Vulnerability?

Sep 24, 2009 at 1:00 PM
Edited Sep 24, 2009 at 1:00 PM

Hi,

Just had a quick look at the MyCaptcha demo that's included with the download. It appears as part of the HTML source, you print out the CAPTCHA answer.

 

<img style="border-width: 0px;" src="GetImgText.ashx?CaptchaText=FFFF0" id="MyCaptcha1_ImgCaptcha"/>

 

And the handler produces an image with the text FFFF0. This appears to be pretty vulnerable to bots, might be an idea to encrypt the CaptchaText parameter or figure out a better way of accessing it from the handler.

Andrew

Coordinator
Oct 20, 2009 at 8:43 PM
Edited Oct 20, 2009 at 8:43 PM

Hi Andrew,

Thanks for the comment. I made some modifications in the source code of MyCaptcha so that the Captcha answer is encrypted now. There are some other improvements in the source code and features.

 

Thanks

Aref Karimi

Jun 6, 2011 at 1:39 PM

Hi, this is a great tool! Quick comment:

Keeping the generated code in the ViewState makes easy to create a mockup form with the same hidden value and get a valid response:

        <input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUKMTA0ODQ5NDc5NQ9kFgICAw9kFgICBQ8PFgIeC2NhcHRjaGF0ZXh0BQVTMkozTGQWAgIBDw8WAh4ISW1hZ2VVcmwFTEdldEltZ1RleHQuYXNoeD9DYXB0Y2hhVGV4dD1zV1ZoJTJiWUFOUVpIcUNZOFRIWlRyWVNMY2NoTGFFb0hGempLRmhTME8xZzglM2RkZGQquEO9tPP8AQLO3N1aypb/qpwqYA==" />

Changing this to something else, let's say a Session variable, will avoid form a different session to get a code validated.

Also cleaning this variable after a validation was made will help.

Regards,

Sebastian