Verification code bypass (high risk)

Risk level: High

Risk description: The server does not verify the verification code a second time. By modifying the value returned by the server, an attacker can jump straight to the set-new-password page and then reset the user's password;

Risk analysis: By tampering with the returned data packet, the SMS/email verification code can be bypassed and the account password reset directly;

Risk repair: The server performs a second check of the mobile phone/email verification code when the new password is submitted;




What is a verification code?

CAPTCHA is short for "Completely Automated Public Turing test to tell Computers and Humans Apart". It is a program algorithm used to distinguish computers from humans: the program must be able to generate and grade tests that humans can pass easily but computers cannot.

Principle of verification code mechanism

The client initiates a request -> the server responds, creates a new SessionID and generates a random verification code, and returns the verification code and SessionID to the client -> the client submits the verification code together with the SessionID to the server -> the server verifies the code, destroys the current session at the same time, and returns the result to the client.



The importance of the verification code (preventing authentication-related attacks)

For example:

Login: without a verification code, attackers can illegally take over user accounts through brute force cracking.

Registration: a program creates spam accounts in batches.

Avoiding spam and DDoS:

If the website has a form submission function that must be reviewed by the site administrator, a large number of spam forms may be generated, which slows down access to the website, increases the administrator's workload, and may deny service to some legitimate users.

Email/SMS bombing (high risk)

If there is no effective verification protection, a malicious attacker can use a program to send a large amount of spam to the target. The SMS verification function can send any number of verification codes to the bound mobile phone;

This vulnerability can send verification messages to the bound mobile phone; a self-written script can traverse bank card numbers and send any number of short messages, which affects the user experience and causes excessive consumption of the SMS service;



Verification code security vulnerabilities:

Verification code bypass:
The two common verification mechanisms are image verification codes and SMS verification codes. A verification code exists to prevent automated attacks, but if it is poorly designed it is useless.

Picture verification code bypass:
Several common scenarios in which picture verification codes are bypassed: the picture verification code can be reused after being entered correctly once; the picture verification code is only verified on the front end; the picture verification code is easily recognized by software; the verification code is returned to the client; and so on.

1. The verification code does not refresh

After a wrong login password, the value in the session is not updated and the verification code does not change. A verification code that does not refresh usually occurs in two forms: unconditional non-refresh and conditional non-refresh.

1.1 Do not refresh unconditionally

Within a certain period of time, no matter how many logins fail, the same verification code can be used to brute force the user account indefinitely as long as the page is not refreshed.

1.2 Conditionally not refresh

After the login fails, the system opens a new page or pops up a warning window telling the user that the login failed; clicking OK returns to the login interface and refreshes the verification code. In this case, as long as the new window or pop-up is not closed, the Intruder module of Burp Suite can be used to brute force the login.

2. The verification code can be obtained from the front end

Developers sometimes hide the verification code in the website's source code or in the request's cookie; both cases are easily bypassed.

2.1 The verification code is hidden in the source code

Press Ctrl+U to view the page source and search for the verification code. Once a match is found, a tool can extract the verification code from the source and insert it into the message of each request to crack the account.

2.2 The verification code is hidden in the Cookie

Submit the login, capture the packet, and analyze the Cookie field in the packet for a matching verification code, or a verification code after some simple encoding or encryption.

3. Verification code null value bypass

Null-value bypass: by directly deleting the verification code parameter or its value in the cookie, the server-side judgment is skipped and brute force cracking becomes possible.

4. The verification code is easy to identify

During vulnerability mining, if the login verification code is very simple and easy to recognize, automated tools such as PKAV's HTTP Fuzzer can be used to crack the login.
Reference blog: PKAV tool blasting (automation tool)
(Note that verification code mechanisms are now often interactive, so the success rate of blasting with automated tools is very low!)



Possible security issues between client and server

Possible security issues on the client

  1. The website's verification code is generated by local JS and only verified by local JS. JS can be disabled locally and the verification field deleted with the Burp Suite tool.
  2. The website outputs the verification code into the client HTML, or sends it to the client in a Cookie or in the response headers.
  3. The website does not display a verification code by default, only after a certain number of wrong entries. The developer may write a loginErr mark in the Cookie to record the number of errors; by submitting repeatedly without updating the loginErr value in the Cookie, the verification code never appears.

Possible security issues on the server

  1. The verification code does not expire. Failing to destroy the session in time allows the same verification code to be used repeatedly; the attacker can carry a fixed sessionID and a fixed verification code string in the Cookie.

  2. The verification code is not checked for emptiness, so the verification code parameter can simply be deleted.



Verification code bypass vulnerability process and repair suggestions:

The functional flow programmers generally design for the verification code is: first check whether the user's mobile phone number has the normal length of a phone number, then check whether the phone number is mixed with malicious parameters, and once it passes, send the verification code to the phone.
In such a design, however, the verification code can be bypassed by sending directly;

Suggested solution: add more filter conditions for judgment and verification. For example, after the mobile phone number is submitted, the server checks whether the number the code is sent to is the same mobile phone number, and so on.
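The following is an added example (not code from the original blog) of the reset flow discussed in the "high risk" entry at the top and in the paragraph above: the code goes only to the phone bound to the account (a client-supplied number is ignored), and the set-password step requires a server-issued ticket that only a correct code creates, so a tampered response cannot skip the second check. PasswordResetFlow and its methods are hypothetical names.

```python
import hmac
import secrets


class PasswordResetFlow:
    """Hypothetical three-step reset: request code -> verify code -> set password.

    The server never trusts a client-supplied phone number or a client-side
    "verified" flag; the final step needs a ticket that only verify_code issues.
    """

    def __init__(self, accounts, send_sms):
        self.accounts = accounts    # username -> {"phone": ..., "password": ...}
        self.send_sms = send_sms    # callable(phone, code); a real gateway in production
        self._codes = {}            # username -> pending code (one at a time)
        self._tickets = {}          # reset ticket -> username

    def request_code(self, username, client_phone=None):
        account = self.accounts.get(username)
        if account is None:
            return False
        phone = account["phone"]    # client_phone is deliberately ignored
        code = "".join(secrets.choice("0123456789") for _ in range(6))
        self._codes[username] = code
        self.send_sms(phone, code)
        return True

    def verify_code(self, username, submitted):
        if not isinstance(submitted, str) or not submitted:
            return None             # null-value bypass: reject without consuming the code
        expected = self._codes.pop(username, None)   # single use, also on a wrong guess
        if expected is None:
            return None
        if not hmac.compare_digest(expected.encode(), submitted.encode()):
            return None
        ticket = secrets.token_urlsafe(32)           # opaque, unguessable, server-side
        self._tickets[ticket] = username
        return ticket

    def set_password(self, ticket, new_password):
        username = self._tickets.pop(ticket, None)   # the second check happens here
        if username is None:
            return False            # no valid ticket: a forged "verified" response fails
        self.accounts[username]["password"] = new_password
        return True
```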




Talk about "Verification Code"

What do we generally use verification codes for?

<1> Preventing login brute force cracking
<2> Preventing malicious registration by machines

1. Authentication process of the verification code. The client requests the login page and the back end generates the verification code:
<1>. The back end uses an algorithm to generate a picture, and the picture is sent to the client as the response;
<2>. At the same time, the value generated by the algorithm is stored in the SESSION;

2. Verifying the verification code:
<1>. The client submits the authentication information together with the verification code;
<2>. The back end compares the submitted verification code with the one in the SESSION;

3. The client refreshes the page and a new verification code is generated:
<1>. The verification code algorithm generally contains a random function, so the code changes on every refresh;
<2>. The verification code expires;

Generating and checking the verification code on the front end is very unreliable from a security standpoint.



Design a secure verification code (secure process + complex graphics)

  1. When the verification code is generated on the front end and verified on the back end, its validity period and number of uses must be limited, and the graphics must be complex;

  2. Count and limit failed authentication submissions, and destroy the verification code once it has been used; this effectively prevents brute force cracking;

  3. Two-factor authentication:
    A token is a set of random numbers generated in the back-end code. On every login a hidden random number is added to the account and password for verification, which enhances security. The general approach: output the token in the form as a hidden field (type='hidden'), submit it together with the authentication data, and verify it on the back end.
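An added example (not from the original blog) of the server-side store described in the mechanism section, the server-side issue list and the three design points above: each code is bound to the session and to a hidden form token, expires, is single use, rejects empty values and is destroyed after a few wrong guesses, so it can neither be replayed nor brute forced. CaptchaStore and its methods are hypothetical names; the clock is injectable only so the expiry can be exercised offline.

```python
import hmac
import secrets
import time


class CaptchaStore:
    """Hypothetical server-side store for one-time verification codes."""

    def __init__(self, ttl_seconds=120, max_attempts=3, clock=time.time):
        self.ttl = ttl_seconds
        self.max_attempts = max_attempts
        self.clock = clock   # injectable for tests
        self._codes = {}     # session_id -> {"code", "token", "expires", "attempts"}

    def issue(self, session_id, length=6):
        # A fresh random code and hidden form token on every issue (no reuse on refresh)
        code = "".join(secrets.choice("0123456789") for _ in range(length))
        token = secrets.token_urlsafe(16)
        self._codes[session_id] = {"code": code, "token": token,
                                   "expires": self.clock() + self.ttl, "attempts": 0}
        return code, token

    def verify(self, session_id, submitted_code, submitted_token):
        entry = self._codes.get(session_id)
        if entry is None:
            return False, "no code issued for this session"   # also what a replay sees
        if self.clock() > entry["expires"]:
            del self._codes[session_id]
            return False, "expired"
        if not isinstance(submitted_code, str) or not submitted_code \
                or not isinstance(submitted_token, str) or not submitted_token:
            return False, "empty code or token"               # null-value bypass blocked
        code_ok = hmac.compare_digest(entry["code"].encode(), submitted_code.encode())
        token_ok = hmac.compare_digest(entry["token"].encode(), submitted_token.encode())
        if code_ok and token_ok:
            del self._codes[session_id]                       # single use: destroy on success
            return True, "ok"
        entry["attempts"] += 1
        if entry["attempts"] >= self.max_attempts:
            del self._codes[session_id]                       # lock: a new code must be issued
            return False, "locked"
        return False, "wrong code"
```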



Vulnerability summary:

In website penetration tests, verification code bypass vulnerabilities are fairly common. When designing the verification code function, programmers generally do not anticipate maliciously constructed parameters being submitted directly, so the server side does no filtering and the verification step is bypassed outright. This typically occurs in the password retrieval and user registration functions of a website, and wherever modifying important information requires verification code checking.

There are many types of verification codes on the website: graphic verification codes, SMS verification codes, and email verification codes.

Graphic verification code: after a verification code has been obtained, the historical verification code in the database can still be used normally, which lets the website's verification code function be bypassed.

A possible attack consequence is continuous submission of registrations, causing the number of member accounts in the database to grow, a large number of robot registrations, and congestion of the server and database.

SMS verification code bypass: password retrieval generally requires obtaining a verification code. SMS verification codes are usually 3-7 digits, and blasting them with an automated tool can quickly guess the code.




Verification code replay attack (medium risk)

Vulnerability description: when submitting information, the entered verification code is captured and replayed; the verification code is not reset or updated during the replay, so information can be submitted repeatedly, which may enable replay attacks;

Risk analysis: a malicious attacker may replay requests, for example to send repeated messages or register maliciously;

Repair plan: the back end verifies the verification code's usage count and validity period;

Reference blog:

https://blog.csdn.net/weixin_39190897/article/details/86539542
https://blog.csdn.net/dongfang1924/article/details/101613215
https://jingyan.baidu.com/article/b87fe19e5648575218356890.html

Source: blog.csdn.net/weixin_46700042/article/details/109051503