OWASP TOP 10: Insufficient Attack Protection #7 – CAPTCHA Bypass
SecureLayer7 Gratis PenTest Summer 2017
February 26, 2017How are work, life and things at SecureLayer7
July 11, 2017
What is CAPTCHA?
CAPTCHA is an acronym for “Computer Automated Public Turing test to tell Computers and Humans apart”. It is used to determine whether or not the user is human.
Many times, a CAPTCHA is an image. A human has to solve it using the challenge response system. A human can usually read it without too much difficulty. Figure below is an example of a CAPTCHA. The user has to prove that he is not a robot by writing the characters of image as an answer to the CAPTCHA. If it is correct, then the application accepts the action (login, registration, forgot password). If the answer is wrong then the user is stopped at that point and is presented with a new CAPTCHA until he answers correctly.
Let us know the importance of CAPTCHA:
Protecting against authentication related attacks:
There are certain functionalities that are needed to be protected against brute force attacks. For example:
- Login: Account takeover can be performed by guessing right credentials.
- Forgot password: Username enumeration can be performed if the web app responses with a verbose message stating that the account exists or not.
- Registration: Fake accounts can be created. Also username enumeration can be performed because no application will allow two users to choose same username.
Avoiding SPAM and DOS:
Some functionalities require users to submit form and it is later approved by the site administrator. Examples of such are: apply for a membership, contact us, feedback form, survey etc. These need to be well protected against bots. If not then it will lead to:
- Fake requests creation: Fake requests will be created that will cause overhead for the site administrator. The site admin will need to go through forms submitted by bots and humans both, so the legitimate users will be denied of service and he himself will also be denied of service.
- Email bombarding: Some functionalities send email to an arbitrary email address. These are also often targeted if not well protected by CAPTCHA. Thus an attacker can, on behalf of the web app, send numerous emails to internet users.
Protection against bots that do data mining:
Certain sites which contain very large amount of data are vulnerable to from data mining attack. They need to protect themselves from such abuse and need a CAPTCHA implementation. Example of such sites: social networking and search engines.
Why does the CAPTCHA get bypassed?
CAPTCHA is bypassed due to two reasons:
- Design Issues
- Implementation Issues
In this blog, we will witness design and implementation issues. We will also see how to crack them, why they are vulnerable and how we can make a secure CAPTCHA.
Design Issues:
The design issue means that the CAPTCHA design is weak in nature but there is nothing wrong with its implementation. Following demonstrations will help us understand what a design issues really is and how it can be cracked:
Design Issue # 1:
The CAPTCHA is nothing but an arithmetic operation that the user needs to perform. The mathematical question is in the HTML source code of the page on which CAPTCHA is presented.
You can download this CAPTCHA code from here: https://github.com/securelayer7/Captch-Bypass-Vulnerable-Script/tree/master/ArithmeticCAPTCHA
How to crack it?
All the attacker has to do in this case is to fetch the source code, compute the answer and submit the HTTP Response to crack the CAPTCHA.
You can download the exploit code for this here: https://github.com/securelayer7/Captch-Bypass-Vulnerable-Script/tree/master/CaptchaExploits
Design Issue # 2:
The CAPTCHA has a limited database of questions. It is an image based CAPTCHA which cannot be cracked by reading the HTML source code and then computing answer and submitting it. But the problem lies in the limited number of questions. In the below CAPTCHA, there are only 10 challenges that keep on iterating, thus making itself vulnerable.
You can download this CAPTCHA code from here: https://github.com/securelayer7/Captch-Bypass-Vulnerable-Script/tree/master/TenRepeatedCAPTCHA
How to crack it?
The attacker has to manually once solve the 10 CAPTCHA questions. and at the same time has to note down answers to corresponding questions. After that, a tool can be made to keep on cracking them constantly. The tool fetches the questions looks for the answer in its own database and then cracks it.
You can download the exploit code for this here: https://github.com/securelayer7/Captch-Bypass-Vulnerable-Script/tree/master/CaptchaExploits
Implementation Issues:
The implementation issues means that the CAPTCHA can be cracked due to weak implementation, but it is perfect from design point of view.
Following demonstration will help us understand what an implementation issues really are and how they can be cracked:
Implementation Issue # 1:
In demo, we are using Google reCAPTCHA. We use an API that sends the response of CAPTCHA solved by user to Google’s endpoint. More about it here: https://www.google.com/recaptcha/intro/index.html . The API replies to the request in the form of JSON output. Along with a HTTP Status code. So far so good !!
But the implementation issue arises here because the developer fails to check the JSON response, but instead of that he checks the HTTP Status code which is sent as 200 OK for correct and incorrect CAPTCHA responses both.
You can download this CAPTCHA code from here: https://github.com/securelayer7/Captch-Bypass-Vulnerable-Script/blob/master/GooglereCAPTCHA/weakcaptcha1.php
Note: The above scenario was a bug submitted by me in a bug bounty program. It was accepted and security team told me that they implemented their CAPTCHA in this particular way i.e. they only checked the status code and not the JSON response. 🙂
How to crack it?
The attacker simply has to make a script that will send any value to CAPTCHA and the server will accept it because no matter what the answer you sent, the server will only check whether the status code sent by Google API is 200 OK or not (It will be always 200 OK 🙂 ). In the below image, the value we are sending as answer is ‘InvalidAnswerOfCAPTCHA’
You can download the exploit code for this here: https://github.com/securelayer7/Captch-Bypass-Vulnerable-Script/tree/master/CaptchaExploits
Implementation Issue # 2:
The CAPTCHA is present on the web page, but after it has been submitted, it is validated but a simple mistake in if and else clause makes it vulnerable. The mistake is that the developer writes a positive response code in the else part also. So even if the CAPTCHA answer is wrong the application will give positive response to the user.
You can download this CAPTCHA code from here: https://github.com/securelayer7/Captch-Bypass-Vulnerable-Script/blob/master/GooglereCAPTCHA/weakcaptcha2.php
How to crack it?
The attacker simply has to make a script that will send any value to CAPTCHA. In the below image, the value we are sending as answer is ‘InvalidAnswerOfCAPTCHA’
You can download the exploit code for this here: https://github.com/securelayer7/Captch-Bypass-Vulnerable-Script/tree/master/CaptchaExploits
Implementation Issue # 3:
The CAPTCHA is present on the web page, but after it has been submitted, it never validated on the server side.
You can download this CAPTCHA code from here:
How to crack it?
So, by simply entering wrong CAPTCHA answer and an arbitrary value of email, an attacker can bypass it.
You can download the exploit code for this here: https://github.com/securelayer7/Captch-Bypass-Vulnerable-Script/tree/master/CaptchaExploits
How to protect ourselves from CAPTCHA attacks?
The solution to this is very simple. Follow these steps in making a strong CAPTHCA functionality:
- Design: Implement a CAPTCHA which is good in design. We have seen how self made designs can be vulnearble. So use a third party CAPTCHA service provider like Google.
- Implementation: After you have chosen a CAPTCHA with good design, the next step is to implement is correctly. We have seen that in spite of have a CAPTCHA with good design, it can still be cracked if not implemented correctly. If you are using Google reCAPTCHA then follow these steps:
- Do not check the validity of answer by HTTP Status code, instead check the JSON response sent by Google.
- Implement proper logic in if and else clause which differentiates between valid and invalid answers.
- Do not disclose your private CAPTCHA key. It is a secret.
You can download the secure CAPTCHA code from here: https://github.com/securelayer7/Captch-Bypass-Vulnerable-Script/blob/master/GooglereCAPTCHA/goodcaptcha.php
Takeaways from this blog:
It is a business requirement to have CAPTCHA on certain functionalities. If CAPTCHAs are insecure, then this can lead to extraction of sensitive data using tools, attack on authentication, DOS to user and admins. All this will result in reputation loss for the site owner. In order to set a right CAPTCHA, have a CAPTCHA which has a good design and implement it well.
Github link for all the scripts: https://github.com/securelayer7/Captch-Bypass-Vulnerable-Script
