ASPNet_Captcha (Mathematical) is used as a security measure to stop unwanted traffic such as automated scripts and bots. Even in my company, we were instructed by management to use it. I think the reason behind it is that it is more user friendly :) than Google reCaptcha or MSCaptcha.
So when I started using it, I felt something was wrong. Guess what, the randomizer is very poor and can be cracked. Below is a sample image of the mentioned ASPNET_Captcha.
Explanation:
Normally these kinds of mathematical captchas should have a strong randomizer (an engine or a method which creates highly volatile outputs). In this case, it does not.
So I wrote a brute-force program to simulate the ASPNet_Captcha. Guess what, it was easy, and the program cracked the captcha in less than 5 seconds. You can get the sample code from GitHub.
Click here to download the sample code
Once the captcha is solved, a script only has to do a POST to the target site to get through. This is a considerable security threat and needs to be eliminated.
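How volatile a captcha's randomizer really is can be measured on a sample of its challenges. The following is an added example, not the sample code from this post and not ASPNet_Captcha's own code: `weak_challenge` is a constructed stand-in (a PRNG reseeded from the clock), since the post does not say how the control picks its numbers, and the single-digit addition format and request rate are assumptions.

```python
import math
import random
import secrets
from collections import Counter


def weak_challenge(clock_seconds):
    """Constructed weak generator: PRNG reseeded from the wall clock (whole seconds)."""
    rng = random.Random(clock_seconds)
    return rng.randint(1, 9), rng.randint(1, 9)


def strong_challenge():
    """Operands drawn from the OS CSPRNG; there is no seed to reproduce."""
    return secrets.randbelow(9) + 1, secrets.randbelow(9) + 1


def audit(challenges):
    """Summarise how volatile a sample of (a, b) addition challenges is."""
    answers = Counter(a + b for a, b in challenges)
    top_share = max(answers.values()) / len(challenges)
    return {
        "distinct_challenges": len(set(challenges)),
        "distinct_answers": len(answers),
        "top_answer_share": top_share,
        # Min-entropy of the answer: bits of uncertainty against the likeliest value.
        "min_entropy_bits": -math.log2(top_share),
    }


def sample_reports(n=2000, requests_per_second=50):
    """Constructed traffic: n requests arriving at a fixed rate, starting at t=0."""
    weak = [weak_challenge(i // requests_per_second) for i in range(n)]
    strong = [strong_challenge() for _ in range(n)]
    return audit(weak), audit(strong)


if __name__ == "__main__":
    for name, report in zip(("weak", "strong"), sample_reports()):
        print(name, report)
```

Even with the CSPRNG, single-digit addition leaves only about 3 bits of min-entropy in the answer, so the server side still needs single-use challenges and a limit on attempts.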
In my experience, the best captcha controls right now are:
- Google reCaptcha V2: https://www.google.com/recaptcha/intro/index.html
- MSCaptcha: http://kirsanov.net/page/ASPNET-CAPTCHA.aspx
I have used both of them, and both work 100% well and are secure. The reason I say that: I have used MSCaptcha in an online application and pushed the application through some tough penetration tests, and none of them could break it.
Hope this article helps you.
Happy Coding. :)