MoBiC-21: AIP CAPTCHA bypass

22:41 21.11.2007

The next participant in the project is the AIP captcha: Auto-Input Protection (AIP) for ASP.NET. This captcha plugin is used on a number of sites, and all of them are at risk because of this insecure captcha.

This captcha plugin is vulnerable to the Advanced MustLive CAPTCHA bypass method. In the current example the plugin is used on a contact-me page. I found this Insufficient Anti-automation hole on 30.10.2007.

With the Advanced MustLive CAPTCHA bypass method you use the same ctl00$Main$aip$input value for every post. And because sites with AIP run on ASP.NET, you also need to bypass the built-in CSRF protection; for this you can use the same __VIEWSTATE and __EVENTVALIDATION values.
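Added example, not part of the original post and not AIP's own code: it models the weakness described above (an answer that stays valid for every later post) next to a single-use challenge design, and adds a check over constructed form-POST records that flags a repeated identical captcha input and __VIEWSTATE pair. The class names, field names and sample values are assumptions.

```python
import hmac
import secrets
from collections import Counter

class ReusableCaptcha:
    """Assumed model of the flaw: the answer stays valid for every later post."""

    def __init__(self):
        self.expected = {}  # session id -> expected answer

    def issue(self, session_id, answer):
        self.expected[session_id] = answer
        return session_id

    def verify(self, token, submitted):
        expected = self.expected.get(token)  # never retired after success
        return expected is not None and hmac.compare_digest(expected, submitted)

class OneTimeCaptcha:
    """Hardened design: random challenge id, consumed on the first check."""

    def __init__(self):
        self.expected = {}  # challenge id -> expected answer

    def issue(self, session_id, answer):
        token = secrets.token_hex(16)
        self.expected[token] = answer
        return token

    def verify(self, token, submitted):
        expected = self.expected.pop(token, None)  # right or wrong, it is spent
        return expected is not None and hmac.compare_digest(expected, submitted)

def accepted_replays(captcha, posts=5):
    """Issue one challenge, then submit the same answer `posts` times."""
    token = captcha.issue("sess-1", "k7x2q")  # constructed session and answer
    return sum(captcha.verify(token, "k7x2q") for _ in range(posts))

def replayed_submissions(log):
    """Flag (client, captcha input, viewstate) triples posted more than once."""
    counts = Counter((r["client"], r["captcha"], r["viewstate"]) for r in log)
    return {key: n for key, n in counts.items() if n > 1}

# Constructed form-POST records: the first client replays one captured pair.
SAMPLE_LOG = [
    {"client": "198.51.100.7", "captcha": "k7x2q", "viewstate": "vs-A1"},
    {"client": "198.51.100.7", "captcha": "k7x2q", "viewstate": "vs-A1"},
    {"client": "203.0.113.5", "captcha": "m3pw9", "viewstate": "vs-B7"},
]
```

With the reusable model all five posts pass; with the one-time design only the first does, and the log check points at the client that repeated the same pair.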

Insufficient Anti-automation:

AIP CAPTCHA bypass.html

This exploit is for educational purposes only.

You need to set up the exploit to test it (set the site’s URL and other data). If you want to test it immediately, here is an online example.

I found this hole at adamcooper.com, which is using the AIP captcha.

Insufficient Anti-automation:

adamcooper.com CAPTCHA bypass.html

Guys, do not overdo it with this Captcha bypass test. This exploit is for educational purposes only.

Moral: never make such unreliable captchas.


4 Responses to “MoBiC-21: AIP CAPTCHA bypass”

  1. Dave says:

    I certainly appreciate that you brought this to my attention. It will be fixed in the next release.

    However, the “Moral” that you stated isn’t being fair to AIP. “Unreliable” would indicate that it isn’t working to protect web sites - its purpose. Although there is certainly a potential risk that AIP could be bypassed, in my experience using AIP this has _never_ happened to me and you are the first to report it. Hopefully, I’ll be able to fix this bug before AIP actually does become “unreliable” :)

    Thanks,
    - Dave

  2. Dave says:

    I’ve posted info about my solution for AIP 2.0.0 in my blog:

    http://davesexton.com/blog/blogs/blog/archive/2007/12/12/aip-1-0-0-bypassed.aspx

    Hopefully you’ll find time to reevaluate AIP again and let me know if it passes all of your tests the second time around :)

  3. Dave says:

    I’ve recently deployed AIP 2.0, which fixes the vulnerability that you mentioned.

    Thanks again for reporting it.

  4. MustLive says:

    Dave

    You are welcome.

    I’ve recently deployed AIP 2.0, which fixes the vulnerability that you mentioned.

    It’s good that you fixed this hole (in the new version of AIP). If I find time I’ll look at it ;-) .
