CAPTCHA (“Completely Automated Public Turing Test to Tell Computers and Humans Apart”) is a form of challenge-response test that is used by many websites to guarantee that the response was not created by a computer. Even though the produced CAPTCHA is impenetrable, CAPTCHA systems are frequently vulnerable to numerous types of attacks.
These flaws are rather widespread in many CAPTCHA implementations:
- The created picture CAPTCHA is poor; it can only be detected (without the use of complicated computer recognition systems) by a simple comparison with previously cracked CAPTCHAs.
- CAPTCHA questions that are created have a very restricted number of viable responses.
- The client sends the value of the decoded CAPTCHA (as a GET parameter or as a hidden field of POST form). This number is frequently: encrypted using a basic method and readily decrypted by watching numerous decoded CAPTCHA values; or hashed using a weak hash function (e.g., MD5) and easily cracked using a rainbow table.
- Replay attacks are possible since the program does not keep track of which CAPTCHA picture ID is provided to the user. As a result, an attacker can simply obtain an appropriate CAPTCHA image and its ID, solve it, and send the value of the decoded CAPTCHA with its corresponding ID (the ID of a CAPTCHA could be a hash of the decoded CAPTCHA or any unique identifier) or the application does not destroy the session when the correct phrase is entered – by reusing the session ID of a known CAPTCHA, it is possible to bypass CAPTCHA protected page.
ZOFixer.com security scan helps to find this vulnerability in your software and server, you can easily use it by registering on our website and activating the 30-day trial.