
I have a web application I am doing a security assessment on and it uses captcha for both the login and for certain operations inside the app. The interesting thing is that this particular app displays the text of the captcha right under it (users complained, so...), so it would be feasible to rig something up to read the captcha text and use that, enabling the scan to be automated. Can anyone point to a resource that would help me script this? I use IBM appscan and Burp Suite.

Without that text, though, I'm limited to hand testing. Would it be fair to say that this captcha makes the app immediately more secure because it is resistant to automated scans?

mcgyver5
  • Ask the devs for a non-captcha version of the site for testing? That's what I do. – schroeder Jul 09 '14 at 14:54
  • Good answer. In this case, the turn-around time for such a change... I don't want to think about it. – mcgyver5 Jul 09 '14 at 14:58
  • Not sure I'd go the non-Captcha route, if there's alternatives. The Captcha component itself may have vulnerabilities which your scan will miss when it's removed. Also, you do realize that by putting the Captcha into machine-readable text on the page you've effectively defeated its entire purpose - don't you? – Iszi Jul 09 '14 at 15:25
  • Just to be clear, I did NOT put the captcha into machine-readable text! I'm just assessing the app and that feature will be included in my report. – mcgyver5 Jul 09 '14 at 16:23

2 Answers


In your question, you mention that the app displays the text of the captcha right under it. If you mean that the correct answer to the captcha challenge is displayed to the user as text in addition to its display in an image, then it should be a simple matter to script an automated scan. Your script would be able to complete the login process by reading the text of the captcha answer from the web page, and then providing that answer in the proper field.

I haven't used the tools you're using, so I'm not familiar with scripting capabilities that they might provide. But in Python, you could use urllib to implement this capability. In Perl, you could use LWP.

In my opinion, using a captcha can reduce some risks in a web application, especially risks related to a new-user enrollment process being abused by automated (non-human) clients. It could help as a part of a login form for existing users, but to a lesser extent. A well designed login form should protect itself from brute force login attempts, even without a captcha (for instance, by limiting the number of failed login attempts possible in a given time period for the same user account or client IP address).

And of course, displaying the answer to a captcha challenge in text pretty much removes the usefulness of having a captcha to begin with. At that point, the implementation is inconveniencing the user while providing no security benefit.

Mox
  • +1 for the last paragraph. Rest of it's good too, but I think that last part really needs to be emphasized here. – Iszi Jul 09 '14 at 15:28
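As an added illustration of the approach this answer describes (not code from the original post), the script below parses a login page, pulls the captcha answer that the app prints as text under the image, and builds the form body that urllib would submit; this is the check a tester would use to demonstrate for the report that the captcha gives no protection. The HTML is constructed, and the field names and the `captcha-hint` id are assumptions about how such a page might look.

```python
from html.parser import HTMLParser
from urllib.parse import urlencode

# Constructed sample page: the captcha answer is disclosed as plain text.
SAMPLE_LOGIN_PAGE = """
<form method="post" action="/login">
  <input type="hidden" name="csrf" value="abc123">
  <input type="text" name="username">
  <input type="password" name="password">
  <img src="/captcha.png" alt="captcha">
  <span id="captcha-hint">Text: 7k3pq</span>
  <input type="text" name="captcha_answer">
  <input type="submit" value="Login">
</form>
"""


class LoginFormParser(HTMLParser):
    """Collect the form's input names/values and the captcha hint text."""

    def __init__(self):
        super().__init__()
        self.fields = {}      # name -> value for every non-submit input
        self.hint = None      # text found inside the (assumed) hint element
        self._in_hint = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("type") != "submit" and a.get("name"):
            self.fields[a["name"]] = a.get("value") or ""
        elif tag == "span" and a.get("id") == "captcha-hint":
            self._in_hint = True

    def handle_data(self, data):
        if self._in_hint:
            self.hint = (self.hint or "") + data

    def handle_endtag(self, tag):
        if tag == "span" and self._in_hint:
            self._in_hint = False


def extract_captcha_answer(hint):
    """'Text: 7k3pq' -> '7k3pq'; None when nothing usable is disclosed."""
    if hint and ":" in hint:
        return hint.split(":", 1)[1].strip()
    return None


def build_login_body(html, username, password):
    """Return (fields, urlencoded body) ready for urllib.request.Request."""
    parser = LoginFormParser()
    parser.feed(html)
    answer = extract_captcha_answer(parser.hint)
    if answer is None:
        raise ValueError("captcha answer is not disclosed in page text")
    parser.fields.update(username=username, password=password,
                         captcha_answer=answer)
    return parser.fields, urlencode(parser.fields)
```

If the finding is fixed (the hint element disappears), `build_login_body` raises instead of silently submitting an empty answer.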

The best solution as pointed out by @schroeder is to use a non-captcha version of the website to run your scans.

To answer your question: yes, a captcha is used to prevent automated bots from accessing your website, so I would say it makes it more secure to some degree.

This may be a little more work-intensive, but is it possible to manually work your way past the captcha and then point your tools at the website once you have gotten through?

PseudoNym01
  • Besides the login, certain functions inside the app also have captcha (with the same user-friendly (?) text with the correct answer right below the captcha image). – mcgyver5 Jul 09 '14 at 15:24
  • Ouch, yeah you're about as bot proof as can reasonably be expected I think. – PseudoNym01 Jul 09 '14 at 19:37