
Attacking CAPTCHAs for Fun and Profit

Gursev Singh Kalra APPSEC DC | April 4, 2012

Who Am I

Principal Consultant with Foundstone (McAfee)
Tools: TesserCap, SSLSmart, and many internal
Security research: web applications, networks, mobile applications, and more
Ruby, C#, Rails

www.foundstone.com 2010, McAfee, Inc.

Research Scope
200+ CAPTCHA schemes analyzed
Scores of websites analyzed for implementation flaws
Known OCR engines used for classification
Custom image preprocessing
Pages covered: register user, recover account/password, contact us and feedback

Quantcast Top 1 Million

CAPTCHA Schemes

CAPTCHA Implementations


CAPTCHAs: More Than Just the Image


Client/server exchange for a typical CAPTCHA-protected registration:

1. Client -> Server: GET /register.php
2. Server: create a SESSIONID for the current registration request
3. Server -> Client: <html> ... <img src=/captcha.php> </html>
4. Client -> Server: GET /captcha.php + SESSIONID
5. Server: generate a random CAPTCHA and store it in the HTTP session
6. Server -> Client: return the CAPTCHA
7. Client -> Server: POST /verify.php + CAPTCHA solution + form fields
8. Server: verify the solution
9. Server -> Client: response

From Here On

Breaching the Client Side Trust

Server Side Attacks

Attacking CAPTCHA Schemes with TesserCap

Let's Play Nice

Breaching the Client Side Trust


Hidden Fields, Client Side Storage and More


Arithmetic CAPTCHAs


Server Side Attacks


CAPTCHA Rainbow Tables


Implementation Flaws
CAPTCHAs are not generated at runtime
Limited number of CAPTCHAs
CAPTCHAs are assigned static index values that are referenced for assignment and verification

Observations
One of the most popular implementations
Seen on very high-traffic websites

CAPTCHA Rainbow Tables


Attacking Static CAPTCHA Identifiers: Numeric Identifier

Identifier   CAPTCHA Solution
0            95C7A
1            58413
2            9D3BF
3            49F1C
4            ABB87
...          ...
99999        D498A

Because the identifier never changes, each image has to be solved only once; afterwards the identifier alone gives the solution.

CAPTCHA Rainbow Tables


Attacking Static CAPTCHA Identifiers: Alphanumeric Identifier

Identifier      CAPTCHA Solution
uJSqsPvjxc6     95C7A
9WzrowjPEqI     58413
nm8SfvtEwpP     9D3BF
fespW5LVqNQ     49F1C
dgLSB1CKJRJ     ABB87
...             ...
QmJF3TQazcH     D498A

An unguessable-looking identifier does not help: the table is keyed on whatever identifier the server hands out, not on its predictability.

CAPTCHA Rainbow Tables


Attacking Dynamic CAPTCHA Identifiers

CAPTCHA MD5 (hash of the image bytes)       CAPTCHA Solution
68ecb8867cd7457421c2eca3227bffbd            95C7A
84a78d24bc9637fcfb152f723b6e8e27            58413
84125db583d64c346d97a74fa9e53848            9D3BF
c6a1ed9477846568cdea62c97e389811            49F1C
e9fa81f69debe45bded7bba4743a8a23            ABB87
...                                         ...
b9df819f6174d6577661e12859226366            D498A

When the identifier changes on every request but the image set is finite, key the table on a hash of the image itself instead of on the identifier.
CAPTCHA Rainbow Tables


Dynamic Identifiers and Changing Images

Write your custom solvers!

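Added example, not code from the talk or from TesserCap: the lookup table from the three slides above, in Python. The CAPTCHA set, the identifiers and the "image" byte strings are constructed stand-ins; `solve_once` stands for a human or OCR solving each image exactly once while the table is built. Keying on an MD5 of the image bytes makes one table serve both the static-identifier and the dynamic-identifier variants.

```python
import hashlib
import random

# Constructed stand-in for a server that does not generate CAPTCHAs at runtime:
# a small, finite set of pre-rendered images with static index values.
# The byte strings are placeholders, not real image data.
STATIC_CAPTCHAS = {
    "0":     (b"IMG-95C7A", "95C7A"),
    "1":     (b"IMG-58413", "58413"),
    "2":     (b"IMG-9D3BF", "9D3BF"),
    "3":     (b"IMG-49F1C", "49F1C"),
    "4":     (b"IMG-ABB87", "ABB87"),
    "99999": (b"IMG-D498A", "D498A"),
}


def get_captcha_by_static_id(identifier):
    """Stand-in for GET /get_captcha.php?id=<static id>: returns the image bytes only."""
    return STATIC_CAPTCHAS[identifier][0]


def get_captcha_by_dynamic_id(rng=random):
    """Stand-in for the 'dynamic identifier' variant: a fresh random identifier on
    every request, but still mapped onto the same finite image set."""
    static_id = rng.choice(sorted(STATIC_CAPTCHAS))
    dynamic_id = "%032x" % rng.getrandbits(128)
    return dynamic_id, STATIC_CAPTCHAS[static_id][0]


def solve_once(image_bytes):
    """Stand-in for solving one image by hand or OCR while the table is built.
    It reads the answer out of the placeholder bytes; a real attacker would look
    at the picture."""
    return image_bytes.split(b"-", 1)[1].decode()


def image_fingerprint(image_bytes):
    """Key the table on a hash of the image, as on the 'CAPTCHA MD5' slide, so the
    lookup works whether the server's identifier is static or dynamic."""
    return hashlib.md5(image_bytes).hexdigest()


def build_rainbow_table(identifiers):
    """Enumerate every identifier once and record fingerprint -> solution."""
    table = {}
    for ident in identifiers:
        img = get_captcha_by_static_id(ident)
        table[image_fingerprint(img)] = solve_once(img)
    return table


def lookup_solution(table, image_bytes):
    """Answer a freshly served CAPTCHA without solving it: one dictionary lookup.
    Returns None for an image that was not in the enumerated set."""
    return table.get(image_fingerprint(image_bytes))


if __name__ == "__main__":
    table = build_rainbow_table(STATIC_CAPTCHAS)
    for _ in range(3):
        dyn_id, img = get_captcha_by_dynamic_id()
        print(dyn_id, "->", lookup_solution(table, img))
```

Against a real target the enumeration loop is the only expensive step, and it is paid once; after that every served CAPTCHA is answered by hashing the bytes the server just sent.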

Chosen CAPTCHA Identifier Attack


1. Client -> Server: GET /captcha.php + SESSIONID
2. Server: pick a random CAPTCHA identifier from the finite set of CAPTCHA values
3. Server -> Client: <html> <img (CAPTCHA) + Identifier>
4. Client -> Server: POST /verify.php + SESSIONID + Solution + Identifier
5. Server: use the identifier to retrieve the CAPTCHA solution and verify the solution

The identifier travels through the client in steps 3 and 4, so a client that already holds identifier-to-solution pairs can submit any identifier it has solved before instead of the one it was given.

CAPTCHA Fixation Attack


1. Client -> Server: GET /captcha.php + SESSIONID
2. Server: pick a random CAPTCHA ID from the finite set of CAPTCHA values
3. Server -> Client: HTTP/1.1 302 Moved Temporarily, Location: /get_captcha.php?id=captchaID
4. Client -> Server: GET /get_captcha.php?id=captchaID + SESSIONID
5. Server: set the CAPTCHA ID or solution in the HTTP session
6. Server -> Client: CAPTCHA
< CAPTCHA verification >

CAPTCHA Fixation Attack


1. Client -> Server: GET /captcha.php + SESSIONID
2. Server: pick a random CAPTCHA ID from the finite set of CAPTCHA values
3. Server -> Client: HTTP/1.1 302 Moved Temporarily, Location: /get_captcha.php?id=captchaID
4. Client -> Server: GET /get_captcha.php?id=evil_ID + SESSIONID (the client ignores the redirect target and requests an ID whose solution it already knows)
5. Server: set the client-chosen CAPTCHA ID and/or its solution in the HTTP session
6. Server -> Client: CAPTCHA
< CAPTCHA verification > succeeds with the solution for evil_ID
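Added example, not code from the talk: two constructed toy servers in Python that reproduce the flaw in the chosen-identifier flow and in the fixation flow above, and the attack against each. The finite CAPTCHA set, the single solved entry in the attacker's table, and the method names are assumptions standing in for the PHP endpoints on the slides.

```python
import secrets

# Constructed finite CAPTCHA set (identifier -> solution), as on the rainbow
# table slides. The server knows the whole table; the attacker has solved one entry.
CAPTCHA_SET = {
    "0": "95C7A", "1": "58413", "2": "9D3BF",
    "3": "49F1C", "4": "ABB87", "99999": "D498A",
}
ATTACKER_TABLE = {"99999": "D498A"}   # one solved entry is enough for both attacks


class ChosenIdentifierServer:
    """Flaw from the 'Chosen CAPTCHA Identifier Attack' slide: the identifier is
    embedded in the page and the client sends it back together with the solution."""

    def captcha_php(self, session_id):
        return secrets.choice(list(CAPTCHA_SET))          # identifier shown next to the image

    def verify_php(self, session_id, identifier, solution):
        # The session is never consulted; the client-supplied identifier decides
        # which stored solution the answer is compared against.
        return CAPTCHA_SET.get(identifier) == solution


class FixationServer:
    """Flaw from the 'CAPTCHA Fixation Attack' slides: /captcha.php redirects to
    /get_captcha.php?id=..., and whatever id arrives at that second URL is what
    gets stored in the session."""

    def __init__(self):
        self.sessions = {}                                 # session_id -> fixed captcha id

    def captcha_php(self, session_id):
        # 302 Moved Temporarily; from here on the Location is under the client's control.
        return "/get_captcha.php?id=" + secrets.choice(list(CAPTCHA_SET))

    def get_captcha_php(self, session_id, identifier):
        self.sessions[session_id] = identifier             # fixed straight from the request
        return b"<image bytes>"                            # placeholder, not image data

    def verify_php(self, session_id, solution):
        identifier = self.sessions.get(session_id)
        return CAPTCHA_SET.get(identifier) == solution


def chosen_identifier_attack(server, session_id):
    """Ignore the identifier the server offered; submit one we have already solved."""
    server.captcha_php(session_id)
    identifier, known = next(iter(ATTACKER_TABLE.items()))
    return server.verify_php(session_id, identifier, known)


def fixation_attack(server, session_id):
    """Ignore the id in the redirect; request the image for an id we have already
    solved so that the server fixes that id in our session, then answer it."""
    server.captcha_php(session_id)
    identifier, known = next(iter(ATTACKER_TABLE.items()))
    server.get_captcha_php(session_id, identifier)
    return server.verify_php(session_id, known)


if __name__ == "__main__":
    print("chosen identifier:", chosen_identifier_attack(ChosenIdentifierServer(), "sess-1"))
    print("fixation:", fixation_attack(FixationServer(), "sess-2"))
```

In both cases the server does store or receive an identifier, but the value it ends up trusting was selected by the client; the fix on the closing slides is that the client never sees or supplies an identifier at all.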

Persistent CAPTCHAs

The same CAPTCHA was returned for any number of registration attempts, so its solution can be brute-forced at leisure.

CAPTCHA Re-Riding Attack


1. Client -> Server: GET /captcha.php + SESSIONID
2. Server: create a random CAPTCHA
3. Server: set the CAPTCHA solution in the HTTP session
4. Server -> Client: CAPTCHA
5. Client -> Server: POST /verify.php + SESSIONID + Solution
6. Server: verify the CAPTCHA
7. Server: clear the CAPTCHA state or the SESSION (the step that is missing)
8. Server -> Client: response

Without step 7 the solution stays in the session, so several successful submits are possible with a single solution.

In Session CAPTCHA Brute-Force


1. Client -> Server: GET /captcha.php
2. Server: create a random CAPTCHA
3. Server: set the CAPTCHA solution in the HTTP session
4. Server -> Client: CAPTCHA
5. Client -> Server: POST /verify.php + SESSIONID + Solution
6. Server: verify the CAPTCHA
7. Server: clear the CAPTCHA state or the SESSION (the step that is missing)
8. Server -> Client: response

Without step 7 a failed verification leaves the same solution in the session, so the client can brute-force the CAPTCHA solution with a large number of requests against one session instead of fetching a new CAPTCHA each time.
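Added example, not code from the talk: a constructed Python server that performs steps 1 to 6 of the two flows above but omits step 7, plus the re-riding attack and the in-session brute force run against it. The alphabet, the text length and the endpoint names are assumptions; the "image" is a placeholder that `solve_once` reads back, standing for a human or OCR solving it once.

```python
import itertools
import secrets


class LeakyStateServer:
    """Constructed server that stores the solution in the session on step 3 and
    never clears it (no step 7), whether verification succeeds or fails."""

    def __init__(self, alphabet, length):
        self.alphabet = alphabet
        self.length = length
        self.sessions = {}          # session_id -> current solution
        self.verify_calls = 0       # how many /verify.php requests were served

    def captcha_php(self, session_id):
        solution = "".join(secrets.choice(self.alphabet) for _ in range(self.length))
        self.sessions[session_id] = solution
        return b"<image of " + solution.encode() + b">"   # placeholder image; see solve_once

    def verify_php(self, session_id, submitted):
        self.verify_calls += 1
        return self.sessions.get(session_id) == submitted  # nothing is cleared afterwards


def solve_once(image):
    """Stand-in for a human or OCR reading the placeholder image one time."""
    return image[len(b"<image of "):-1].decode()


def re_riding_attack(server, session_id, submits):
    """Solve one CAPTCHA and submit the same answer repeatedly.
    Returns how many of the submits the server accepted."""
    solution = solve_once(server.captcha_php(session_id))
    return sum(1 for _ in range(submits) if server.verify_php(session_id, solution))


def in_session_brute_force(server, session_id):
    """Fetch one CAPTCHA, never look at it, and guess against the same session
    until the server says yes. Returns the number of guesses that were needed."""
    server.captcha_php(session_id)
    for guesses, candidate in enumerate(
            itertools.product(server.alphabet, repeat=server.length), 1):
        if server.verify_php(session_id, "".join(candidate)):
            return guesses
    return None     # not reached while the solution is drawn from the same alphabet


def sample_space(alphabet, length):
    """Upper bound on the requests the brute force needs: |alphabet| ** length."""
    return len(alphabet) ** length


if __name__ == "__main__":
    big = LeakyStateServer("ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789", 5)
    print("re-riding accepted", re_riding_attack(big, "s1", 25), "of 25 submits")
    small = LeakyStateServer("0123456789", 3)
    print("brute force succeeded after", in_session_brute_force(small, "s2"),
          "of at most", sample_space("0123456789", 3), "requests")
```

The brute force is run with a deliberately small alphabet so it finishes instantly; the point is not the size of the space but that every guess is checked against the same unchanged solution, so the bound is reached with no image processing at all.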

OCR Assisted CAPTCHA Brute-Force

OCR 1 reads:  rGsyg
OCR 2 reads:  r6sy9
Combined character sample space:  r[G6]sy[g9]
Candidates to submit include r6sy9 and r6syg (four combinations in all)

OCR Assisted CAPTCHA Brute-Force

Solve the CAPTCHA with an OCR
Brute-force the uncertain characters over the sample space
Continue. Or better: refresh the SessionID for a new CAPTCHA!?
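Added example, not code from the talk: merging several OCR readings of one CAPTCHA into the per-character sample space shown above, expanding it into candidate answers, and deciding whether the space is small enough to brute-force or whether refreshing the session for a new CAPTCHA is the better move. The readings and the request budget are constructed inputs; the function names are my own.

```python
import itertools


def merge_ocr_readings(readings):
    """Per-position candidate lists from several OCR readings of one CAPTCHA.
    Characters keep their order of first appearance, so the result reads like
    the original readings. Readings of different length mean the OCRs
    segmented differently, which has to be fixed before merging."""
    lengths = {len(r) for r in readings}
    if len(lengths) != 1:
        raise ValueError("readings disagree on length; fix segmentation first")
    return [list(dict.fromkeys(chars)) for chars in zip(*readings)]


def candidate_pattern(candidates):
    """Compact notation such as r[G6]sy[g9]."""
    return "".join(c[0] if len(c) == 1 else "[" + "".join(c) + "]" for c in candidates)


def candidate_count(candidates):
    """Size of the sample space: product of the per-position candidate counts."""
    n = 1
    for c in candidates:
        n *= len(c)
    return n


def expand_candidates(candidates):
    """Every string in the sample space, in submission order."""
    return ["".join(p) for p in itertools.product(*candidates)]


def plan_attack(readings, budget):
    """Brute-force the sample space if it fits the per-CAPTCHA request budget,
    otherwise give up on this image and fetch a new one (refresh the session)."""
    candidates = merge_ocr_readings(readings)
    if candidate_count(candidates) <= budget:
        return "brute-force", expand_candidates(candidates)
    return "refresh", []


if __name__ == "__main__":
    merged = merge_ocr_readings(["rGsyg", "r6sy9"])
    print(candidate_pattern(merged), candidate_count(merged), expand_candidates(merged))
    print(plan_attack(["rGsyg", "r6sy9", "rG5y9"], budget=10))
```

The plan step is where the slide's "or better: refresh" question becomes a number: with a budget of a few requests per CAPTCHA, a space that grows to eight or sixteen candidates is usually not worth spending on when a new image may be read unambiguously.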

Attacking CAPTCHAs with TesserCap


The Victims


The Weapon TesserCap


TesserCap Introduction

Pipeline:

1. Retrieve the CAPTCHA
2. 8-stage image preprocessing (produces the preprocessed CAPTCHA)
3. Tesseract OCR engine
4. Extracted text (example: HMLR)

TesserCap Demonstrations


Spatial Filters

Image source: Digital Image Processing, Second Edition, by Gonzalez and Woods

Spatial Filters in Action

Image source: Digital Image Processing, Second Edition, by Gonzalez and Woods
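Added example, not TesserCap code: two of the neighbourhood operations the spatial-filter slides refer to (a 3x3 median filter and a 3x3 box blur, in the sense of Gonzalez and Woods), followed by a threshold to binarize for the OCR stage. They run on a constructed 5x7 grayscale grid containing a two-pixel-wide stroke and two isolated noise specks; the grid, the window size and the threshold level are assumptions.

```python
# Constructed 5x7 grayscale image: 0 = black, 255 = white. Columns 3-4 carry a
# two-pixel-wide stroke; (row 0, col 0) and (row 2, col 5) are isolated specks.
NOISY = [
    [  0, 255, 255,   0,   0, 255, 255],
    [255, 255, 255,   0,   0, 255, 255],
    [255, 255, 255,   0,   0,   0, 255],
    [255, 255, 255,   0,   0, 255, 255],
    [255, 255, 255,   0,   0, 255, 255],
]


def neighbourhood(image, y, x, radius=1):
    """Pixels in the (2*radius+1)^2 window around (y, x). The window is clipped at
    the image border rather than padded, so border pixels see fewer neighbours."""
    h, w = len(image), len(image[0])
    return [image[yy][xx]
            for yy in range(max(0, y - radius), min(h, y + radius + 1))
            for xx in range(max(0, x - radius), min(w, x + radius + 1))]


def median_filter(image, radius=1):
    """Non-linear smoothing: each pixel becomes the median of its window.
    Isolated specks vanish; strokes wider than the radius survive, which is why
    a one-pixel-wide stroke would be eroded by this same filter."""
    out = []
    for y in range(len(image)):
        row = []
        for x in range(len(image[0])):
            window = sorted(neighbourhood(image, y, x, radius))
            row.append(window[len(window) // 2])
        out.append(row)
    return out


def box_blur(image, radius=1):
    """Linear smoothing: each pixel becomes the rounded mean of its window.
    Edges get softened rather than removed, so it suits speckle less well."""
    out = []
    for y in range(len(image)):
        row = []
        for x in range(len(image[0])):
            window = neighbourhood(image, y, x, radius)
            row.append(round(sum(window) / len(window)))
        out.append(row)
    return out


def threshold(image, level=128):
    """Binarize for the OCR stage: anything darker than level becomes ink (0)."""
    return [[0 if p < level else 255 for p in row] for row in image]


if __name__ == "__main__":
    for label, img in (("noisy", NOISY), ("median", median_filter(NOISY)),
                       ("blur+threshold", threshold(box_blur(NOISY)))):
        print(label)
        for row in img:
            print("".join("#" if p == 0 else "." for p in row))
```

Running it shows why a preprocessing chain is ordered the way it is: the median pass removes both specks while leaving the stroke intact, whereas a blur alone only greys the specks out and relies on the threshold to finish the job.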

TesserCap Results
CAPTCHA Provider       Accuracy
Captchas.net           40-50%
Opencaptcha.com        20-30%
Snaphost.com           60+%
Captchacreator.com     10-20%
www.phpcaptcha.org     10-20%
webspamprotect.com     40+%
ReCaptcha              0%

TesserCap Results
Website             Accuracy    Quantcast Rank
Wikipedia           20-30%      7
Ebay                20-30%      11
Reddit.com          20-30%      68
CNBC                50+%        121
Foodnetwork.com     80-90%      160
Dailymail.co.uk     30+%        245
Megaupload.com      80+%        1000
Pastebin.com        70-80%      32,534
Cavenue.com         80+%        149,645

Let's Play Nice, a.k.a. Conclusion

A Secure CAPTCHA Implementation


1. Client -> Server: GET /captcha.php + SESSIONID (whatever session the client presents)
2. Server: create a new SESSIONID
3. Server: create a new CAPTCHA with random text
4. Server: set the CAPTCHA solution in the HTTP session
5. Server -> Client: CAPTCHA + the new SESSIONID
6. Client -> Server: POST /verify.php + SESSIONID + Solution
7. Server: verify the CAPTCHA
8. Server: clear the CAPTCHA state or the HTTP SESSION
9. Server -> Client: response

A Secure CAPTCHA Implementation


No client influence on, or knowledge about, the CAPTCHA content
Random, with a large sample space
High complexity for image preprocessing, segmentation and classification
The client should not have direct access to the CAPTCHA solution
No CAPTCHA reuse
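Added example, not the author's code: a Python model of the secure flow and principles above, with checks that the re-riding, in-session brute-force and fixation patterns from the earlier slides no longer work against it. Only the CAPTCHA state is modelled (a real application would regenerate its session id and carry the rest of the session across); the alphabet, the text length and the method names are assumptions.

```python
import hmac
import secrets
import string

ALPHABET = string.ascii_uppercase + string.digits   # assumed scheme alphabet
LENGTH = 5                                          # assumed text length


class SecureCaptchaServer:
    """Constructed implementation of the nine-step flow on the slide above."""

    def __init__(self):
        self.sessions = {}   # session id -> pending solution (server side only)

    def captcha_php(self, presented_session_id=None):
        # Step 2: the session the client presented is discarded and a new one minted,
        # so nothing a client did with an earlier session carries over.
        self.sessions.pop(presented_session_id, None)
        new_session_id = secrets.token_urlsafe(32)
        # Step 3: fresh random text from a CSPRNG; the client had no say in it.
        solution = "".join(secrets.choice(ALPHABET) for _ in range(LENGTH))
        # Step 4: the solution lives only in the server-side session.
        self.sessions[new_session_id] = solution
        # Step 5: the client receives the rendered image and the new session id;
        # there is no identifier to choose, fix or replay. Image bytes are a placeholder.
        return new_session_id, b"<image bytes>"

    def verify_php(self, session_id, submitted):
        # Steps 7-8: the pending solution is removed before the comparison, so right
        # or wrong this CAPTCHA is spent; every attack gets exactly one attempt.
        expected = self.sessions.pop(session_id, None)
        if expected is None:
            return False
        return hmac.compare_digest(expected.encode(), submitted.encode())

    def pending_solution(self, session_id):
        """Server-side view used by the checks below; never exposed to the client."""
        return self.sessions.get(session_id)


def check_single_use(server):
    """Re-riding: a correct answer works once and never again."""
    sid, _ = server.captcha_php()
    solution = server.pending_solution(sid)
    return server.verify_php(sid, solution), server.verify_php(sid, solution)


def check_guess_burns_captcha(server):
    """In-session brute force: one wrong guess and even the real answer is refused."""
    sid, _ = server.captcha_php()
    solution = server.pending_solution(sid)
    return server.verify_php(sid, "NOTIT"), server.verify_php(sid, solution)


def check_new_session_per_captcha(server):
    """Fixation: presenting an old session id does not keep its old state alive."""
    sid1, _ = server.captcha_php()
    sid2, _ = server.captcha_php(sid1)
    return sid1 != sid2, server.pending_solution(sid1) is None


if __name__ == "__main__":
    srv = SecureCaptchaServer()
    print("single use (ok, replay):", check_single_use(srv))
    print("wrong guess then right (guess, real):", check_guess_burns_captcha(srv))
    print("new session (differs, old cleared):", check_new_session_per_captcha(srv))
```

Clearing the state before comparing, rather than only on success, is the detail that closes both the re-riding and the in-session brute-force paths at once; a brute force is then bounded to one guess per image fetched, and each fetch costs the attacker a fresh CAPTCHA.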

Queries


Thank You!
Gursev Singh Kalra (@igursev) gursev.kalra@foundstone.com http://gursevkalra.blogspot.com http://blog.opensecurityresearch.com