Using Automated tools for scanning CAPTCHA protected forms


Ravi Pandey

Jun 19, 2013, 7:05:43 AM
to null-...@googlegroups.com
Dear Friends,

I am trying to scan a form protected with a CAPTCHA with tools like sqlmap and Intruder in Burp Suite. But as the CAPTCHA expires after the first request sent by the tool, I am not able to scan it properly.

Is there any way to scan forms protected with a CAPTCHA?

---

Thanks & Regards
Ravi pandey

http://securityexplorer.blogspot.in/


"Don't believe what your eyes are telling you. All they show is limitation."


On Tue, Jun 18, 2013 at 4:41 PM, <null-...@googlegroups.com> wrote:

Group: http://groups.google.com/group/null-co-in/topics

    Vikas Singhal <vikas.pr...@gmail.com> Jun 18 04:01PM +0530  

    I understand the difference between these two flags necessary for cookie protection. What I am not able to figure out is: if the server is using the Secure flag, does it imply HttpOnly by default, or do you have to use both flags together?
     
    Someone, please clarify this.
     
     
    Regards,
    Vikas

     

    Anant Shrivastava <ant2...@gmail.com> Jun 18 04:08PM +0530  

    Secure just says: send only over a secure channel.
    HttpOnly says: do not make it available to the DOM.
     
    You need to specify both.
     
    -Anant
     
    On Tue, Jun 18, 2013 at 4:01 PM, Vikas Singhal

     

    Swift Forensics <swiftfo...@gmail.com> Jun 18 11:24AM +0530  

    Just block the IP for a few hours (or days), plain and simple. As a courtesy, you may try to inform the owner (if you can identify him) about it. I've seen cases where computers were hacked and used as zombies and the computer owners never knew; it's quite common, a smart hacker never uses his own IP.
     
    You won't get any help from the ISP unless you go to them with a police complaint and/or court order. Trying to contact CERT and other agencies for a small, simple matter like this will be a waste of everyone's time, and you are unlikely to see any action unless the web app belongs to, say, Robert Vadra! Now, depending on the severity of the attacks and any impact that has already occurred (not hypotheticals like "if it did get hacked then ..."), you may still want to file a complaint and go that route!
     
    Any web app exposed to the internet is going to get hammered from time to time by all kinds of attack vectors; just learn to live with it and design your own blocking rules. However, don't go overboard with the idea, as it can be disastrous if not implemented properly. There are plenty of guides available on the net for this.
     
    Yogesh Khatri
    www.swiftforensics.com
     
     

     

    Yodha S <y0dh...@gmail.com> Jun 18 11:35AM +0530  

    If it is WordPress there are plenty of plugins to help you blacklist the IP. If it's a custom development, try to throttle your requests AND check for 404 and 500 errors in a particular time period etc...
    +1 to swiftforensics' answer, very well put. Don't panic at an early stage...
    On Jun 18, 2013 11:28 AM, "Swift Forensics" <swiftfo...@gmail.com>
    wrote:
     

     

    Rogue Bull <r09u...@gmail.com> Jun 17 11:53PM -0700  

    Blocking an IP most often is not a solution, as there could be potential customers/legitimate visitors behind that IP. In this IP-scarce world most users access the internet through a NATed IP.
    A practical solution would be to employ a WAF. Incapsula WAF is a SaaS offering and works better than Cloudflare. They offer a free service for <50GB/month bandwidth.
     
    On Monday, June 17, 2013 12:07:31 PM UTC+5:30, Cyb3r0ximoron wrote:

     

    Rogue Bull <r09u...@gmail.com> Jun 17 11:55PM -0700  

    If you are a total control freak then you might also want to experiment with ModSecurity's Core Rule Set. However, there have been bypasses of it available in public.

     

    nithin kumar <nith...@gmail.com> Jun 18 10:33AM +0300  

    Thank you for the inputs.
     
    I know we cannot stay completely secure, and attacks keep happening now and then, despite any hardening, WAF and other controls.
    My specific doubt was about working as a team with the ISP/CERT.
     
    I haven't tried doing it anyway, if I am not wrong, but as per the context of our discussion, the overall security bodies won't be bothered to take any action on it unless it's doing critical damage to us, which also follows the traditional method of filing a complaint and approaching them with our artifacts.
     
    Govt should come up with some methods to closely work with infosec people or with null. It's more of a team effort than a one-man army, just an opinion.
     
    Kudos, thank you guys. :)
     
     

     

    HAREN BHATT <hcb...@gmail.com> Jun 18 01:19PM +0530  

    My views:
     
    ---
     
    - Follow the IR handling policy and procedure in place. If not, get approval from your management for creating one (long-term planning).
     
    - Report this to the attacker's ISP. In turn they might ask for evidence (look into your IS policies and get written approval from your management for sharing the logs). If the management denies sharing the data, you can always hide the target IP/URL.
     
    - Might also share the attacker IP (only) with other internet communities like SANS and DShield, which will help you gather more information about the attack, i.e. is this a targeted attack (with a motive) or a general attack.
     
    - Add the attacker IP with severity 5 on your SIEM tool and set a trigger on the IPS.
     
    - Look for IOCs on the target systems.
     
    - Look for unusual incidents reported to the help desk for the same network segment.
     
    *Last but not least, it would be helpful for all of us if you can share the attacker's IP (someone from this forum might help you with more info).*
     
    ---
     
     
     
     
    --
     
    *Haren*
     
    Haren Bhatt | *hcb...@gmail.com* | http://security-culture.blogspot.com/
     
    *"We Have A Culture Of Security."*
     

     

    Rogue Bull <r09u...@gmail.com> Jun 18 12:13AM -0700  

    I have used Nessus. It has very few false positives and does a good job. I use the filter feature in Nessus quite frequently to send out relevant reports to different teams. I haven't used QualysGuard but it is a very good product too for larger deployments.
     
    This might offer you some insight:
    http://www.redcardsecurity.com/pages/resources_files/MarketScope.pdf
     
    On Saturday, June 15, 2013 4:07:24 PM UTC+5:30, seven wrote:

     

    ashish kamble <technical...@gmail.com> Jun 17 10:57PM +0530  

    Hello Null,
     
    I have pulled out private keys from a hardware switch, which I believe is a potential vulnerability. I wanted to know how I can make use of these private keys or certificates and also if I can test it.
     
     
    Thanks and Regards,

     

    webDEViL <w3bd...@gmail.com> Jun 17 11:09PM +0530  

    To assess the impact, you will have to see if the same private key is
    available on other such devices.
     
     
    On Mon, Jun 17, 2013 at 10:57 PM, ashish kamble <
     
    --
    Regards,
    webDEViL
     
    http://twitter.com/w3bd3vil

     

    ashish kamble <technical...@gmail.com> Jun 17 11:21PM +0530  

    @webDEViL
     
    I didn't understand what you're trying to explain... The firmware I have is for a complete series of a particular device range... please let me know what I should check.
     
     
     

     

    webDEViL <w3bd...@gmail.com> Jun 17 11:33PM +0530  

    If you are picking up the keys from the raw binary then that indicates use on other devices as well. I mainly asked the question to make sure those are not private keys being generated on device setup etc., which basically would mean everyone has a different private key.
    It's hard to say what all you can do with it, but you'll have to figure out what those are used for.
     
    If, say,
    - SSH-based access is granted on those keys, then you can generate keys and login on all such devices.
    - this is used for code signing, you can put executable code signed by the vendor.
    etc.
     
     
     
    On Mon, Jun 17, 2013 at 11:21 PM, ashish kamble <
     
    --
    Regards,
    webDEViL
     
    http://twitter.com/w3bd3vil

     

    eQuiNoX <equinox....@gmail.com> Jun 18 07:29AM +0530  

    In the event that keys are generated on the device, you should check if they are weak keys by trying to obtain multiple private keys and trying to do a group GCD on them. There is a 22C3 talk that discusses this approach (amongst others) in detail. The idea was that low computation power might lead to bad seeding, which leads to weak keys.
     
    -- eq
     
     

     

    ashish kamble <technical...@gmail.com> Jun 18 10:24AM +0530  

    The keys are present in the firmware, which I picked from the site itself... It's for a particular device series... I guess all the devices of that series will use the same firmware... Also there was a previous vulnerability with the same firmware version whereby the credentials were hard coded...
     
    @eQuiNoX: it would be a great help if you provide me the link....
     
     

     

    ashish kamble <technical...@gmail.com> Jun 18 11:18AM +0530  

    Also can anybody help me on how to emulate the firmware... so maybe I could actually test the firmware...
    maybe then the actual use of the keys can be revealed
     
     
     
    On Tue, Jun 18, 2013 at 10:24 AM, ashish kamble <

     

    praveen kumar <prvnk...@gmail.com> Jun 17 11:43AM -0700  

    Hello,
     
    Nowadays on Facebook we can see a lady in a red dress holding an axe.
     
    It says:
     
    [What a Horror], jokingly she lost control of the sharp axe while drunk and axed herself!!..... watch it here: http://tinyurl.com/kjhxl5e/?cid=51b0144660dd6
     
    However, when we click nothing loads for some time. I was suspicious, closed my browser and checked it at VirusTotal. Zero detections found.
     
    Can someone analyze this URL?

     

    prajwal panchmahalkar <panchmahal...@gmail.com> Jun 17 01:49PM -0500  

    Check the source code and look for the scripts in action.
     
     
     
    --
    ==================
    Prajwal Panchmahalkar
    ==================
    C|EH, AFCEH
    Development Lead| Matriux
    Penetration Testing and Forensic Distribution
    <http://www.matriux.com/>
    --------------------------------------
    Research Assistant | Cyber Security, Critical Infrastructure.
    Texas Tech University

     

--
null - Spreading the right Information
null Mailing list charter: http://null.co.in/section/about/null_list_charter/
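The Secure/HttpOnly question quoted in the digest above: an added example, not code from the thread, that audits Set-Cookie headers for each flag separately, since the presence of one does not imply the other. The response headers are constructed for illustration.

```python
# Added example (not from the thread): audit Set-Cookie headers for the Secure
# and HttpOnly attributes separately, since setting one does not imply the other.
# The sample response headers below are constructed for illustration.
from typing import Dict, List, Tuple


def parse_set_cookie(header: str) -> Tuple[str, Dict[str, bool]]:
    """Return (cookie name, {'secure': bool, 'httponly': bool}) for one Set-Cookie value."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Attribute names are case-insensitive; the two flags carry no '=value' part.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return name, {"secure": "secure" in attrs, "httponly": "httponly" in attrs}


def audit_cookies(headers: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Map each cookie set by the response to the list of protection flags it lacks."""
    findings: Dict[str, List[str]] = {}
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        name, flags = parse_set_cookie(value)
        findings[name] = [f for f in ("Secure", "HttpOnly") if not flags[f.lower()]]
    return findings


def session_cookie(name: str, value: str) -> str:
    """Build a Set-Cookie value for a session token that carries both flags."""
    return f"{name}={value}; Path=/; Secure; HttpOnly; SameSite=Lax"


# Constructed sample headers: Secure only, both flags, and neither.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "JSESSIONID=abc123; Path=/; Secure"),
    ("Set-Cookie", "auth=xyz; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "prefs=dark; Path=/"),
]

if __name__ == "__main__":
    for cookie, missing in audit_cookies(SAMPLE_HEADERS).items():
        print(f"{cookie}: missing {', '.join(missing) or 'nothing'}")
```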
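The "group GCD" check that eQuiNoX suggests in the digest above, as an added example rather than code from the thread: a fleet operator runs it over the public moduli of device-generated keys to find keys that share a prime and must be reissued. The moduli are built from small constructed primes so it runs instantly.

```python
# Added example (not from the thread): the "group GCD" audit for keys generated
# on devices. Only public moduli are needed; a shared prime between two moduli
# fully factors both keys. Moduli here are built from small constructed primes.
from itertools import combinations
from math import gcd
from typing import Dict, List, Tuple


def shared_factor_pairs(moduli: List[int]) -> List[Tuple[int, int, int]]:
    """Return (i, j, g) for each pair of moduli with a common factor g > 1."""
    pairs = []
    for (i, n1), (j, n2) in combinations(enumerate(moduli), 2):
        g = gcd(n1, n2)
        if g > 1:
            pairs.append((i, j, g))
    return pairs


def weak_key_report(moduli: List[int]) -> Dict[int, Tuple[int, int]]:
    """Map each key index that shares a prime with another key to its factors (p, q).
    Keys listed here are compromised and must be revoked and reissued."""
    report: Dict[int, Tuple[int, int]] = {}
    for i, j, g in shared_factor_pairs(moduli):
        report[i] = (g, moduli[i] // g)
        report[j] = (g, moduli[j] // g)
    return report


# Constructed fleet of three device keys: keys 0 and 2 share the prime 1009,
# the signature of poor RNG seeding at first boot; key 1 is independent.
FLEET_MODULI = [1009 * 1013, 1019 * 1021, 1009 * 1031]

if __name__ == "__main__":
    for idx, (p, q) in weak_key_report(FLEET_MODULI).items():
        print(f"key {idx}: n = {p} * {q}  (shared factor found, reissue key)")
```

Pairwise GCD is quadratic in the number of keys; at fleet scale the same test is done with a product tree (batch GCD), but the finding is identical.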

Yodha S

Jun 19, 2013, 7:13:42 AM
to null-...@googlegroups.com

The whole aim of CAPTCHA is to block automation

Dr. Nanda Kumar R

Jun 19, 2013, 3:23:04 PM
to null-...@googlegroups.com, null-...@googlegroups.com
Hi,
If you are running in QA you can disable the CAPTCHA by requesting your dev team.

Another way: you can whitelist your IP such that the CAPTCHA does not occur for that IP.


Best,
Dr Nanda

Sent from my iPhone
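The IP whitelist Dr Nanda proposes, as an added example of the server-side decision (not code from the thread): the exemption applies only outside production, and the client address is read from X-Forwarded-For only when the TCP peer is the site's own reverse proxy, since otherwise that header is attacker-controlled. All addresses, environment names and function names are constructed assumptions.

```python
# Added example (not from the thread): server-side decision for the QA whitelist
# suggested above. The whitelist is honoured only outside production, and the
# client address is taken from X-Forwarded-For only when the TCP peer is our own
# reverse proxy. All addresses and names below are constructed assumptions.
import ipaddress
from typing import Optional, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

SCANNER_WHITELIST = {ipaddress.ip_address("10.0.5.25")}  # constructed QA scanner host
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.2")}     # constructed reverse proxy


def client_ip(peer_addr: str, x_forwarded_for: Optional[str]) -> IPAddress:
    """Resolve the real client address. X-Forwarded-For is attacker-controlled
    unless it was appended by a proxy we run, so it is trusted only then."""
    peer = ipaddress.ip_address(peer_addr)
    if peer in TRUSTED_PROXIES and x_forwarded_for:
        # Our proxy appends the address it saw as the last element; anything
        # to the left was supplied by the client and is ignored.
        return ipaddress.ip_address(x_forwarded_for.split(",")[-1].strip())
    return peer


def captcha_required(env: str, peer_addr: str, x_forwarded_for: Optional[str] = None) -> bool:
    """CAPTCHA stays mandatory in production; in QA, whitelisted scanners skip it."""
    if env == "production":
        return True
    return client_ip(peer_addr, x_forwarded_for) not in SCANNER_WHITELIST


if __name__ == "__main__":
    print(captcha_required("qa", "10.0.5.25"))                 # False: scanner, direct
    print(captcha_required("qa", "203.0.113.7", "10.0.5.25"))  # True: spoofed header
```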