Sign in:
Username:
Password:  
»Forgot your password?

Home | Forum | How to Protect Your Web Form | How to Protect Your Email | Sign Up

Insure yourself from spam! The Anti Spam Insurance Company - ProtectWebForm!

Forum - Security issue

PostMessage
mwoods
2008-01-15 05:21:39
Hi, I have successfully added the CAPTCHA to my site (PHP), but during
testing, have noticed what appears to be a security issue.

It appears that using your CAPTCHA, i can keep refreshing the image
easily (a good thing, of course!), but I can then submit any one of
the previous image codes to gain entry. The same goes for incorrect
attempts.

i.e. I can request a CAPTCHA image, that may have the code "123456". I
can then continue guessing this code to my hearts content (regardless
of the fact that I display a new CAPTCHA image after each attempt),
until I guess "123456" correctly. It seems that your verification
server builds a list of acceptable verifications from each request IP,
and only clears this list down upon a successful verification. Should
the list not be cleared down after EVERY verification attempt,
regardless of success or failure?

Kind Regards,

Mark
oleg
2008-01-15 05:36:31
I know there is such a situation.

When I store the requested code I store the remote ip address.
Currently I didn't see attacks of this type, but solution I was
planning was:
to increase image-response time exponentially.
E.g. when you (with custom) ip address query image, the service adds
sleep(exp(2, attempt)) before storing code in the DB.

This will reduce the risk of multiple image queries.

If you think this is critical for your service/site, I can add this
feature in near future.
mwoods
2008-01-15 06:01:39
It is not critical, no, since a reasonable amount of traffic to our
site should resolve the issue in itself (with a successful login
clearing down the image list).

A solution to the problem would be a nice feature, though, to increase
the level of security, and the need for generating longer security
codes.

However, in the proposed solution, I'm assuming that the custom ip
will need to relate to the client on our side, and not our server's
ip? Reason being, that we wouldn't want an attacker compromising our
login screen, simply by making numerous incorrect attempts, and
pushing the exponential image request time up high for everyone using
our site.

Kind Regards,

Mark
oleg
2008-01-15 08:17:34
> client on our side, and not our server's
ip
yes, sure.

And there is also ttl (time to live for the image ) = 30 minutes

so, if you have 6 numbers alphanumeric image this will produce you
approx
40 pov 6 = 4096000000 image variants
this means that an attacker must request the site: 4096000000 / 60 *
30 = 2275555 per second to get an image.
Imagine he creates the 1000 (really high performance server) requests
per second, this is 275 times hi must try this service to guess the
code.

This is 275 hours = approx 10 days.

I could have make a mistake in my calculations, but seems to smth.
like this.

Oleg.
mwoods
2008-01-15 08:32:15
Ah, I didnt realise there was the 30 minute timeout.

Thank you for your quick replies.

Kind Regards,

Mark






Post Reply:

You must be logged in to reply.
Post message
Name: 
Email: 
Url: 




Registered users: 20291

Forms protected: 48458

Further Reading & Anti Spam Resources:

Directory
Search our site for:
 
Web www.protectwebform.com

Get Thunderbird!

    ©Copyright 2006 ProtectWebForm.com. All rights reserved. Read our Privacy Policy

Page copy protected against web site content infringement by Copyscape