Way to break 100% VisualCaptcha via checksum #24
Comments
Wow, this is great! Thanks for the thorough exposition and explanation here (and for doing your research and understanding why certain things happen the way they do).
I'm currently focused on Oikon, and very open to taking in and reviewing PRs for visualCaptcha! Thanks again.
Hello Bruno, thanks for your feedback and your comment. Yes, I meant "degrade the images". I well understand that the UX is more important for VisualCaptcha than solving this kind of security issue, but there are some solutions to not degrade the pictures too much and add some security features, like:
So, how to increase the VisualCaptcha picture database without adding thousands of images? Some ideas:
These are just a few ideas, but they could improve the solution I think. In any case, if UX is the goal of VisualCaptcha, there will always be an opportunity to "break" this solution relying on security through obscurity. Sincerely,
I love that you've documented these here for others to take ideas from (to improve their own implementations of visualCaptcha). These are all things people can do on their own implementations. Some become too hard to circumvent if we implement a "generic" solution, like the IP one, maybe even the timer one. Different types of colors also start getting in the way of people with color blindness. Increasing the image database is definitely something that could be easily done. The LSB is also an interesting technique.
@BrunoBernardino You need to change random pixels to mess up basic attackers. It won't prevent sophisticated attacks, but it's a start. Implementing IP-based blocking is a bad idea - too many Wi-Fi networks are plagued by this.
Hello VisualCaptcha-Team, Is this project still actively maintained? Because right now it's essentially been broken for almost 4 years and there were no updates on this issue. As previously mentioned this software provides basically no additional security against bots or automated scripts. It can be omitted with very little effort. If you don't plan on updating the project anymore you should take it down? Regards,
Hello VisualCaptcha team,
I have worked with the VisualCaptcha solution for several months, on my projects and during security audits.
As a penetration tester, I recently encountered an old VisualCaptcha solution (branch 5.x with API endpoints /start and /image) integrated into a CMS. I worked on this to find a way to break it, and it was successful with this methodology:
After this successful scenario I tried my script on the latest VisualCaptcha version (available on demo.visualcaptcha.com) and it doesn't work...
I dug again to understand "why doesn't it work on the latest version, and what security mechanism was added?", then I found this issue: #2
Random bytes are added to each PNG (and audio) file delivered to the client's browser. This is the reason why my PNG checksum calculation failed (two visually identical PNGs are not the same under checksum comparison).
So I updated my script to convert each PNG downloaded to JPG. This conversion deletes all the additional random data to make a comparable JPG file with the same checksum every time.
Via this mechanism, the final script works on all VisualCaptcha 5.x versions, with random bytes added or not, and with a 100% success rate (because the captcha solution is based on a limited image database).
I encountered this kind of captcha several times (they are really appreciated for equipment like smartphones or tablets), so I decided to create a generic "VisualCaptchaBreaker" script to demonstrate the feasibility of breaking this solution.
You can find the full script, default database and sample here:
https://github.com/yanncam/VisualCaptchaBreaker
Demonstration video against the demo.visualcaptcha.net page :
https://www.youtube.com/watch?v=fkfeDQqXNdk
I know that VisualCaptcha has already been broken in the past (described in issues), but no generic script was created (usable with BurpSuite, proxy, custom configuration, etc.).
And other methods are OCR-based or need an image-analysis library (slower). None of them seems to exploit the "simple checksum" method with JPG conversion.
I think VisualCaptcha can be updated to add more randomization in image/audio to produce different checksum in PNG and after JPG conversion.
It's not a long-term solution, VisualCaptcha will be broken again via OCR or image-analysis method, but it will take more time for a potential attacker.
Plus, what do you think about the idea to add a "timer" (several seconds) between the "/start" call (captcha initialization) and the form submit with the captcha verification? For a simple "contact form" a user doesn't need to send the form less than 1 sec after it was displayed, so scripting attacks against the form (and the captcha) will be slower.
VisualCaptcha is a good and well designed solution, but like all other "limited static-image database captcha solutions", it can be broken.
Thanks for your reading and your interest,
Do not hesitate to contact me for more information,
Sincerely,
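As an added illustration (not the project's code) of why the change from issue #2 does not alter what a decoder sees while the pixel-noise suggestion from the comments does: a constructed 8x8 image is written as a minimal PNG; appending random bytes changes the file hash but not the hash of the decoded pixels, whereas flipping a few random pixels changes both. The PNG writer and reader, the sample image, and the modelling of the #2 change as bytes appended after IEND are assumptions of this example.

```python
import hashlib
import os
import random
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def _chunk(tag, data):
    body = tag + data
    return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)

def encode_png(pixels, w, h):
    """Minimal 8-bit RGB PNG writer (filter type 0 on every row)."""
    raw = b"".join(b"\x00" + pixels[y * w * 3:(y + 1) * w * 3] for y in range(h))
    ihdr = struct.pack(">IIBBBBB", w, h, 8, 2, 0, 0, 0)
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")

def decode_pixels(png):
    """Return the RGB bytes a viewer renders; reading stops at IEND, so trailing bytes are ignored."""
    pos, idat, w, h = len(PNG_SIG), b"", 0, 0
    while pos + 8 <= len(png):
        (n,) = struct.unpack(">I", png[pos:pos + 4])
        tag, data = png[pos + 4:pos + 8], png[pos + 8:pos + 8 + n]
        if tag == b"IHDR":
            w, h = struct.unpack(">II", data[:8])
        elif tag == b"IDAT":
            idat += data
        elif tag == b"IEND":
            break
        pos += 12 + n  # length + tag + data + crc
    stride = w * 3 + 1
    raw = zlib.decompress(idat)
    return b"".join(raw[y * stride + 1:(y + 1) * stride] for y in range(h))  # drop filter byte

def perturb_pixels(pixels, w, h, seed, count=4):
    """Flip the low bit of `count` random samples: a change that survives decoding (assumed model of pixel noise)."""
    rng, buf = random.Random(seed), bytearray(pixels)
    for i in rng.sample(range(w * h * 3), count):
        buf[i] ^= 0x01
    return bytes(buf)

def sha256(b):
    return hashlib.sha256(b).hexdigest()

def compare_mitigations(pixels, w, h, seed=1):
    clean = encode_png(pixels, w, h)
    padded = clean + os.urandom(32)  # assumed model of the #2 change: random bytes after IEND
    perturbed = encode_png(perturb_pixels(pixels, w, h, seed), w, h)  # pixel-level noise
    return {
        "file_hash_differs_after_padding": sha256(clean) != sha256(padded),
        "pixel_hash_differs_after_padding": sha256(decode_pixels(clean)) != sha256(decode_pixels(padded)),
        "pixel_hash_differs_after_perturb": sha256(decode_pixels(clean)) != sha256(decode_pixels(perturbed)),
    }

# Constructed 8x8 sample image (RGB gradient), not a real captcha image.
SAMPLE_W, SAMPLE_H = 8, 8
SAMPLE_PIXELS = bytes((x * 31 + y * 17 + c * 5) & 0xFF for y in range(SAMPLE_H) for x in range(SAMPLE_W) for c in range(3))
```

Only the second flag is the one a checksum-based matcher cares about; a mitigation that leaves it False is invisible once the file is re-decoded, which is the gap the issue describes.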