RE: [WEB SECURITY] Fake Captcha Protection
- From: "Chris Weber \(Casaba Security\)" <chris@xxxxxxxxxxxxxxxxxx>
- Subject: RE: [WEB SECURITY] Fake Captcha Protection
- Date: Tue, 29 Apr 2008 12:56:28 -0700
You've pointed out a very important design aspect of Captchas: they should prevent replay and reuse attacks. This should be well-known to app security people. Although I don't follow your question too well. Are you asking how many Captchas have been defeated? I haven't been following too closely, but think this might still be a good reference for that: http://libcaca.zoy.org/wiki/PWNtcha
If you're really asking the number of bad guys who've defeated them, well I know at least two, and might guess 13 total.
Chris
-----Original Message-----
From: The Burmese Hacker [mailto:hacker.ak@xxxxxxxxx]
Sent: Tuesday, April 29, 2008 4:29 AM
To: websecurity@xxxxxxxxxxxxx
Subject: [WEB SECURITY] Fake Captcha Protection
Hello all
A lot of web sites are using Fake Captcha Protection which can be
defeated by a "Replay" attack.
Recently, I found this hole in Ning.com, a growing social network site.
How many bad guys have defeated those?
Some captcha creation tutorials are also vulnerable to 'Replay' attack.
Newbie developers are misusing them in their applications.
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
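The replay weakness discussed in this thread comes down to one thing: the server checks a CAPTCHA answer but never consumes the challenge, so a single solved challenge can be submitted again and again. The following is an added example, not code from either poster or from Ning.com, contrasting that replayable pattern with a single-use one. The class names, the in-memory dictionary store, the 300-second lifetime and the sample session ids and answers are all assumptions made for illustration; a real deployment would keep the challenge state in a shared server-side store and generate the answer when it renders the image.

```python
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class Challenge:
    """Server-side record of one issued CAPTCHA (constructed for this example)."""
    answer: str
    session_id: str
    expires_at: float


class ReplayableCaptcha:
    """Vulnerable pattern: the challenge is looked up and compared but never
    removed, so the same challenge id and answer pass verification forever."""

    def __init__(self):
        self._challenges = {}

    def issue(self, session_id, answer):
        cid = secrets.token_urlsafe(16)
        self._challenges[cid] = Challenge(answer, session_id, time.time() + 300)
        return cid

    def verify(self, cid, session_id, answer):
        ch = self._challenges.get(cid)          # lookup only: nothing is consumed
        return ch is not None and ch.answer == answer


class SingleUseCaptcha:
    """Hardened pattern: a challenge is bound to the issuing session, expires,
    and is deleted the moment it is checked, right or wrong, so a replayed
    submission finds nothing to verify against."""

    TTL_SECONDS = 300  # assumed lifetime; tune for the form in question

    def __init__(self, now=time.time):
        self._challenges = {}
        self._now = now  # injectable clock so expiry can be exercised offline

    def issue(self, session_id, answer):
        cid = secrets.token_urlsafe(16)
        self._challenges[cid] = Challenge(
            answer, session_id, self._now() + self.TTL_SECONDS
        )
        return cid

    def verify(self, cid, session_id, answer):
        # pop() consumes the challenge before any comparison is made, so a
        # second submission (correct or not) is rejected
        ch = self._challenges.pop(cid, None)
        if ch is None:
            return False
        if ch.session_id != session_id:       # challenge must belong to this session
            return False
        if self._now() > ch.expires_at:        # stale challenges are refused
            return False
        # constant-time comparison so response timing does not leak the answer
        return hmac.compare_digest(ch.answer.encode(), answer.encode())


def demo():
    """Constructed scenario: a legitimate submission followed by a replay of the
    same challenge id and answer, against both implementations."""
    weak = ReplayableCaptcha()
    cid = weak.issue("sess-A", "k7x2q")
    weak_first = weak.verify(cid, "sess-A", "k7x2q")
    weak_replay = weak.verify(cid, "sess-A", "k7x2q")   # replay succeeds: True

    strong = SingleUseCaptcha()
    cid2 = strong.issue("sess-A", "k7x2q")
    strong_first = strong.verify(cid2, "sess-A", "k7x2q")
    strong_replay = strong.verify(cid2, "sess-A", "k7x2q")  # replay fails: False
    return weak_first, weak_replay, strong_first, strong_replay


if __name__ == "__main__":
    print(demo())
```

The design point is that the answer never leaves the server (the classic tutorial mistake is to ship a hash of the answer to the browser in a hidden field, which is what makes replay trivial), and that consumption happens before comparison so a wrong guess also burns the challenge.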
Brought to you by http://www.webappsec.org