Wednesday, March 7, 2012

Attacking CAPTCHAs for Fun and Profit

A “Completely Automated Public Turing test to tell Computers and Humans Apart,” or “CAPTCHA,” is used to prevent automated software from performing actions that degrade the quality of service of a given system. CAPTCHAs aim to ensure that the users of applications are human and ultimately aid in preventing unauthorized access and abuse. To analyze the strength of CAPTCHA implementations on the Internet, research was conducted covering several high-traffic websites. During the research CAPTCHA protection on three types of forms were
• Registration pages
• Forgotten password functionality
• User comment fields for blog posts, news articles, and other content
The vulnerabilities identified during the research were classified into three broad categories: breaching client-side trust, manipulating server-side implementation, and attacking the CAPTCHA image. In this paper, we will look at the interesting and the most common vulnerabilities identified during the research.