Paul Alkema

Discussions on Web Development and Security

Paul Alkema

One of The Worst Security Holes in CAPTCHA's and How You Can Fix Them.

April 23, 2010 · 53 Comments

There have been several occasions where people have used security holes in CAPTCHA's to purchase large amounts of specific items like tickets or other items. Is this wrong to do? I would say yes. In this article I'm going to teach you how to manually take advantage of this security hole and what you can do to prevent it for happening.

The first steps to understand the issues with most CAPTCHA's is to understand how they work. The way that most CAPTCHA's are as follows

  1. A random word(s) or alpha numeric string is generated
  2. This string is rendered into an image which displays to the users, and the user is prompted to input the text they see in the image. In ColdFusion many times people will use the CfImage attribute action="captcha".
  3. The string is then usually encrypted and placed into a hidden form element that's located inside of the submitting form.
  4. After submitting the form, typically the text that the user entered is encrypted using the same type of encryption as the randomly generated string.
  5. Finally, the encrypted user entered string is compared to the encrypted randomly generated string. If they match, than the user isn't a bot, if they don't, than the user is a bot.

This method, is either the exact method or extremely similar to how most CAPTCHA applications are written. You may be wondering what the issue with this is. I think that most people think, wow because I'm encrypting all of my strings and my CAPTCHA is so hard to read that your CAPTCHA is fool-proof. The reality is this type of CAPTCHA only stops one type of spammer.

There are three types of spammers.

  1. Automated Spam Bots. An automated spam bots written on a large scale that normally posts random spam on random sites by crawling from site to site.
  2. Manual Bots. A small application written with the intent to do one purpose, for one web site.
  3. Manual Human Spam. Usually a paid human with the intent to spam a single or multiple sites.

The above method stops most Automated Spam Bots, but not all of them. The security issue that I'm pointing out today has really more to do with manual bots and how easy it is to write one. Please note, that the reason that I am helping you to write this is in absolutely no way to help anyone under any circumstances to hack, spam or do anything illegal in any way. It's for informational purposes, so that the web development community can better understand how to prevent this type of issue.

How to Write a Manual Bot

  1. First go to the web page that has the CAPTCHA that you would like your bot to get through. Note the action page that the form submits to0. You can take note of this by viewing the source code.
  2. Fill out the form completely as if you were to submit the form including the CAPTCHA text.
  3. Note all of the form field names including the hidden fields and record all of their values.
  4. Write a small script that allows you to send those HTTP form elements with the values recorded to your web page's action page. I know I make it sound easy, but that's because at least in ColdFusion it is easy.

I have a test page with an example page with a typical CAPTCHA. HERE.

When I fill out the form in my example CAPTCHA page above and I take note of the form elements and values this is what I get.

EXAMPLE
Action
http://paulalkema.com/assets/content/unsuspecting-page.cfm
Form
submitted=1
captcha_check=6501AA9BA0B073BC (this contains the encrypted version of the captcha.)
captcha=h7eunmjq (This was blank before, but I manually entered this as a value.)

Now that we have this data recorded you can build a script that could do this dynamically.
CODE EXAMPLE

    <cfhttp 
        url="http://paulalkema.com/assets/content/unsuspecting-page.cfm" 
        method="post">
        <cfhttpparam 
            name="submitted" 
            type="FormField" 
            value="1">
        <cfhttpparam 
            name="captcha_check" 
            type="FormField" 
            value="6501AA9BA0B073BC">
        <cfhttpparam 
            name="captcha" 
            type="FormField" 
            value="h7eunmjq">
    </cfhttp>
    <cfoutput>
        #cfhttp.FileContent#	
    </cfoutput>

The above code would submit all of the form variables to my action page, where my action page would then except that I'm not a bot. I have an example of the exact script above working HERE.

You may be a little skeptical that someone would actually go out of their way to do this to spam your site and you very well may be right, but the reality is that someone could do it. In March 2010, 4 people were indicted for using a script to simultaneously buy thousands of concert tickets through an automated script similar to this.

How to Prevent It

So what do you do to prevent it? I think the primary issue with the above technique is that your sending a generated encrypted version of your CAPTCHA and comparing it to a user typed version of the CAPTHA and if you write a script that can resend this information, the script can be run repeatedly and the action page. Solution? Send the generated encrypted version of your CAPTCHA through server side variables. If your using ColdFusion a possible solution would be to send your the generated encrypted version of your CAPTCHA through session variables..

SEO: Coldfusion, Captcha, Cfhttp, Issues With Captcha, Hack Captcha, Captcha Security

Tags: ColdFusion