Let us try a brute force attack.
1) Open Gmail. http://www.gmail.com/
2) You have to have a Gmail account to appreciate what I am trying to say.
3) Log in with a set of standard brute force attack credentials:
Login id: a
Password: abcdefgh
4) The page posts back and you see a new page with a "captcha" shown.
5) Now try again with another such set of credentials:
Login id: aa
Password: abcdefghi
6) Don't enter the captcha.
7) Click on Enter; you will find that the page posts back and a new captcha is now shown on the screen.
8) Last step: now enter your valid credentials (a valid username, password combination).
9) Don't enter the captcha, and you will find that you are able to log in and see your inbox.
HUUUUUUUUUUUUUUUUUUUUHHHHH !!!!!!
What was the purpose for which the captcha was designed?
Simple: so that there are no more brute force attacks on any online portal.
The challenge shown can be analysed only by a human.
So if a person doesn't enter the captcha, the page shouldn't post back and the server shouldn't validate the request.
But there I was:
1) I was able to get the page to post back without entering the captcha.
2) I was able to log in without typing the captcha.
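The failure described above is a challenge that is rendered in the page but never enforced on the server: the credentials are checked first, and the captcha only decorates the response to a failed attempt. As an added illustration (my own sketch, not the post's code and not Gmail's actual implementation), here is a minimal login handler with that flawed ordering beside a corrected one; the user store, the failure threshold and the session shape are constructed assumptions.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed sample user store; a plain string compare stands in for real password hashing.
USERS = {"alice": "correct-horse"}
FAILURES_BEFORE_CAPTCHA = 1   # assumed threshold: challenge after the first failed attempt


@dataclass
class Session:
    failures: int = 0
    captcha_answer: Optional[str] = None   # answer the server expects; None = no challenge issued


def issue_captcha(session: Session) -> str:
    """Generate a fresh challenge and remember its answer server-side."""
    session.captcha_answer = secrets.token_hex(3)
    return session.captcha_answer


def login_weak(session: Session, user: str, password: str, captcha: Optional[str] = None) -> str:
    """Flawed flow: credentials are validated first, so a correct password is
    accepted even while a captcha challenge is outstanding and unanswered."""
    if USERS.get(user) == password:
        return "inbox"
    session.failures += 1
    if session.failures >= FAILURES_BEFORE_CAPTCHA:
        issue_captcha(session)
        return "captcha"
    return "retry"


def login_fixed(session: Session, user: str, password: str, captcha: Optional[str] = None) -> str:
    """Corrected flow: once a challenge has been issued it must be answered correctly
    before the server even looks at the credentials; a wrong or missing answer
    gets a fresh challenge, and a solved challenge is single-use."""
    if session.captcha_answer is not None:
        if captcha is None or not secrets.compare_digest(captcha, session.captcha_answer):
            issue_captcha(session)
            return "captcha"
        session.captcha_answer = None   # challenge consumed
    if USERS.get(user) == password:
        session.failures = 0
        return "inbox"
    session.failures += 1
    if session.failures >= FAILURES_BEFORE_CAPTCHA:
        issue_captcha(session)
        return "captcha"
    return "retry"
```

Run both handlers through the post's sequence (two junk attempts, then valid credentials with no captcha) and only the weak one returns the inbox; the fixed one keeps answering with a new challenge until it is solved.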
Gmail still rocks though !!!
5 comments:
Hey! You should have sent the link of your blog along with your SOP... all their doubts on your interest in cryptography and the not-so-cryptic headlines of our news channels would have been cleared beyond any doubt!! ..btw there is a captcha to post a comment on your blog as well.. this does work ;)
Hehe, that sure does work.
Damn Microsoft.
Please write on "Windows doesn't work on PC!!"
My phone isn't working, will you repair it?
Do it, darling, then I'll write about "Windows doesn't work on PC".
Looks like you are working for Google, not for Microsoft. Or Microsoft is paying you money for finding bugs in Google...