Friday, October 23, 2015

ASPNet_Captcha (Mathematical) can be cracked !!!!!!!

ASPNet_Captcha (Mathematical) is used as a security measure to stop unwanted traffic such as automated scripts, bots, etc. Even in my company, we were instructed to use it by the management. I think the reason behind it is that it is more user friendly :) than Google reCaptcha or MSCaptcha.

So when I started using it, I felt something was wrong. Guess what: the randomizer is very poor and can be cracked. Below is a sample image of the mentioned ASPNet_Captcha.




Explanation:


Normally these kinds of mathematical captchas should have a strong randomizer (an engine or method that produces highly unpredictable outputs). In this case it does not.

So I wrote a brute-force program to simulate the ASPNet_Captcha. Guess what: it was easy, and the program cracked the captcha in less than 5 seconds. You can get the sample code from GitHub.

Click here to download the sample code

Once the captcha is solved, all that remains is a POST to the target site to get through. This is a considerable security threat and needs to be eliminated.
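One way to handle the server side of an arithmetic captcha so that answers cannot be predicted from the generator, replayed, or guessed repeatedly. This is an added example, not code from ASPNet_Captcha or from the sample on GitHub; `MathCaptchaStore` and its members are hypothetical names, and it assumes .NET 6 or later.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;

// Hypothetical server-side store for arithmetic captcha challenges (.NET 6+).
public sealed class MathCaptchaStore
{
    private sealed record Challenge(int Answer, DateTime ExpiresUtc);

    private readonly ConcurrentDictionary<string, Challenge> _pending = new();
    private readonly TimeSpan _lifetime = TimeSpan.FromMinutes(2);

    // Issue a challenge. Operands and the id come from the OS CSPRNG, and the
    // answer never leaves the server: the client gets only the opaque id and
    // the question (which the page would render as an image).
    public (string Id, string Question) Issue()
    {
        int a = RandomNumberGenerator.GetInt32(10, 100); // 10..99 inclusive
        int b = RandomNumberGenerator.GetInt32(10, 100);
        string id = Convert.ToHexString(RandomNumberGenerator.GetBytes(16));
        _pending[id] = new Challenge(a + b, DateTime.UtcNow + _lifetime);
        return (id, $"{a} + {b} = ?");
    }

    // Verify a response. TryRemove consumes the challenge before comparing,
    // so each id allows exactly one guess and a solved id cannot be replayed.
    // A production store would also evict expired entries periodically.
    public bool Verify(string id, string response)
    {
        if (id is null || !_pending.TryRemove(id, out var c)) return false;
        if (DateTime.UtcNow > c.ExpiresUtc) return false;
        return int.TryParse(response, out int value) && value == c.Answer;
    }
}

public static class Program
{
    public static void Main()
    {
        var store = new MathCaptchaStore();
        var (id, question) = store.Issue();
        Console.WriteLine($"{id}: {question}");

        // Constructed client input: a wrong guess burns the challenge,
        // so the second attempt on the same id is rejected as unknown.
        Console.WriteLine(store.Verify(id, "0"));
        Console.WriteLine(store.Verify(id, "0"));
    }
}
```

Because the answer space of a two-operand sum is small, the single-guess rule matters as much as the generator: a client that fails must request a fresh challenge, which is also the natural place to apply per-client rate limiting.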

So as per my experience, the best captcha controls right now are:


I have used both of them and both work 100% well and are secure. The reason I say that: I have used MSCaptcha in an online application and pushed the application through some tough penetration tests, and none of them could break it.

Hope this article helps you.
Happy Coding. :)


