
Need to destroy the CAPTCHA after login


If you use the Firefox browser with the Live HTTP Headers plug-in to repeat requests, try the following procedure:

1- Log in with a valid CAPTCHA, then log off
2- Go back to the Live HTTP Headers tool, pick up the login request, then try to replay it

If it logs in successfully again with the first, already-solved CAPTCHA, you are vulnerable.

Most CAPTCHAs don’t destroy the session when the correct phrase is entered. So by reusing the session id of a known CAPTCHA image, it is possible to automate requests to a CAPTCHA-protected page. Certain CAPTCHA implementations accumulate CAPTCHA solutions or identifiers in their HTTP session. That is, for each request for a new CAPTCHA, the previous value is retained and a new CAPTCHA solution or identifier is also added to the HTTP session. An attacker can exploit this scenario by manually solving one CAPTCHA for an HTTP session and then reusing that solution or identifier and the SESSIONID value to make a large number of successful submissions.

Solution: destroy the session when the first correct CAPTCHA is entered.

Any suggestions?
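To show the two behaviours side by side, here is an added example (not code from the original post or from any particular CAPTCHA library): a constructed in-memory session store, a login check that keeps the solved CAPTCHA in the session (the replayable pattern described above), and a hardened check that consumes the CAPTCHA on first use and destroys the pre-login session on success. The session store, the `login_*` function names and the CAPTCHA answer "x7k2q" are all assumptions made for the demonstration.

```python
import hmac
import secrets
from typing import Optional

# Constructed in-memory stand-in for a server-side session store (keyed by session id).
SESSIONS: dict = {}


def new_session(captcha_answer: str) -> str:
    """Create a pre-login session and attach the CAPTCHA answer the server expects."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"captcha": captcha_answer}
    return sid


def login_vulnerable(sid: str, submitted: str) -> Optional[str]:
    """Replayable pattern: the solved CAPTCHA stays in the session, and the same
    session id remains valid, so an identical replayed request succeeds again."""
    session = SESSIONS.get(sid)
    if session is None or "captcha" not in session:
        return None
    if hmac.compare_digest(session["captcha"].encode(), submitted.encode()):
        session["user"] = "authenticated"
        return sid  # same session id handed back: nothing is invalidated
    return None


def login_fixed(sid: str, submitted: str) -> Optional[str]:
    """Hardened: the CAPTCHA is single-use (removed on the first check, right or wrong),
    and a successful login destroys the old session and issues a fresh session id."""
    session = SESSIONS.get(sid)
    if session is None:
        return None
    expected = session.pop("captcha", None)  # consumed whatever the outcome
    if expected is None or not hmac.compare_digest(expected.encode(), submitted.encode()):
        return None
    del SESSIONS[sid]  # destroy the pre-login session so the captured request is dead
    new_sid = secrets.token_urlsafe(16)
    SESSIONS[new_sid] = {"user": "authenticated"}
    return new_sid


def replay(login) -> tuple:
    """Solve the CAPTCHA once, then replay the identical request, as in the
    Live HTTP Headers procedure. Returns (first attempt succeeded, replay succeeded)."""
    sid = new_session("x7k2q")  # constructed CAPTCHA answer
    first = login(sid, "x7k2q") is not None
    again = login(sid, "x7k2q") is not None
    return first, again
```

Running `replay(login_vulnerable)` gives `(True, True)` while `replay(login_fixed)` gives `(True, False)`; with the fixed check a wrong answer also consumes the CAPTCHA, so a guessed retry against the same session fails too.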
