Who Am I
Principal Consultant with Foundstone (McAfee)
Tools: TesserCap, SSLSmart, and many internal
Security research: web applications, networks, mobile applications, and more
Ruby, C#, Rails
Research Scope
200+ CAPTCHA schemes analyzed
Scores of websites examined for implementation
Known OCR engines used for classification
Custom image preprocessing
Pages looked at: Register User, Recover Account/Password, Contact Us and Feedback
CAPTCHA Schemes
CAPTCHA Implementations
Server
Flow between client and server (diagram on the slide):
Page served to the client: <html> ... <img src=/captcha.php> </html>
3/4: GET /captcha.php with the SESSIONID; server returns the CAPTCHA
6: client submits the form with its solution
8: server verifies the solution
9: server responds
www.foundstone.com 2010, McAfee, Inc.
From Here On
Arithmetic CAPTCHAs
Observations:
CAPTCHAs are not generated at runtime
Limited number of CAPTCHAs
CAPTCHAs are assigned static index values that are referenced for assignment and verification
One of the most popular implementations
Seen on very high-traffic websites
Table on the slide: CAPTCHA identifier vs. solution, for identifiers 95C7A, 58413, 9D3BF, 49F1C, ABB87 (the solution column is not recoverable from the extracted text)
Server (diagram on the slide): 3 ... 5 Use the identifier to retrieve the CAPTCHA solution and verify the submitted solution
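The weakness of an indexed scheme is that the identifier in the page, not the image, is what the server uses to find the answer. The following Ruby is an added example (not code from the talk or from TesserCap): a server with a fixed pool of five pre-rendered CAPTCHAs keyed by the identifiers shown on the slide, and an attacker who solves each image once (via a stand-in for a human or OCR) and from then on answers every challenge by table lookup. The solution texts, the image-token rendering and the HumanSolver are constructed for the example.

```ruby
require 'digest'

# Constructed pool: identifier => solution. Identifiers are the ones visible on
# the slide; the solutions are made up for this example.
POOL = {
  '95C7A' => 'kq7tx', '58413' => 'm3zp2', '9D3BF' => 'w8cnl',
  '49F1C' => 'h2vbr', 'ABB87' => 'd6gsy',
}.freeze

# Stand-in for the rendered image: an opaque token derived from the solution.
def render_image(solution)
  'PNG:' + Digest::SHA256.hexdigest(solution)[0, 16]
end

class IndexedCaptchaServer
  # The page carries <img src=/captcha.php?id=...>; the form sends the same
  # identifier back so the server can look up the expected solution.
  def serve
    id = POOL.keys.sample
    [id, render_image(POOL[id])]
  end

  # "Use the identifier to retrieve CAPTCHA solution + verify solution"
  def verify(id, answer)
    POOL.key?(id) && POOL[id] == answer
  end
end

# Stand-in for a human (or OCR) reading an image once. Counts how many images
# the attacker actually had to solve.
class HumanSolver
  attr_reader :calls

  def initialize
    @calls = 0
    @by_image = POOL.values.to_h { |s| [render_image(s), s] }
  end

  def solve(image)
    @calls += 1
    @by_image.fetch(image)
  end
end

# Attacker phase 1: request CAPTCHAs until every identifier has been seen,
# solving each distinct one exactly once (||= only calls the solver on a miss).
def build_lookup_table(server, solver, max_requests: 10_000)
  table = {}
  max_requests.times do
    id, image = server.serve
    table[id] ||= solver.solve(image)
    break if table.size == POOL.size
  end
  table
end

# Attacker phase 2: every further registration is a table lookup, no solving.
# Returns how many of the attempts the server accepted.
def replay(server, table, attempts)
  attempts.times.count do
    id, _image = server.serve
    server.verify(id, table[id])
  end
end

if __FILE__ == $PROGRAM_NAME
  server = IndexedCaptchaServer.new
  solver = HumanSolver.new
  table  = build_lookup_table(server, solver)
  puts "solved #{solver.calls} images for #{table.size} identifiers"
  puts "#{replay(server, table, 1000)} / 1000 registrations passed"
end
```

With a pool of five, the attacker pays for five solves and then passes the CAPTCHA indefinitely; a larger pool only raises the one-time cost, since the identifier reveals which precomputed answer the server expects.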
Persistent CAPTCHAs
The same CAPTCHA was returned for any number of registration attempts within a session
Because the challenge never changes, the CAPTCHA can be brute-forced
Server-side flow (diagram on the slide):
2: Create a random CAPTCHA
3: Set the CAPTCHA solution in the HTTP session
7: Clear the CAPTCHA state or the session
Two OCR engines read the same image differently; positions where they disagree become a set of alternatives to try:
OCR 1: rGsyg
OCR 2: r6sy9
Merged reading: r[G6]sy[g9]
Candidates: r6sy9, r6syg, (and the other combinations)
Solve the CAPTCHA with an OCR
Brute-force the uncertain characters over the sample space
Continue, or better: refresh the SESSIONID for a new CAPTCHA!?
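The merged reading on the previous slide, r[G6]sy[g9], is a compact description of a small search space. The Ruby below is an added example (not TesserCap code): it builds that notation from two OCR readings, expands it into every candidate string, and submits candidates to a verifier until one passes. The verifier lambda and the "true" text r6sy9 are constructed for the example.

```ruby
# Parse "r[G6]sy[g9]" into per-position alternative sets:
# [["r"], ["G", "6"], ["s"], ["y"], ["g", "9"]]
def parse_alternatives(ocr)
  ocr.scan(/\[([^\]]+)\]|(.)/).map { |group, single| group ? group.chars : [single] }
end

# Cartesian product over the per-position sets. "r[G6]sy[g9]" yields four
# candidates; each extra ambiguous position multiplies the count.
def candidates(ocr)
  sets = parse_alternatives(ocr)
  return [] if sets.empty?
  sets.first.product(*sets.drop(1)).map(&:join)
end

# Combine two engines' readings of the same image: where they agree, keep the
# character; where they differ, record both as alternatives. Readings of
# different length cannot be merged position-wise, so nil is returned.
def merge_readings(a, b)
  return nil if a.length != b.length
  a.chars.zip(b.chars).map { |x, y| x == y ? x : "[#{x}#{y}]" }.join
end

# Submit candidates in order until the verifier accepts one. Returns the
# accepted string and how many submissions it took, or nil if none passed.
def brute_force(ocr, verifier)
  candidates(ocr).each_with_index do |guess, i|
    return [guess, i + 1] if verifier.call(guess)
  end
  nil
end

if __FILE__ == $PROGRAM_NAME
  # Constructed: the true text is "r6sy9"; OCR 1 read "rGsyg", OCR 2 "r6sy9".
  merged = merge_readings('rGsyg', 'r6sy9')   # "r[G6]sy[g9]"
  check  = ->(guess) { guess == 'r6sy9' }
  p candidates(merged)
  p brute_force(merged, check)
end
```

The trade-off the slide raises applies here: against a server that keeps the same CAPTCHA for the session, all four candidates can be submitted; against one that issues a fresh CAPTCHA per request, only the first candidate gets a try, and it is usually cheaper to refresh and wait for an image the OCR reads without ambiguity.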
The Victims
TesserCap Introduction
Retrieve CAPTCHA
HMLR
TesserCap Demonstrations
Spatial Filters
This Image: Digital Image Processing, Second Edition By Gonzalez and Woods
TesserCap Results

CAPTCHA Provider       Accuracy
Captchas.net           40-50%
Opencaptcha.com        20-30%
Snaphost.com           60+%
Captchacreator.com     10-20%
www.phpcaptcha.org     10-20%
webspamprotect.com     40+%
ReCaptcha              0%

TesserCap Results

Website                Accuracy    Quantcast Rank
Wikipedia              20-30%      7
Ebay                   20-30%      11
Reddit.com             20-30%      68
CNBC                   50+%        121
Foodnetwork.com        80-90%      160
Dailymail.co.uk        30+%        245
Megaupload.com         80+%        1000
Pastebin.com           70-80%      32,534
Cavenue.com            80+%        149,645
Recommended server-side flow (diagram on the slide):
2: Create a new SESSIONID
3: Create a new CAPTCHA with random text
4: Return the CAPTCHA together with the new SESSIONID
Set the CAPTCHA solution in the HTTP session
Verify the CAPTCHA
Clear the CAPTCHA state or the HTTP session
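The difference between the "Persistent CAPTCHAs" slide and the recommended flow above comes down to what happens to the stored solution. The Ruby below is an added example (not code from the talk): an in-memory session store standing in for the server's HTTP session, a persistent variant that sets the solution once and never clears it, and a hardened variant that rotates the session id, generates fresh random text on every request and discards the stored solution on the first verification attempt, whether it succeeds or fails. The session ids, the alphabet and the replay_attack helper are constructed for the example; the returned text stands in for the rendered image.

```ruby
require 'securerandom'

ALPHABET = ('a'..'z').to_a + ('0'..'9').to_a

def random_text(len = 5)
  Array.new(len) { ALPHABET.sample }.join
end

# Persistent variant: the solution is stored in the session when first
# requested and neither replaced on later requests nor cleared after verify.
class PersistentCaptchaServer
  def initialize
    @sessions = Hash.new { |h, k| h[k] = {} }
  end

  def get_captcha(sid)
    @sessions[sid][:solution] ||= random_text   # same CAPTCHA every time
  end

  def verify(sid, answer)
    @sessions[sid][:solution] == answer         # state survives the check
  end
end

# Hardened variant following the recommended flow: new session id and new
# random text on every request; the stored solution is single-use.
class HardenedCaptchaServer
  def initialize
    @sessions = {}
  end

  # Step 2-4: drop the old session, mint a new id, issue fresh random text.
  def get_captcha(old_sid = nil)
    @sessions.delete(old_sid) if old_sid
    sid = SecureRandom.hex(16)
    text = random_text
    @sessions[sid] = { solution: text }
    [sid, text]
  end

  # Verify and clear: the solution is removed before comparison, so a second
  # submission (replay) or a wrong guess both force a new CAPTCHA.
  def verify(sid, answer)
    state = @sessions.delete(sid)
    !state.nil? && secure_compare(state[:solution], answer.to_s)
  end

  private

  # Constant-time comparison so response timing does not leak matching prefixes.
  def secure_compare(a, b)
    a.bytesize == b.bytesize && a.bytes.zip(b.bytes).sum { |x, y| x ^ y }.zero?
  end
end

# Attacker against the persistent server: solve (or brute-force) once, then
# submit the same answer as often as wanted. Returns the number accepted.
def replay_attack(server, sid, solved, attempts)
  attempts.times.count { server.verify(sid, solved) }
end

if __FILE__ == $PROGRAM_NAME
  weak = PersistentCaptchaServer.new
  text = weak.get_captcha('sess1')
  puts "persistent: #{replay_attack(weak, 'sess1', text, 100)} / 100 replays accepted"

  strong = HardenedCaptchaServer.new
  sid, text = strong.get_captcha
  puts "hardened: first verify #{strong.verify(sid, text)}, replay #{strong.verify(sid, text)}"
end
```

Against the persistent server one correct answer is enough for unlimited registrations, and a wrong guess costs nothing because the challenge stays the same. Against the hardened server every submission, right or wrong, consumes the challenge, so OCR brute-forcing over a candidate set collapses to a single guess per image.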
Queries
Thank You!
Gursev Singh Kalra (@igursev) gursev.kalra@foundstone.com http://gursevkalra.blogspot.com http://blog.opensecurityresearch.com