Web Application Security Forum - Robots/Spiders/CAPTCHAs, oh my

lssbot (no replies)

infinity — Fri, 30 Mar 2012 10:31:30 -0500

Here is another bad bot for the blocking list, seen today:

User-Agent: lssbot
IP: 68.68.3.114
rDNS: 68-68-3-114.applecreek.pathcom.com
robots.txt: no

Recursively scraped the entire website, including SVG ressources and some honeypot pages with autogenerated rubbish.

Purpose: unknown.

Dealing with SEO/URL Rewrites (2 replies)

ethicalhack3r — Thu, 30 Jun 2011 12:00:54 -0500

Hi,

I've been thinking about how spiders work in the context of black box web application scanners.

On a very basic level all the spider does is regex for href attributes which are part of the same domain, enqueues them, visits them and so on and so forth.

There becomes a point when there must be a cut off point, and you simply can't follow every href forever. This is partly achieved by setting link depth, keeping a memory of the depth of the links checked and go no further than the cut off point. This helps set a certain limit, but with link depth alone, a spider can still take a hell of a long time to complete.

What if the following scenario happens:

http://www.example.com/date.php?day=1&month=1&year=2011
http://www.example.com/date.php?day=2&month=1&year=2011
http://www.example.com/date.php?day=3&month=1&year=2011
http://www.example.com/date.php?day=4&month=1&year=2011
...

Our link depth would be rendered useless and we would be potentially stuck in an infinite loop as the day/month/year values continue increasing until PHP hits some type of limit.

To resolve the above problem we simply only visit a certain path/page x amount of times. If we have seen the date.php page more than 20 times, move on, don't visit it again. That solves that problem.

Now. This is where my my question lies.

We have some Search Engine Optamisation at play with url rewriting.

So, if we take the above example url, we have:

http://www.example.com/date.php?day=1&month=1&year=2011 => http://www.example.com/1_1_2011.html
http://www.example.com/date.php?day=2&month=1&year=2011 => http://www.example.com/2_1_2011.html
http://www.example.com/date.php?day=3&month=1&year=2011 => http://www.example.com/3_1_2011.html
http://www.example.com/date.php?day=4&month=1&year=2011 => http://www.example.com/4_1_2011.html
...

Now, again our spider will get stuck in an infinite loop.

The one solution I have thought of is the following but not sure if it will work or if there are better ways of doing it.

We strip all non html tags from the html response body, create a hash and then use the hash to compare all future pages against, if we see the hash more than x times, move on, don't visit again.

Is this how web spiders overcome the above problem? Are there other solutions?

Thank you,
Ryan

PHPCaptcha / SecurImage (2 replies)

doodlefish — Sun, 19 Jun 2011 09:50:01 -0500

A nice bypass for PHPCaptcha and Securimage was posted to full disclosure a few hrs ago.

http://seclists.org/fulldisclosure/2011/May/417

Proof of concept code can be downloaded from

http://www.senseofsecurity.com.au/advisories/SOS-11-007.zip

reCAPTCHA has been broken! (1 reply)

Skuld — Wed, 04 Aug 2010 14:06:25 -0500

Apparently the audio captcha from reCAPTCHA doesn't actually validate anything, it only looks for a certain number of words. Just click on the audio captcha option and type in ten random words to pass the captcha. Seems like a hell of a bug to me, hope it's fixed soon.

Scanning CAPTCHA Enabled Sites (1 reply)

spivey — Mon, 31 Aug 2009 17:39:51 -0500

Was wondering if anyone had any advice on the best way to attempt to scan sites that have CAPTCHA enabled. In this case, its a little bit interesting in that the site that we're scanning basically consists of one URL that submits registration information off to another site and that site returns a confirmation. This one page is CAPTCHA enabled and there's no way of getting around that. We're scanning with WebInspect and, while they have a recommended method of running 'interactive scans' by recording a web form, it simply prompts us over and over for the CAPTHA code in order to run through its sleuth of checks.

Is there another tool or recommended testing method to effectively scan a site like this? Thanks.

Worm code (22 replies)

SpoofGhost — Thu, 12 Nov 2009 08:50:28 -0600

Hi there, its been a while since i've posted something here.

i already appoligize for my bad engish ;p

but as i'm continueing one of my projects i'm asking for some info and help.
i'm curently working on a worm for a very big community site. not to harm but to learn. anyway i manged to find 2 bugs 1 was rather useless and the second one is
use full but quite hard to exploit tho i manged to exploit it anyway ;p.

the problem with that bug is that it exisit on a cashed site i believe! anyway every 4 ~ 10 min i have to send out a request with the payload this is becouse some how the site is lost afther that period of time.

Anyway i made some fancy php script wich does that for me with Curl and cronjobs
also i had to update the link every time i did got a new link from the request
i already knew that it isn't very handy couse if it spreads exponentionaly eventually it will crash the script due to over load. so i tought out someting else. the site is some what stupid as they you can send an email to yourself if you lost your password to recover it so i'm aiming on that weakness in there site.
its easy to change the mail with the xss bug.

the only thing that i now have to do is automaticly login to a email account like hotmail or gmail with curl orso. i already manged to login to gmail but i couln't read out emails that is the problem so does anyone has some code or some explanation or anyting else wich can help me further on reading out the emails from gmail or hotmail or so ever.

anyway if this project is done i will show you my code. its quite alot and i'm sure it can be improved alot as well. but this is actually my first attempt on a
"bot alike code" with php/javascript and xss holes.

I might going to try to create a multiple site xss worm wich will search for weaknesses in other site. i was thinking on using xssed's xss database to search for common bugs in site's to spread it self among other site's as well tho it might be tricky to create such a self coding worm. but this way you could create a worm wich would track down a certain user and gathering info about him.

anyway this sounds very intresting to me becouse i don't think it has done befor and if u ask me the potential for such an attack is there. as there are already xss scanners etc wich can be implemented into a worm to track down new hole's to spread its self to.

yours spoof-ghost.

Lots of vists from Wheaton, IL - Network Location: pppox pool se12.emhril 121307 0145 (1 reply)

jkashu — Fri, 22 May 2009 18:19:09 -0500

This network location: pppox pool se12.emhril 121307 0145 gave my website between 500 and 1500 on each of the days May 10, 11, and 20. Each visit lasted less than a second.

For perspective, my sites gets about 100 unique visitors a day.

Nothing suspicious has been seen except this information from Google analytics.

Any thoughts? Is this a spider of some sort??

Thanks! By the way, my site is a free site that members can signup and get stock market news, etc.

4chan beats reCaptcha by attacking the process (3 replies)

wireghoul — Wed, 10 Jun 2009 19:45:56 -0500

http://musicmachinery.com/2009/04/27/moot-wins-time-inc-loses/

CAPTCHA verification/security code solver extension (2 replies)

csharpp — Tue, 07 Apr 2009 14:50:35 -0500

Have you seen the NoCaptcha browser extension? It solves CAPTCHAs automatically. http://www.nocaptcha.com
What do you think?

window based puzzeles as CAPTCHA? (no replies)

backbone — Wed, 01 Apr 2009 11:09:28 -0500

lately while browsing chrome experiments I found out the image/video puzzle experiment... besides the fact that the pieces of the puzzle are in different browser windows, the fact that videos are used also, it would be a perfect candidate for CAPTCHA...

3D Captcha's (3 replies)

Spyware — Fri, 03 Apr 2009 01:45:25 -0500

Just saw this on Slashdot. See it in action here.

Don't really like this one; seems like it's very easy to break at first sight.

What do you guys think?

decode base64 (3 replies)

chunk — Sat, 07 Mar 2009 11:53:19 -0600

how to decode base64 password pls?

Sliceya CAPTCHA (7 replies)

Gareth Heyes — Thu, 05 Mar 2009 15:14:39 -0600

Yep me again. I don't give up this CAPTCHA stuff. Here is another attempt:-

http://www.thespanner.co.uk/2009/01/15/sliceya-captcha/

Any comments or suggestions appreciated thanks

captcha (1 reply)

royfdvorak23 — Mon, 22 Sep 2008 08:12:29 -0500

I am a captcha newbie so I do not how sophisticated my idea for a captcha would be.

Using PHP:
Define a seed string of upper and lower case letters, plus numbers.
Generate a random string of 512 or 1024 or whatever length long.
Divide the length of the generated string by the number of characters in the captcha string - call this number 'Nindex'
Generate a random number between 0 and Nindex.
Use this new random number as an index into the random string.
From that index, pick out the number of characters required for the catcha string.
Now display these characters vertically for the form user to re-enter.

How easily could you experts break this captcha ?

Regards

PHP LD CAPTCHA (9 replies)

peeyushgulati — Wed, 08 Oct 2008 09:31:42 -0500

I need help in Breaking CAPTCHA.
I need to Break PHP LD versions of CAPTCHA.

Could some one give some idea not the solution !!!!!!

Peeyush Gulati

Clickable captcha (10 replies)

PaPPy — Tue, 08 Jul 2008 15:35:56 -0500

what do yall think of these?
instead of entering the confusing number, just click on it

easy to defeat? im guessing...?

ive made some modifications to the second one

http://6tx.net/sc/form.php
http://6tx.net/sc2/

what do yall think?

Rapidshare's 3D CAPTCHA... (7 replies)

istari — Fri, 04 Jul 2008 09:00:14 -0500

I just noticed this:

Now there's some innovation here: I haven't seen 3D letters + perspective view anywhere else, and even though it's pretty much human readable, I think it'll give bots some very hard work. I for one wouldn't know how to deal with this...

Any ideas? What do you think?

What about this Captcha? (4 replies)

GenericUsername — Fri, 10 Oct 2008 21:57:10 -0500

This (TASvideos) one seems kinda interesting, combining text overlayed on a image, with a random pick the X code with the Y color...

It looks like it could be defeated with a special reader though...

uberBOT (no replies)

rohanpinto — Tue, 29 Apr 2008 18:11:05 -0500

[]

Spiders, title tag parsing, XSS (2 replies)

Ivan — Mon, 07 Apr 2008 13:40:16 -0500

Hello everyone,

I put some html pages on my website with special title tag, with hope that I will find some vulns in some spiders. As I know, spiders doesn`t use urls from title tag, in order to spider that pages ?

Anyway, that title tags look like this:

1.
2.
3. window.location = 'someurl'
4. /img src="javascript:window.location = 'someurl"/

And, two spiders (MSN and accoonabot) visit "someurl", accoonabot with refer from .html page and MSN without any refer. Both of them came from 1st case of title tag.

I`m asking now, is there some vulns in spiders parsing engine ? Is accoonabot redirected with javascript because there is refer or MSN have some vuln in displaying title tag in their "backend" system ?

I now that this test can be better, but I want to hear first yours opinion ...

Thanks,
Ivan

Botnet With Undetected Server 4Sale (2 replies)

programmer_soda — Fri, 21 Mar 2008 11:20:06 -0500

Hey people my name is soda and i just created a new botnet wanted to share it with yall.... my botnet doesn't use irc it has its own client the bots connect too for an example u can use a no-ip.org account incase your ip changes so once your ip changes all u would have to do is enter your new ip in your dns redirects.... commands are apache,http,icmp,udp works great..... if u are interrested in buying my botnet please contact me on msn my msn is Soda_da_pimp@hotmail.com or u can contact me on yahoo my yahoo my id is The_homeless_hacker@yahoo.com heres a pic of the botnet... http://i30.tinypic.com/16joqc1.jpg you will also get the client and 2 undetectable servers for 25$ Western Union..... so if u are interrested please feel free to contact me thanks for your time....

Codetcha (24 replies)

Gareth Heyes — Sun, 30 Mar 2008 15:23:24 -0500

I've just released this today, it's a technical CAPTCHA targeted at high tech audiences like sla.ckers. It still needs some work but I thought it was a interesting concept,

I used code errors as the method because although a computer can parse syntax errors it usually cannot understand the code behind it. Is this easily breakable? I could introduce more randomisation and different code blocks if so.

http://www.thespanner.co.uk/2008/03/17/codetcha/

Yahoo/Hotmail/Google CAPTCHA Extraction (8 replies)

maluc — Tue, 02 Sep 2008 21:11:17 -0500

When it comes time to test and tweak an algorithm, or just to figure out where it's best to begin, it's helpful to have a large sample size to work with. Below are several php scripts I used to extract out and save 1000 CAPTCHA jpegs or wavs from the major email sites. They work very similar, but each one has subtle changes in parsing.

The URL at the top of each file may need updating when you get ready to run it, since the session variable may have expired.

Yahoo (jpeg)
Hotmail (jpeg)
Hotmail (wav)
Google (jpeg)
Google (wav)
PS - For the sake of others, please don't add/modify things in this pastebin.

-maluc

Google captcha spam (4 replies)

Sandokan — Mon, 03 Mar 2008 12:09:59 -0600

Anyone seen this? thoughts?
http://www.websense.com/securitylabs/blog/blog.php?BlogID=174

Help with Bot identification (no replies)

Stowe — Tue, 12 Feb 2008 15:40:39 -0600

Ok so at first I thought we were hit with some sort of penn test software, upon further investigation it looks more like a bot that's hit many a site. Here is a link to the first post I put in XSS: http://sla.ckers.org/forum/read.php?2,20465

If you plug the email address into google you'll find hundreds of sites hit with this that are CAPTCHA vulnerable.. anyone know if this is a common bot?

Thx,

Stowe

Microsoft's Asirra CAPTCHA: my first thoughts: (2 replies)

Jeffuk — Mon, 18 Feb 2008 19:13:26 -0600

http://research.microsoft.com/asirra/

First there's the really really annoying (and illegal, in the UK) fact, that there's no alternative offered for visually impaired users (this could be solved by the implementation, but there's nothing built-in), it also relies on javascript which is also annoying.

I'd also like to see how the 'ticket' system works, and whether a ticket could be used more than once, etc. I think the devil here is in the web site's implementations.

ALSO.. the 'adopt me' link takes you to a page about the animal in question... this could be used to index the entire database in... assuming one hit per second (zombienet with a dead-drop database somewhere) you're looking at 3,000,000/360 hours ~833 hours to index the database in it's entirety... and indexing even 25% of the database allows you to keep refreshing the selection until you hit 6 you recognise with fairly high reliability.

An interesting CAPTCHA (3 replies)

GenericUsername — Sun, 30 Dec 2007 14:44:05 -0600

From http://stonerocket.net, one of those generic free hosts that make you post.
Basically, it involves distinguishing animals(mostly cats) from objects through the use of radio boxes. It is quite an interesting idea, it uses many images and seems like a computer would not be able to tell unless every image was found and marked as what each type was. The image file names change randomly with the session ID too, but that would not stop a smart bot...

It was an interesting idea anyway.

Month of Bugs in Captchas (no replies)

MustLive — Mon, 22 Oct 2007 19:12:09 -0500

Hello guys!

Informing you about my new project which I announced at last week (http://websecurity.com.ua/1461/).

The time has come for announcement of my new project - Month of Bugs in Captchas. This project will start next month. So November is a month of bugs in Captchas ;-) .

There are a lot of different Captcha systems in Internet and a lot of them are vulnerable. Captchas create only illusion of protection. The purpose of this Month of Bugs is to demonstrate the real state of Captchas’ security, which are using at many web site.

In November 2007 there will be Captchas Apocalypses. A lot of Captchas will be hacked to death. They will die to reborn into new more secure Captchas. The time has come.

Address of the project: http://websecurity.com.ua/category/mobic/

free captcha solving service... (9 replies)

istari — Tue, 23 Oct 2007 19:34:06 -0500

OK, so I found this site, which weirdly enough offers free CAPTCHA solving services. Has anybody heard of it? Does somebody know what's behind the site (proxy, ocr software, etc)? Is it even real, or is it a hoax of some sorts?

Anyway, they say they do it for blind people (and assure you that they don't allow spammers to use their service), and yet they offer an API which would be really handy if one wanted to completely automate the service in order to send spam...

What do you think?

NOTE: I'm not related in any way to this site: just curious about how this works, where's their profit, and how good they are...

Storm Botnet? (8 replies)

citizen535400 — Wed, 10 Oct 2007 17:50:41 -0500

Hi,

I'm very new to this site, and to web security in general. The thing that's really making me curious about this is the storm botnet... It's getting a lot of coverage and baffles me. I read a bit about it on Slashdot, F-Secure, and Wikipedia, but was wondering if there's any detailed information / research / whatever about this that is available? Any help would be appreciated.

Thx.