Brute force and verification code security - Verification code security

Verification code security

Introduction

The verification code (CAPTCHA) is an abbreviation of "Completely Automated Public Turing test to tell Computers and Humans Apart": a public, fully automatic program that distinguishes whether a user is a computer or a human.

It can prevent malicious password cracking, ticket scalping and forum flooding, and effectively stops a hacker from making continuous login attempts against a specific registered user with an automated brute force cracking program. Using verification codes is a popular and relatively simple way for many websites to achieve this. The question is generated and judged by a computer, but only a human can answer it; since a computer cannot answer the CAPTCHA question, the user who answers it can be considered a human.

Classification

Gif animation verification code

Mainstream verification codes are served as static pictures, which are easy for OCR software to recognize. Some websites provide GIF animated verification code pictures, which make it difficult for a recognizer to tell which frame is the real verification code picture while still presenting a clear picture to the user, so they resist automated recognition more effectively.

Mobile phone SMS verification code

Some verification code providers offer mobile phone SMS verification code services. The website sends a request through the provider's interface to the provider's server, which sends random digits or letters to the user's mobile phone; the provider's server then performs the verification of the code.

Phone voice verification code

Video verification code

The video verification code is a newcomer among verification codes. A code composed of random digits, letters and Chinese characters is dynamically embedded in an MP4, FLV or other format video, which increases the difficulty of cracking. The dynamic transformation of the video and its random response can effectively prevent dictionary attacks, exhaustive attacks and other attacks. The combination of letters and digits in the video, the shape and size of the font, the playback speed, and the dynamically changing display effect and motion trajectory all increase the difficulty of cracking by malicious screen capture.
The technical details are not disclosed.

Principle introduction

	1. The client initiates a request.
	2. The server responds, creates a new SessionID and at the same time generates a random verification code.
	3. The server returns the verification code and the SessionID together to the client.
	4. The client submits the verification code together with the SessionID to the server.
	5. The server verifies the code and at the same time destroys the current session (if nothing is configured, PHP by default destroys it only after 23 minutes, which is unsafe), then returns the result to the client.

Client-side verification bypass

The client generates the verification code

The verification code is generated by client-side JS and is only verified by client-side JS.
Nankai University case
This is a front-end JS verification method, but the check is lost once the request is in transit. So in Burp you can choose an attack mode, clear the verification code variable and mark the remaining variables as payload positions to brute force them; disabling the page's JS function also works.

Supplement

During testing, right-click to view the page source and check whether the verification is done in JS. This applies not only to the verification code: many filters for special symbols and JS checks on password length can basically be bypassed in the same way.

Verification code output to the client

The verification code is output in the HTML. Whatever the reasoning, the content of the verification code should not be sent in a client cookie or output in other fields of the response headers. For example, writing the MD5 value of the verification code, a Base64 encoding of it, and so on, is far too easy for an attacker to reverse to obtain the original value. Even with a fixed salt added, such output is very bad.
For example:
Sony verification code implementation defects

Problem with the verification code in the cookie

Some systems do not display the verification code by default; it only appears after the user has failed verification a certain number of times. How does the system judge how many times the user has made mistakes? Inexperienced developers may do this:
  1. Write a tag in the cookie, such as loginErr = 1, and accumulate subsequent errors there.
  2. Write a tag in the session, such as loginErr = 1, and accumulate subsequent errors there.
The problem with this is: what if the attacker submits an HTTP request without a cookie? Or what if the attacker never updates the value of loginErr in the cookie and submits it repeatedly? The program will then think the attacker is visiting for the first time, because it has no way to obtain the cookie / sessionID, and the verification code will never appear!
Juneyao Airlines
5173 verification code can be bypassed

Even worse, some systems write the verification code directly into the cookie.

Server-side verification bypass

The verification code does not expire, and failure to destroy the session in time leads to reuse of the verification code (this is the most common case; PHP by default destroys the verification code only after 23 minutes). Suning.com case
Most of the time the verification code corresponds to a session value on the web server. If the session is not marked invalid after a verification completes, the same verification code can be used repeatedly, and at that point the verification code is no longer useful.
An attacker with a fixed sessionID and a fixed verification code string in the cookie can then brute force easily.

The operation is as follows: first enter one correct verification code on the server, then reuse it.

No non-empty check. The case where the verification code is empty is not handled during verification, for example when some values are removed from the cookie or the verification code parameter is removed from the request.

The answers in the generated verification code question set are very limited.
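The following is an added example, not code from the original post: a minimal Python model of the server side of the five-step flow above that closes the three bypasses just described (code reuse with a fixed SessionID, an empty or removed verification code parameter, and an error counter that the client can reset by dropping its cookie). The in-memory SESSIONS store, the 120-second expiry and the three-failure threshold are assumptions chosen for the example.

```python
import hmac
import secrets
import string
import time
from typing import Dict, Optional

# Constructed in-memory store keyed by SessionID (assumption: a real site would use
# its framework's server-side session storage; nothing here is written to a cookie).
CODE_TTL_SECONDS = 120          # short expiry instead of waiting for PHP's default session GC
SHOW_CAPTCHA_AFTER_ERRORS = 3   # threshold for the "captcha after N failures" design
SESSIONS: Dict[str, dict] = {}

def new_session() -> str:
    """Step 2: the server creates a new SessionID; the error counter lives here, not in a cookie."""
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"login_errors": 0, "captcha": None}
    return session_id

def issue_code(session_id: str) -> str:
    """Steps 2-3: generate a random code bound to the session. The caller renders it as an
    image; neither the plaintext nor a hash of it goes into the response headers."""
    code = "".join(secrets.choice(string.ascii_uppercase + string.digits) for _ in range(6))
    SESSIONS[session_id]["captcha"] = {"code": code, "issued_at": time.time()}
    return code

def verify_code(session_id: str, submitted: Optional[str]) -> bool:
    """Steps 4-5: check the code and destroy it whatever the outcome, so a fixed
    SessionID plus a fixed code string cannot be replayed."""
    sess = SESSIONS.get(session_id)
    if sess is None:
        return False
    challenge, sess["captcha"] = sess["captcha"], None   # consumed on first check, pass or fail
    if challenge is None or not submitted:                # no challenge, or empty/removed parameter
        return False
    if time.time() - challenge["issued_at"] > CODE_TTL_SECONDS:
        return False
    return hmac.compare_digest(challenge["code"], submitted.strip().upper())

def captcha_required(session_id: Optional[str]) -> bool:
    """Fail closed: a request with no (or an unknown) SessionID is treated as over the
    threshold, so dropping or not updating the cookie cannot reset the counter."""
    sess = SESSIONS.get(session_id) if session_id else None
    return sess is None or sess["login_errors"] >= SHOW_CAPTCHA_AFTER_ERRORS

def record_login_failure(session_id: str) -> int:
    """The counter is incremented server-side; the client has no way to rewind it."""
    SESSIONS[session_id]["login_errors"] += 1
    return SESSIONS[session_id]["login_errors"]
```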

There are three ways to write the destruction of a PHP session:

<?php
/* Destroying a session */
@header('content-type:text/html;charset=utf-8');
session_start();

$_SESSION['username'] = 'test1';
echo 'session没销毁时:' . $_SESSION['username'];
echo "<br>";
// Method 1: clear a single key; the session itself stays alive on the server
// $_SESSION['username'] = null;
// Method 2: unset all session variables and destroy the session data on the server
// session_unset();
// session_destroy();
// Method 3: replace the session array with an empty one; the session id stays alive
$_SESSION = array();
// Guard the read: after method 1 or 3 the key no longer exists
echo 'session销毁后:' . (isset($_SESSION['username']) ? $_SESSION['username'] : '');

Original link: https://blog.csdn.net/u014796999/article/details/51872515

Token anti-brute-force bypass

Because the token value is output in the front-end source code, it is easy to obtain, so it loses its meaning for preventing brute force cracking. Generally, a token is more effective at preventing CSRF.

The operation is as follows

After capturing the packet, set the password and the token as variable positions and choose the Pitchfork attack type;
set the thread count to 1;
set Grep-Extract to start at the token's "value=" and end at "/>;
set the payload of the token position to Recursive grep.

Verification code brute force recognition (using PKav HTTP Fuzzer combined with Burp)

Find a website management portal with a verification code, open the background login page, enter the user name, password and verification code, click login, and capture the packet with Burp. Copy the packet captured by Burp into the verification code recognition tool, mark the parameters with tags inside the tool, and attach an external dictionary to the tagged positions.
Right-click the CAPTCHA image to copy its address and paste it into the tool's image address field; the recognition pattern and recognition range are adjusted according to the situation, then click the recognition test.
Set the tool's replay mode to multi-threaded, set the retry rule to match the data returned by an expression (the error prompt string the website shows for a wrong verification code), set the target host address to the website address, click start, and brute force the password with the verification code.

Verification code defense recommendations

  1. It is mandatory to enter a verification code; otherwise an IP policy must be implemented. Be careful not to be bypassed by X-Forwarded-For (in Burp, add the header with an allowed IP)! (For example, many Cisco and Tomcat backgrounds have no verification code.)

  2. The verification code can only be used once and expires immediately after use! It cannot be used again.

  3. The verification code should not be too weak. Distort, deform, disturb lines, disturb background colors, change fonts, etc.

  4. Large websites should ideally unify the security verification code and use the same verification code interface everywhere.
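Recommendation 1 says an IP policy must not be bypassable via X-Forwarded-For. The following added example (not code from the original post) shows one way to derive the address an IP lockout should key on: the header is ignored unless the TCP peer is a known reverse proxy, and even then the chain is walked from the right so that values the client prepended are never trusted. The proxy address 10.0.0.2, the FAILURES store and the five-failure limit are assumptions constructed for the example.

```python
import ipaddress
from typing import Dict, Optional, Set

# Assumption: the only reverse proxy in front of the application (constructed value).
TRUSTED_PROXIES: Set[str] = {"10.0.0.2"}
MAX_FAILURES = 5
FAILURES: Dict[str, int] = {}   # constructed in-memory per-IP failure counter

def client_ip(remote_addr: str, x_forwarded_for: Optional[str]) -> str:
    """Resolve the address an IP policy should key on.
    X-Forwarded-For is client-controlled unless the TCP peer is a trusted proxy,
    so for a direct connection the header is ignored entirely."""
    if remote_addr not in TRUSTED_PROXIES or not x_forwarded_for:
        return remote_addr
    # Walk the chain right-to-left: the rightmost entries were appended by our own
    # proxies; the first hop that is not a trusted proxy is the real client. Anything
    # further left was supplied by the client and is never used.
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return remote_addr          # malformed header: fall back to the peer address
        if hop not in TRUSTED_PROXIES:
            return hop
    return remote_addr                  # only proxies in the chain: key on the peer

def login_allowed(remote_addr: str, x_forwarded_for: Optional[str]) -> bool:
    """IP policy check keyed on the resolved address, not on the raw header."""
    return FAILURES.get(client_ip(remote_addr, x_forwarded_for), 0) < MAX_FAILURES

def record_failure(remote_addr: str, x_forwarded_for: Optional[str]) -> int:
    """Count a failed login against the resolved address and return the new total."""
    ip = client_ip(remote_addr, x_forwarded_for)
    FAILURES[ip] = FAILURES.get(ip, 0) + 1
    return FAILURES[ip]
```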

Related reference

	https://www.owasp.org/index.php/Testing_for_Captcha_(OWASP-AT-008)
	http://www.mcafee.com/uk/resources/white-papers/foundstone/wp-attacking-captchas-for-fun-profit.pdf
	http://drops.wooyun.org/tips/141

Today's summary:

Today's topic was brute force cracking and verification code security. It was basically the use of some tools and of the brute force function in Burp that I learned before. Today there are still two problems. One: when facing an IP block after multiple wrong attempts, is there any way to deal with it?
The second is about randomness, that is to say, a lot of randomness is now "pseudorandom". Is there any simple pseudorandomness that can be used for penetration?

Supplemental update
I asked the teacher. In the face of an IP block after multiple incorrect attempts, we can use X-Forwarded-For in the request header to forge our own IP, add the IP as a variable, or change it to 192.168.0.1 as a disguise and try it out. This function will also be used later to get around a WAF, or use a crawler proxy (I don't understand this very well yet; I will learn it when learning crawlers).


Origin blog.csdn.net/weixin_43079958/article/details/105523087