Three common captcha vulnerabilities and their fixes

  • 2020-12-20 03:44:02
  • OfStack

Storing the captcha in a cookie

Normally the captcha value is stored in Session, and the value the user submits is compared against it to decide whether the input is correct. Because Session takes up server resources, it is tempting to hash the captcha value and store it in a cookie instead, with no server-side state at all. That turns out to be wishful thinking.

Suppose the captcha value is a, the server hashes it with SHA-1 to get b = sha1(a), and puts b in a cookie. (SHA-1 is a hash, not encryption; the server is not hiding a, it only needs to be able to recompute the hash.) When the user submits a value c, the server checks whether sha1(c) equals b. But the cookie is under the client's control. A user who has seen one captcha with value a, and read its hash b out of the cookie, can pass every later check by setting the cookie back to b and submitting a, regardless of which captcha the server actually generated for that request.
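The replay described above, as an added example that is not part of the original article. It is written in Python rather than the article's C#, since the logic is the same in any stack; the server secret, the nonce-tracking server and the captured answer "x7k2q" are all assumptions made for the demonstration. It also goes one step past the text: a keyed HMAC instead of a bare SHA-1 stops the client from forging a cookie for a chosen answer, but does nothing against replay, and the only thing that does is a per-challenge nonce the server remembers, which is exactly the server-side state the cookie idea was meant to avoid.

```python
import hashlib
import hmac
import secrets

# Assumption: a per-process server key; the article's scheme has no such secret.
SERVER_SECRET = secrets.token_bytes(32)


def issue_sha1_cookie(answer: str) -> str:
    """The article's scheme: b = sha1(a) goes into the cookie, nothing is kept server-side."""
    return hashlib.sha1(answer.encode()).hexdigest()


def verify_sha1_cookie(submitted: str, cookie: str) -> bool:
    return hmac.compare_digest(issue_sha1_cookie(submitted), cookie)


def issue_hmac_cookie(answer: str) -> str:
    """Keyed variant: the client cannot forge b for a chosen a without SERVER_SECRET."""
    return hmac.new(SERVER_SECRET, answer.encode(), hashlib.sha256).hexdigest()


def verify_hmac_cookie(submitted: str, cookie: str) -> bool:
    return hmac.compare_digest(issue_hmac_cookie(submitted), cookie)


class NonceServer:
    """Stateful variant: the cookie carries a nonce the server accepts exactly once."""

    def __init__(self):
        self.unused = set()  # the server-side state the cookie idea tried to avoid

    def issue(self, answer: str) -> str:
        nonce = secrets.token_hex(8)
        self.unused.add(nonce)
        tag = hmac.new(SERVER_SECRET, f"{nonce}:{answer}".encode(), hashlib.sha256).hexdigest()
        return f"{nonce}:{tag}"

    def verify(self, submitted: str, cookie: str) -> bool:
        nonce, _, tag = cookie.partition(":")
        if nonce not in self.unused:
            return False               # never issued, or already spent
        self.unused.discard(nonce)     # spent whether or not the answer is right
        expected = hmac.new(SERVER_SECRET, f"{nonce}:{submitted}".encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, tag)


def replay_attack(issue, verify, attempts: int = 100) -> int:
    """Attacker solves one captcha (a), captures its cookie (b), then replays (a, b)
    on every later request instead of solving the fresh challenge.
    Returns how many of the replays the server accepts."""
    a = "x7k2q"      # constructed: the one answer the attacker read off an image
    b = issue(a)     # captured from the Set-Cookie header of that single response
    accepted = 0
    for _ in range(attempts):
        issue(secrets.token_hex(3))  # server issues a fresh challenge; attacker ignores it
        if verify(a, b):
            accepted += 1
    return accepted
```

Against both stateless variants replay_attack accepts every one of the 100 replays; against NonceServer it accepts exactly one, the first, after which the nonce is gone. A short expiry baked into the cookie would bound the window but not close it.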

No non-null check

This one is easiest to show in code:


// Vulnerable: if neither side has a value, null == null is true
if (Request["captcha"] == Session["captcha"] as string)
{
    // Verify pass, proceed
}

Suppose the user bypasses the form the site provides and posts the data directly, before any captcha has been generated: Session["captcha"] is null. If the request carries no captcha field, Request["captcha"] is null as well, the two nulls compare equal, and the check passes.

The fix is a non-null check on the submitted value:


// Fixed: an absent or empty submission can no longer match an absent session value
if (!String.IsNullOrEmpty(Request["captcha"]) &&
    Request["captcha"] == Session["captcha"] as string)
{
    // Verify pass, proceed
}

The captcha is not destroyed in time

Captcha handling should follow one rule: once a value has been compared, it is destroyed immediately, whether the user's input was right or wrong.

Otherwise two things can happen:

  • If the user's answer is wrong and the captcha is not regenerated, the same image can be attacked again until the answer is right. A machine solver may have a low hit rate on any single attempt, but given unlimited attempts at the same image it will eventually get through.
  • If the user's answer is right and the captcha is not destroyed, that one answer keeps passing the check for as long as the Session lives, so a single solved image can be replayed across many submissions.
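Both checks from the last two sections in one place, as an added example that is not part of the original article. Python dicts stand in for ASP.NET's Request and Session (in the article's C#, Session.Remove("captcha") is the equivalent of the pop below), and the captcha values and guess lists are constructed for the demonstration.

```python
import hmac


def verify_naive(request: dict, session: dict) -> bool:
    """The article's first snippet: a bare equality test and nothing removed.
    Python's None == None is True, just like C#'s null == null."""
    return request.get("captcha") == session.get("captcha")


def verify_hardened(request: dict, session: dict) -> bool:
    """Non-null check plus single use. The stored value is removed *before* the
    comparison, so a wrong guess, a right answer and a second submission all
    find the slot empty until a new image is generated."""
    expected = session.pop("captcha", None)   # destroyed whatever the outcome
    submitted = request.get("captcha")
    if not submitted or not expected:         # None or "" on either side fails
        return False
    return hmac.compare_digest(submitted.encode(), expected.encode())


# --- attack simulations (constructed inputs) -------------------------------

def direct_post_without_captcha(verify) -> bool:
    """Client posts the form without ever loading a captcha image."""
    session = {}   # Session["captcha"] was never generated
    request = {}   # Request["captcha"] is absent
    return verify(request, session)


def brute_force_same_image(verify, answer: str, guesses: list) -> int:
    """A solver with a poor per-attempt hit rate keeps guessing against the same
    stored value. Returns the attempt number that passes, or -1 if none does."""
    session = {"captcha": answer}
    for attempt, guess in enumerate(guesses, start=1):
        if verify({"captcha": guess}, session):
            return attempt
    return -1


def replay_after_success(verify, answer: str, times: int = 5) -> int:
    """Solve once, then resubmit the same correct answer while the session lives.
    Returns how many of the submissions pass."""
    session = {"captcha": answer}
    return sum(verify({"captcha": answer}, session) for _ in range(times))
```

With verify_naive the empty post passes, the third guess against the same image passes, and all five replays pass; with verify_hardened the empty post fails, the brute force never succeeds because the first wrong guess already destroyed the value, and only the first of the five replays passes. Note that the hardened function removes the value even when the submission is empty, so a probe with no captcha field also costs the attacker a fresh image.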
