Help - Insecure CAPTCHA

About

A is a program that can tell whether its user is a human or a computer. You've probably seen them - colourful images with distorted text at the bottom of Web registration forms. CAPTCHAs are used by many websites to prevent abuse from "bots", or automated programs usually written to generate spam. No computer program can read distorted text as well as humans can, so bots cannot navigate sites protected by CAPTCHAs.

CAPTCHAs are often used to protect sensitive functionality from automated bots. Such functionality typically includes user registration and changes, password changes, and posting content. In this example, the CAPTCHA is guarding the change password functionality for the user account. This provides limited protection from CSRF attacks as well as automated bot guessing.




Objective

Your aim, change the current user's password in a automated manner because of the poor CAPTCHA system.




Low Level

The issue with this CAPTCHA is that it is easily bypassed. The developer has made the assumption that all users will progress through screen 1, complete the CAPTCHA, and then move on to the next screen where the password is actually updated. By submitting the new password directly to the change page, the user may bypass the CAPTCHA system.

The parameters required to complete this challenge in low security would be similar to the following:

Spoiler: ?step=2&password_new=password&password_conf=password&Change=Change.

Medium Level

The developer has attempted to place state around the session and keep track of whether the user successfully completed the CAPTCHA prior to submitting data. Because the state variable (Spoiler: passed_captcha) is on the client side, it can also be manipulated by the attacker like so:

Spoiler: ?step=2&password_new=password&password_conf=password&passed_captcha=true&Change=Change.

High Level

There has been development code left in, which was never removed in production. It is possible to mimic the development values, to allow invalid values in be placed into the CAPTCHA field.

You will need to spoof your user-agent (Spoiler: reCAPTCHA) as well as use the CAPTCHA value of (Spoiler: hidd3n_valu3) to skip the check.


Impossible Level

In the impossible level, the developer has removed all avenues of attack. The process has been simplified so that data and CAPTCHA verification occurs in one single step. Alternatively, the developer could have moved the state variable server side (from the medium level), so the user cannot alter it.


Reference: