MoBiC-21: AIP CAPTCHA bypass
22:41 21.11.2007
The next participant of the project is AIP captcha, Auto-Input Protection (AIP) for ASP.NET. This captcha plugin is used on a number of sites, and all of them are at risk because of this insecure captcha.
This captcha plugin is vulnerable to the Advanced MustLive CAPTCHA bypass method. In the current example the plugin is used on a contact-me page. I found this Insufficient Anti-automation hole on 30.10.2007.
In the Advanced MustLive CAPTCHA bypass method you use the same ctl00$Main$aip$input value for every post. And because sites with AIP run on ASP.NET, you also need to bypass the built-in CSRF protection; for this you can reuse the same __VIEWSTATE and __EVENTVALIDATION values.
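To show the defect from the defender's side, here is an added Python model (not AIP's code and not code from the original post) of a stateless CAPTCHA check that accepts a replayed answer, beside a server-side one-time challenge store that rejects it; the server key, field names and challenge format are constructed for the demo.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = b"constructed-demo-key"  # assumption: a server secret; never ship a fixed key


def _mac(answer: str) -> str:
    """Keyed hash of the CAPTCHA answer, playing the role of the check value a
    stateless plugin might embed in the page (for example inside __VIEWSTATE)."""
    return hmac.new(SERVER_KEY, answer.encode(), hashlib.sha256).hexdigest()


class StatelessCaptcha:
    """Vulnerable model: the page carries a keyed hash of the answer and the server
    only recomputes it. Nothing records that a challenge was already solved, so the
    same (check value, answer) pair validates on every POST."""

    def issue(self) -> dict:
        answer = secrets.token_hex(3)
        return {"check": _mac(answer), "answer_for_user": answer}

    def validate(self, form: dict) -> bool:
        return hmac.compare_digest(form["check"], _mac(form["input"]))


class OneTimeCaptcha:
    """Hardened model: the answer lives only on the server, keyed by a random
    challenge id, and is deleted on the first validation attempt."""

    def __init__(self) -> None:
        self._pending: dict = {}

    def issue(self) -> dict:
        cid = secrets.token_urlsafe(16)
        answer = secrets.token_hex(3)
        self._pending[cid] = answer
        return {"cid": cid, "answer_for_user": answer}

    def validate(self, form: dict) -> bool:
        expected = self._pending.pop(form["cid"], None)  # consumed, right or wrong
        return expected is not None and hmac.compare_digest(expected, form["input"])


def replay_results(captcha, n: int = 3) -> list:
    """Solve one challenge legitimately, then re-POST the identical form n times
    and return the verdict of each attempt."""
    page = captcha.issue()
    form = {k: v for k, v in page.items() if k != "answer_for_user"}
    form["input"] = page["answer_for_user"]
    return [captcha.validate(dict(form)) for _ in range(n)]
```

The stateless model returns True for every repeated submission, the one-time model only for the first; expiring pending challenges after a short timeout would complete the hardened version.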
Insufficient Anti-automation:
This exploit is for educational purposes only.
You need to set up the exploit to test it (set the site’s URL and other data). If you want to test it immediately, here is an online example.
I found this hole at adamcooper.com, which is using AIP captcha.
Insufficient Anti-automation:
adamcooper.com CAPTCHA bypass.html
Guys, do not overdo it with this Captcha bypass test. This exploit is for educational purposes only.
Moral: never make such unreliable captchas.
Wednesday, 01:28 12.12.2007
I certainly appreciate that you brought this to my attention. It will be fixed in the next release.
However, the “Moral” that you stated isn’t being fair to AIP. “Unreliable” would indicate that it isn’t working to protect web sites - its purpose. Although there is certainly a potential risk that AIP could be bypassed, in my experience using AIP this has _never_ happened to me and you are the first to report it. Hopefully, I’ll be able to fix this bug before AIP actually does become “unreliable”.
Thanks,
- Dave
Thursday, 05:35 13.12.2007
I’ve posted info about my solution for AIP 2.0.0 in my blog:
http://davesexton.com/blog/blogs/blog/archive/2007/12/12/aip-1-0-0-bypassed.aspx
Hopefully you’ll find time to reevaluate AIP again and let me know if it passes all of your tests the second time around.
Thursday, 18:50 03.04.2008
I’ve recently deployed AIP 2.0, which fixes the vulnerability that you mentioned.
Thanks again for reporting it.
Thursday, 21:16 03.04.2008
Dave
You are welcome.
It’s good that you fixed this hole (in the new version of AIP). If I find time I’ll look at it.