Some thoughts on CAPTCHA

Posted by c4pr1c3 on November 6, 2007

Original text:

—————————————— I am the divider line ——————————————

Many websites utilize a challenge-response mechanism known as CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) to protect against automating the creation of user accounts, content, or otherwise abusing services they provide.

Most common CAPTCHA systems work by generating distorted characters, text, or pictures that can be easily recognized by the human brain but present significant difficulty for computer OCR (optical character recognition) or other image recognition systems.

Enter Social Engineering. Although CAPTCHA may be fairly effective at verifying a reply is from a human and not a computer, they do not guarantee that it is from the human for which the challenge is intended.

Example…

  1. Website A hosts a service protected by CAPTCHA verification.
  2. Website B is set up by a party desiring to automate usage of the services of Website A.
  3. Website B offers users free access to content, but requires they defeat a CAPTCHA challenge.
  4. Website B copies a CAPTCHA image from Website A that it needs defeated and presents it to a user visiting Website B.
  5. The user provides the CAPTCHA response.
  6. Website B provides the offered content to the user, and then uses their response to defeat the CAPTCHA test on Website A.

In this way automation residing on Website B can distribute the work of defeating CAPTCHA challenges to many people that are unknowingly providing responses to challenges from Website A. In some ways it is similar to a distributed computing model. Instead of distributing tasks out to computers however, the idea here is to distribute the CAPTCHA tasks out to humans.

This method was used by spammers in 1994 to defeat a Turing-test-based spam protection mechanism in Microsoft’s Hotmail service. The spammers promoted a Web site containing pornography and required visitors to enter a CAPTCHA before they were granted access. The CAPTCHAs that were used to access the porn site were originally generated by the Hotmail service. The CAPTCHA solutions entered by the visitors to the porn site were then used by the spammers to solve the CAPTCHA challenges in Hotmail, allowing them to automate the creation of new accounts for sending spam.

More recently, trojans such as Captchar (http://vil.nai.com/vil/content/v_143504.htm) have been utilizing this method as well.

Although it is possible to identify the difference between a computer and a human, there may yet be a challenge in verifying that a given human response is from the intended human.

—————————————— I am the divider line ——————————————

CAPTCHA+XSS+SQLInj = ?

Since CAPTCHA technology appeared, traditional brute-force and dictionary-style enumeration techniques have taken a heavy hit. But the article above is very suggestive: suppose the CAPTCHAs of the site to be cracked could be spread, by way of XSS, across a large number of sites on the Internet. Real "human eyes" would then recognize these CAPTCHAs, and the answers submitted by these "clever victims" could be used directly to safely "pass" the target site's "anti-automated-submission" mechanism!!

One can imagine that before long a completely distributed, intelligent new brute-force tool will be developed by the hacker community at large!!

Let’s say goodbye to CAPTCHA!!!
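A server-side check that narrows the relay window described in the quoted article and in the commentary above, added here as an example; it is not code from the quoted article or from this blog's author, and the store, TTL and rate-limit values are assumptions. Each challenge is single-use, expires quickly, is bound to the session and client address that fetched it, and issuance per address is rate-limited: a relay that hot-links the image fails the binding check, and one that proxies the image through its own session must answer fast from few addresses, which the rate limit surfaces.

```python
import secrets
import time
from collections import defaultdict

CHALLENGE_TTL_SECONDS = 60   # assumption: a relayed answer typically arrives later than a direct one
MAX_ISSUED_PER_IP = 20       # assumption: per-address issuance budget within RATE_WINDOW_SECONDS
RATE_WINDOW_SECONDS = 300


class CaptchaStore:
    """Server-side bookkeeping for challenges; rendering the image is out of scope."""

    def __init__(self):
        self._pending = {}                 # token -> (answer, session_id, client_ip, issued_at)
        self._issued = defaultdict(list)   # client_ip -> timestamps of challenges issued to it

    def issue(self, answer, session_id, client_ip, now=None):
        """Register a challenge bound to the requesting session and address; None if rate-limited."""
        now = time.time() if now is None else now
        recent = [t for t in self._issued[client_ip] if now - t <= RATE_WINDOW_SECONDS]
        if len(recent) >= MAX_ISSUED_PER_IP:
            self._issued[client_ip] = recent
            return None                    # one address fetching many challenges looks like a relay farm
        recent.append(now)
        self._issued[client_ip] = recent
        token = secrets.token_urlsafe(16)
        self._pending[token] = (answer, session_id, client_ip, now)
        return token

    def verify(self, token, submitted, session_id, client_ip, now=None):
        """Return (ok, reason); the token is consumed on any attempt, so one answer buys one try."""
        now = time.time() if now is None else now
        record = self._pending.pop(token, None)
        if record is None:
            return False, "unknown_or_reused_token"
        answer, bound_session, bound_ip, issued_at = record
        if now - issued_at > CHALLENGE_TTL_SECONDS:
            return False, "expired"
        if session_id != bound_session or client_ip != bound_ip:
            return False, "binding_mismatch"   # fetched by one client, answered by another
        # constant-time comparison of the normalised answer
        if not secrets.compare_digest(submitted.strip().lower().encode(), answer.lower().encode()):
            return False, "wrong_answer"
        return True, "ok"
```

Binding alone does not stop a relay that proxies the image through its own session and address, which is why the short TTL and the per-address limit are part of the same check.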