Vulnerability about captCha and Mitigation

 vulnerability :


- The content of the graphic captcha can be recognized by OCR


- In a multi-stage process, the verification code is verified first. After success, the next step does not need the verification, so the package can be captured directly and the verification of the first step can be skipped


- The captCHA does not expire immediately after verification in the service segment. It will not be updated until the client requests again. As long as the client no longer requests the captcha, the original captcha can be used


- Whether the module generating captcha generates captcha according to the parameters provided. If so, it indicates that there is a vulnerability


- Some captchas are bound to a parameter in a packet, such as an attribute in a cookie, and are considered valid as long as they match. There are holes in this mechanism.


- In some cases, captchas are hidden in HTML source code or otherwise obtained in "clear text"


- On the server side, should the user name and password be verified only after the verification code is passed, if not, it indicates that there is a vulnerability?



- 图形验证码的内容可OCR识别

- 多阶段的过程,先校验验证码,成功之后的下一步不需要验证码,可以直接抓包,跳过第一步的验证

- 验证码在服务段校验后,没有立即失效,需要客户端再次请求才会更新,只要客户端不再请求验证码即可使用原来的验证码

- 生成验证码的模块是否根据提供的参数生成验证码,如果是说明存在漏洞

- 有些验证码与数据包中的某个参数绑定,比如cookie中的某个属性,只要它们相匹配,验证码就认为是有效的。这种机制存在漏洞。

- 在某些情况下,验证码隐藏在HTML源码或通过其他方式获得“明文”

- 在服务器端,是否只有在验证码检验通过后才进行用户名和密码的检验,如果不是说明存在漏洞。



Popular posts from this blog

Phonebook - Hack the box Write up -- Web LDAP injection

Image
 0x00 Problem  0x01 Check the vulnerability When we see the login form on the website, it might be command injection, SQL injection, LDAP injection.  We can see that this need us to login with workstation username, it might be LDAP injection. 0x02 LDAP injection payload Here is the basic LDAP injection payload. We can check the vulnerability. user=*)(& password=*)(& --> (&(user=*)(&)(password=*)(&))  After we type it, we found the response shows successful, and return a page has search box. Then we type a character in the search box, and it returns some user phonebook information. I tried 'flag', 'HTB', it doesn't find any results. Then we try to find user 'Reese', but the information doesn't look like flag.   0x03 Locate the flag  Then we change our payload to check if the password is the flag. user=Reese password=HTB*)(& --> (&(user=Reese)(password=HTB*)(&  It can also return to the search page which means it...
Read more

wafwaf -- Hack The Box -- Web SQL injection

Image
0x00 Problem 0x01 Check the Source Code We open the website and only see the source code on the website. As we can see, there is a WAF will filter some characters and words, that means the normal injection will not work. However, we can see, there is a json_decode() function will decode JSON data, that means the data can be accepted should be JSON format.  The example JSON format data is like: /u0074, /u0075. In addition, there is a "php://input",  accesses the read-only stream of the requested raw data, executing the data in the post request as PHP code. 0x02 Local Test We can launch an Apache server to test it. I copy the source code and make a little change to test this. This file is in /var/www/html. We will construct the data first. This time I use 'select' as an example. The word transfer to ASCII, then to hex, then replace the '\0x' as '\u00'. This can be test in the browser console. At the end, we can test it with curl . As we can see, the SQL...
Read more

Cheat sheet for security+

Image
Malware virus: need people action to execute and spread. Hoax: trick the victim to infect, like game. worms: spread and execute without humman  trojans: can get remote control. RAT(remote access Trojan) ransomware: take control of your computer system, pay for unlock, most time will not unlock if you pay spyware: audit the callender, website history and other actions. rootkit: a type of backdoor, software design to administrative level control or root priviledge without detection. use DLL injection. malicious code inserted into a running process or kernel-mode device drvier. intercept calls and redirect to the malicous code. spam: CAN-Spam Act law to stop relaying send out email through other's mail server. Spim(instant message) like chat, text message.
Read more