|
|
|
Insure yourself from spam! The Anti Spam Insurance Company - ProtectWebForm!
Forum - Security issue
mwoods |
2008-01-15 05:21:39 |
|
Hi, I have successfully added the CAPTCHA to my site (PHP), but during
testing, have noticed what appears to be a security issue.
It appears that using your CAPTCHA, i can keep refreshing the image
easily (a good thing, of course!), but I can then submit any one of
the previous image codes to gain entry. The same goes for incorrect
attempts.
i.e. I can request a CAPTCHA image, that may have the code "123456". I
can then continue guessing this code to my hearts content (regardless
of the fact that I display a new CAPTCHA image after each attempt),
until I guess "123456" correctly. It seems that your verification
server builds a list of acceptable verifications from each request IP,
and only clears this list down upon a successful verification. Should
the list not be cleared down after EVERY verification attempt,
regardless of success or failure?
Kind Regards,
Mark |
|
I know there is such a situation.
When I store the requested code I store the remote ip address.
Currently I didn't see attacks of this type, but solution I was
planning was:
to increase image-response time exponentially.
E.g. when you (with custom) ip address query image, the service adds
sleep(exp(2, attempt)) before storing code in the DB.
This will reduce the risk of multiple image queries.
If you think this is critical for your service/site, I can add this
feature in near future. |
mwoods |
2008-01-15 06:01:39 |
|
It is not critical, no, since a reasonable amount of traffic to our
site should resolve the issue in itself (with a successful login
clearing down the image list).
A solution to the problem would be a nice feature, though, to increase
the level of security, and the need for generating longer security
codes.
However, in the proposed solution, I'm assuming that the custom ip
will need to relate to the client on our side, and not our server's
ip? Reason being, that we wouldn't want an attacker compromising our
login screen, simply by making numerous incorrect attempts, and
pushing the exponential image request time up high for everyone using
our site.
Kind Regards,
Mark |
|
> client on our side, and not our server's
ip
yes, sure.
And there is also ttl (time to live for the image ) = 30 minutes
so, if you have 6 numbers alphanumeric image this will produce you
approx
40 pov 6 = 4096000000 image variants
this means that an attacker must request the site: 4096000000 / 60 *
30 = 2275555 per second to get an image.
Imagine he creates the 1000 (really high performance server) requests
per second, this is 275 times hi must try this service to guess the
code.
This is 275 hours = approx 10 days.
I could have make a mistake in my calculations, but seems to smth.
like this.
Oleg. |
mwoods |
2008-01-15 08:32:15 |
|
Ah, I didnt realise there was the 30 minute timeout.
Thank you for your quick replies.
Kind Regards,
Mark |
Post Reply:
You must be logged in to reply.
|
Post message
|
Registered users: 87650
Forms protected: 48551
Further Reading & Anti Spam Resources:
Directory
|
|