I have a web application I am doing a security assessment on and it uses captcha
Question
I have a web application I am doing a security assessment on and it uses captcha for both the login and for certain operations inside the app. The interesting thing is that this particular app displays the text of the captcha right under it (users complained, so...), so it would be feasible to rig something up to read the captcha text and use that, enabling the scan to be automated. Can anyone point to a resource that would help me script this? I use IBM appscan and Burp Suite.
Without that text, though, I'm limited to hand testing. Would it be fair to say that these captchas make the app immediately more secure because it is resistant to automated scans?
Explanation / Answer
In your question, you mention that the app displays the text of the captcha right under it. If you mean that the correct answer to the captcha challenge is displayed to the user as text in addition to its display in an image, then it should be a simple matter to script an automated scan. Your script would be able to complete the login process by reading the text of the captcha answer from the web page, and then providing that answer in the proper field.
I haven't used the tools you're using, so I'm not familiar with scripting capabilities that they might provide. But in Python, you could use urllib to implement this capability. In Perl, you could use LWP.
In my opinion, using a captcha can reduce some risks in a web application, especially risks related to a new-user enrollment process being abused by automated (non-human) clients. It could help as a part of a login form for existing users, but to a lesser extent. A well designed login form should protect itself from brute force login attempts, even without a captcha (for instance, by limiting the number of failed login attempts possible in a given time period for the same user account or client IP address).
And of course, displaying the answer to a captcha challenge in text pretty much removes the usefulness of having a captcha to begin with. At that point, the implementation is inconveniencing the user while providing no security benefit.
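The answer makes two defensive points: the captcha answer must stay server-side (never echoed into the page), and the login form should throttle failed attempts per account and per client IP regardless of the captcha. The following is an added example written for this page, not code from the question, the answer, or any product mentioned above. It is a self-contained, framework-free sketch: `LoginGuard`, the field names, the lockout threshold and window, and the sample credentials are all constructed for illustration.

```python
"""Added example (not from the original question or answer): a minimal
server-side login guard showing the two points the answer makes.
Every name and value here is constructed for illustration."""
import hmac
import secrets
import time
from collections import defaultdict, deque
from html import escape

ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"   # no 0/O or 1/I look-alikes


class LoginGuard:
    """Tracks failed logins in a sliding window and issues single-use captchas.

    verify_password(username, password) -> bool is supplied by the caller.
    clock is injectable so the window logic can be tested deterministically.
    """

    def __init__(self, verify_password, max_failures=5, window=300,
                 clock=time.monotonic):
        self.verify_password = verify_password
        self.max_failures = max_failures
        self.window = window
        self.clock = clock
        self._failures = defaultdict(deque)   # key -> timestamps of failures
        self._captchas = {}                   # challenge id -> expected answer

    # --- failed-attempt throttling (per account and per client IP) ---------
    def _prune(self, key):
        q = self._failures[key]
        now = self.clock()
        while q and now - q[0] > self.window:   # drop entries outside window
            q.popleft()
        return q

    def is_locked(self, key):
        return len(self._prune(key)) >= self.max_failures

    def record_failure(self, key):
        self._prune(key).append(self.clock())

    # --- captcha issuance and verification ---------------------------------
    def new_captcha(self):
        """Returns (challenge_id, answer). The answer is meant to go only to
        the image renderer, never into the HTML served to the client."""
        challenge_id = secrets.token_hex(8)
        answer = "".join(secrets.choice(ALPHABET) for _ in range(6))
        self._captchas[challenge_id] = answer
        return challenge_id, answer

    def render_login_form(self, challenge_id):
        """Only the opaque challenge id reaches the page; the answer does not."""
        cid = escape(challenge_id)
        return (
            "<form method='post' action='/login'>"
            "<input name='username'><input name='password' type='password'>"
            f"<img src='/captcha/{cid}.png' alt='captcha'>"
            f"<input type='hidden' name='challenge_id' value='{cid}'>"
            "<input name='captcha'><button>Log in</button></form>"
        )

    def check_captcha(self, challenge_id, submitted):
        expected = self._captchas.pop(challenge_id, None)   # single use
        return expected is not None and hmac.compare_digest(
            expected, submitted.strip().upper())

    # --- the login decision ------------------------------------------------
    def attempt_login(self, username, client_ip, password, challenge_id, captcha):
        keys = (f"user:{username}", f"ip:{client_ip}")
        if any(self.is_locked(k) for k in keys):
            return "locked"                       # throttle before any checking
        if not self.check_captcha(challenge_id, captcha):
            for k in keys:
                self.record_failure(k)
            return "bad_captcha"
        if not self.verify_password(username, password):
            for k in keys:
                self.record_failure(k)
            return "bad_password"
        for k in keys:                            # success clears the counters
            self._failures.pop(k, None)
        return "ok"
```

The assessment check implied by the question is the `render_login_form` property: the captcha answer must not be findable anywhere in the served HTML. The lockout keys on both the account and the client IP so that neither a single-account brute force nor a spread of accounts from one source goes unthrottled, and a correct login resets the counters so a legitimate user is not locked out by old noise.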