the MustLive CAPTCHA bypass method (the same value is sent many times). I wrote about this method in the article MoBiC-03: Peter's Custom Anti-Spam Image CAPTCHA bypass (in that case it was a 10-value captcha and this time it is a one-value one). This captcha has only one value, so it can be easily bypassed. There are many captchas vulnerable to this method, image and text ones; this is a textual one. Robert Auger is a fun guy, he called it “Cheapest CAPTCHA ever” :-) . Indeed it is the cheapest, but also insecure.

To bypass the captcha you need to use the same “value” parameter value many times (for every post): send the same word on both the Submit News page and the Contact Us form. The most interesting thing is that if you enter an incorrect captcha or do not enter it at all, the message will still be sent and you will see that the submission was received :-) (but as Robert said, he will not receive the message if the captcha is not entered, so it is better to send the captcha's value).

Insufficient Anti-automation:

cgisecurity.com CAPTCHA bypass.html

Guys, don't overdo it with this captcha bypass test. This exploit is for educational purposes only.

Moral: never make such insecure captchas.

MoBiC-13: expert.com.ua CAPTCHA bypass

22:46 13.11.2007

The next participant of the project is the captcha at expert.com.ua, which is used in the comment form on every news page of the site.

This is a text logical captcha and it is vulnerable to the MustLive CAPTCHA bypass method. There are many text captchas (I will write about some other text ones), and in this case it is text logical, because it is textual with a logical task for the user like in logical ones (in this case it is a math task). I found this Insufficient Anti-automation hole on 19.10.2007.

To bypass the captcha you need to use the same answer and cupnum values many times (for every post). This is the classic MustLive CAPTCHA bypass method, which easily bypasses text logical captchas.

Insufficient Anti-automation:

expert.com.ua CAPTCHA bypass.html

Guys, don't overdo it with this captcha bypass test. Do not post too much on this site. This exploit is for educational purposes only.

Moral: never make such unreliable captchas.

MoBiC-12 Bonus: Peter’s Random Anti-Spam Image XSS

22:48 12.11.2007

Let's continue our talk about the last participant of the project, Peter's Random Anti-Spam Image. It is a captcha plugin for WordPress.

This is a popular captcha plugin which is used on many sites. So there are many web sites at risk with it. The vulnerable version of the plugin is Peter's Random Anti-Spam Image 0.2.4 (and all previous).

This captcha is vulnerable to XSS. As I wrote in the article MoBiC-05 Bonus: Google CAPTCHA bypass, there are vulnerabilities in captchas other than Insufficient Anti-automation (and I will write about some of them). I found this Cross-Site Scripting hole on 03.11.2007.

XSS:

POST request in the comment form, in the comment field:
</textarea><script>alert(document.cookie)</script>
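To show why that payload works and how the plugin side should handle it, here is an added illustration (constructed for this page, not the plugin's own code): a comment form that echoes the submitted comment back inside a textarea, once with raw interpolation and once HTML-escaped; the function names are assumptions.

```python
import html

# Constructed illustration (not the plugin's code) of the comment-field XSS
# above: the comment is echoed back inside a <textarea>, for example when the
# captcha answer was wrong and the form is shown again with the text kept.

PAYLOAD = "</textarea><script>alert(document.cookie)</script>"


def render_form_vulnerable(comment: str) -> str:
    # Raw interpolation: the </textarea> inside the comment closes the element
    # early, and the <script> after it runs in the site's origin.
    return f'<form><textarea name="comment">{comment}</textarea></form>'


def render_form_fixed(comment: str) -> str:
    # html.escape turns < > & " into entities, so the browser sees only text.
    return f'<form><textarea name="comment">{html.escape(comment)}</textarea></form>'


def script_escapes_textarea(rendered: str) -> bool:
    # Demo check: is there a <script> tag after the first </textarea> closer?
    return "<script" in rendered[rendered.find("</textarea>"):]
```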

Peter’s Random Anti-Spam Image XSS.html

This exploit is for educational purposes only. Don't use this hole and exploit for malicious purposes.

You need to set up the exploit to test it (set the site's URL and other data).

Moral: try to make captchas without XSS holes.

MoBiC-12: Peter’s Random Anti-Spam Image CAPTCHA bypass

20:23 12.11.2007

The next participant of the project is Peter's Random Anti-Spam Image. It is a captcha plugin for WordPress. This plugin is from the same author as Peter's Custom Anti-Spam Image and it is more reliable than the previous plugin, but it also has vulnerabilities.

This is a popular captcha plugin (like Custom Anti-Spam Image) which is used on many sites. So there are many web sites at risk with this plugin. The vulnerable version of the plugin is Peter's Random Anti-Spam Image 0.2.4 (and all previous).

This captcha is vulnerable to the half-automated method (I will write about another, more serious hole in a bonus post). It is one of the Advanced MustLive CAPTCHA bypass methods which I described in the article MoBiC-05: Blogger CAPTCHA bypass. I found this Insufficient Anti-automation hole on 03.11.2007.

In the half-automated method you need to prepare captcha image-code pairs beforehand (because of one-time captcha images). For bypassing you need to use new securitycode and matchthis values for every post. It is not fully automated, but it is still a half-automated bypass (without using OCR, only using vulnerabilities in the captcha directly). Those who don't want to do the work themselves can use low-cost labour to prepare image-code pairs or use OCR software (even for non-real-time recognition), and bad guys often use such techniques. Still, this method allows personal captcha bypassing without additional resources (labour or OCR).

Insufficient Anti-automation:

Peter’s Random Anti-Spam Image CAPTCHA bypass.html

This exploit is for educational purposes only.

You need to set up the exploit to test it (set the site's URL and other data).

Moral: try to make more secure captchas.

P.S.

I have also prepared another vulnerability in Peter's Random Anti-Spam Image. So wait for today's bonus post ;-) .

MoBiC-11: Digg CAPTCHA bypass

22:54 11.11.2007

The next participant of the project is Digg's captcha. Digg.com is a very popular web site, so it is a star captcha.

This captcha is used on the Create an Account page and it is vulnerable to the MustLive CAPTCHA bypass method. I found this Insufficient Anti-automation hole on 12.09.2007.

To bypass the captcha you need to use the same captcha and captchaid values many times (for every post). Note that one captcha image does not work for long, so you need new image-code pairs periodically.
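The posts above describe the same server-side mistake in two shapes: an id/code pair (picid/piccode, h/hip, answer/cupnum, captcha/captchaid) that stays valid for every post, and the Cryptographp session code that only changes when the image is rendered. The following is an added model of both, with a single-use, expiring check beside them; it is constructed for this page, not code from any captcha named here, and the class and field names are assumptions.

```python
import hmac
import secrets

# Constructed models, not code from any captcha named on this page: a
# replayable id/code pair, a session code that rotates only when the
# image is rendered, and a single-use challenge with expiry beside them.

class ReplayableCaptcha:
    """Vulnerable: the id is a keyed hash of the code, so any valid pair replays."""
    def __init__(self, key: bytes):
        self.key = key

    def issue(self, code: str) -> tuple[str, str]:
        return hmac.new(self.key, code.encode(), "sha256").hexdigest(), code

    def verify(self, picid: str, code: str) -> bool:
        expected = hmac.new(self.key, code.encode(), "sha256").hexdigest()
        return hmac.compare_digest(expected, picid)  # nothing is consumed

class SessionCaptcha:
    """Vulnerable: the stored code is replaced only when the image is fetched."""
    def render_image(self, session: dict) -> str:
        session["securitycode"] = secrets.token_hex(3)
        return session["securitycode"]  # stands in for drawing the image

    def verify(self, session: dict, answer: str) -> bool:
        # With images turned off, render_image() never runs again, so the
        # same securitycode keeps passing for every post in the session.
        return answer == session.get("securitycode")

class SingleUseCaptcha:
    """Hardened: each challenge is consumed on its first check and expires."""
    def __init__(self, ttl: int = 120):
        self.pending: dict[str, tuple[str, int]] = {}
        self.ttl = ttl

    def issue(self, code: str, now: int) -> str:
        challenge_id = secrets.token_urlsafe(16)
        self.pending[challenge_id] = (code, now + self.ttl)
        return challenge_id

    def verify(self, challenge_id: str, answer: str, now: int) -> bool:
        entry = self.pending.pop(challenge_id, None)  # gone, right or wrong
        if entry is None:
            return False
        code, expires_at = entry
        return now <= expires_at and hmac.compare_digest(code.encode(), answer.encode())

def replay_successes(check, attempts: int) -> int:
    return sum(1 for _ in range(attempts) if check())  # accepted identical posts
```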

Insufficient Anti-automation:

Digg CAPTCHA bypass.html

Guys, don't overdo it with this captcha bypass test. This exploit is for educational purposes only.

Moral: never make such insecure captchas.