We've recently started using the user-friendly website captcha sweet-captcha on our websites. After a recent round of security audits we found a potential vulnerability.
This vulnerability allows an attacker to circumvent the captcha indefinitely after one successful solve.
I've tried contacting the captcha creators regarding this but have not had any response. I am posting here primarily in the hope that my implementation is incorrect and as such a more secure alternative is immediately available.
The captcha is included in our pages, as per the documentation:
<?php echo $sweetcaptcha->get_html() ?>
Most of our websites are DHTML to avoid reloading which is what made us aware of the security issue as follows:
Someone solves the captcha and submits an ajax request to our php web service which includes the necessary captcha keys.
The web service validates the captcha as per the documentation (see $sweetcaptcha->check below), performs some work and then returns its response to the front end.
As the front end is not refreshed, and thus the captcha remains solved, it has become apparent that the same captcha keys can be used again to make as many requests as desired following an initial successful solve.
To solve this security problem we believe the following step should be occurring:
Invalidate the captcha response in the php web service to prevent an individual using the same captcha tokens more than one, e.g. if a call too:
$sweetcaptcha->check(array('sckey' => $_POST['sckey'], 'scvalue' => $_POST['scvalue']))
returns true, it should return false on all subsequent evaluations using the same parameters. That is not happening. Even though we could implement our own backend solution to prevent duplicate validations this would be best solved in the captchas existing code if it should be the case.
If anyone could advise on the above issue that would be greatly appreciated.
Related
Actually this is not a code problem but security problem.
I've got an email from stranger that contain about what he's done to my website.
I don't how he do it but there are proof showing he can get the api and the parameter when clicking button by burpSuite apps
is there anyway to protect website from this checking ?
Please prevent CRSS attack. Can follow the link- https://brightsec.com/blog/cross-site-scirpting-prevention/
I have an application where a container app loads site <inner-site>.com in an iframe. All the ajax calls in the iframe fails due to bad request. This was due to ajax calls not having _csrf cookie in the request. For some reason, iframe doesn't have the identity cookies at-all.
Problem mentioned here: https://gist.github.com/iansltx/18caf551baaa60b79206 and the proposed solution was to remove the same-site requirement for identity cookies. That didn't sound like a good plan.
Then, I found more elegant way to share cookies between sites here: https://gist.github.com/iansltx/18caf551baaa60b79206
I liked the solution since the client and server work together and I could limit who to trust from <inner-site>.
This solution also worked on localhost which was awesome since we have been trying to fix this issue for weeks by now.
However, after deploying the change to the prod, it no longer worked. Not sure what might be causing this issue or if the limitations were more relaxed in localhost that it worked fine.
I'm looking for help figuring out either
why the solution above didn't work for the real server
or if there's another solution for this problem.
I'm using Yii2 but any solution should be applicable. Mentioned Yii2 to see if it might be enforcing some extra limitation or if it has some utility to fix this issue easier.
I am performing a security scan using owasp, which detects a slq injection vulnerability.
When I run it from my Firefox browser monitored with owasp from the HUD and selecting the replay in Borwser option, it
redirects me to a page like this
https://myweb.app/login.php?zapHudReplaceReq=4eca1e78-2bcf-4621-a471
where I can see the session cookie.
The problem is that when I try to run in my browser without owasp's HUD to recreate the attack, the injection doesn't work, it doesn't show me any sql error or anything.
I hope someone can help me please.
The request method is POST through the parameter
pass = myvalidpassword% 27 + AND +% 271% 27% 3D% 271% 27 + - +
so i try to do sql injection but it doesn't work, and i don't know why. Does any boby have an idea?
somebody kwnos how works the zapHudReplaceReq
If you need more information coment in the post.
The ZAP HUD does all sorts of nasty things in order to implement its features I'm afraid :) The zapHudReplaceReq is an internal mechanism that relates to how ZAP works and is unrelated to either you application or the potential SQL injection vulnerability.
You are right to try to reproduce the vulnerability manually and without the HUD, but focus on the details that are in the alert rather than any interactions with the HUD. Make sure you read all of the information in the alert, it should explain why this specific attack appeared to cause problems.
Thanks for the answer.
I have already encountered the problem and it was that when I sent the "wicked request" to the server via the input box, the frontend was modifing the parameters.
So the problem was that special characters were removed from my request, I solved the problem by intersecting traffic and injecting the"evil request" from the raw request.
I also had to modify the request by encoding it with a url encoder that i found on this site
https://www.urlencoder.org/
So I got something like this
pass=mypass% 27 + Y +% 271% 27% 3D% 271% 27 + - +
And so I was able to reproduce the attack and do the injection.
I have a website protected by basic auth, so when someone hits it, they get a standard username/password box. This website is accessed often from shared computers.
Is there any way to prevent the various "Remember my Credentials" functionality on browsers? I would like to prevent any browser from saving this username/password in any client-side repository.
I realize this is purely a function of the browser, but is there any commonly-accepted HTTP header or any other method of asking a website not to do this?
The answer is no. I'm really sorry but even if you could do this how would you stop an independent add-in from scraping web sites for username and password boxes and then storing that information.
Even if this were possible in code it could be easily circumvented by simply ignoring any directives you give. Thus rendering such headers pointless.
As stated before it is not possible to circumvent a browser feature it could easily save the credentials before it sent the POST thus stopping anything on the server from preventing it being cached.
I'm implementing a voting system like Stackoverflow's. How can I implement this so it is hack proof?
I've got some PHP that does database work according to the ajax request sent after the javascript parses it. Would doing a query to check the current vote state of a user be enough to avoid unauthorised votes?
It is definitely possible to implement pretty reliable solution. But this must be done server-side.
Basic rule of security: you don't trust client data.
Move all your checks to PHP and make your javascript as dumb as
$(".vote").click(function(e) {
$.post('/vote.php', vote_data, function(result) {
// update UI according to returned result
}
}
It's a common thing, however, to still do checks on the client, but as a way to improve usability (mark required form fields that weren't filled) or reduce server load (by not sending obviously incomplete data). These client checks are for user's comfort, not for your security.
Answering to your updated question:
If you store full log of when which user voted for which question, then yes, it's pretty easy to prevent multiple voting (when user can vote for the same thing several times). Assuming, of course, that anonymous votes are not allowed.
But if you have a popular site, this log can get pretty big and be a problem. Some systems try to get away by disabling voting on old articles (and removing corresponding log entries).
What if someone intentionally tries to hack me?
There are different types of attacks a malicious user can perform.
CSRF (cross-site request forgery)
The article lists some methods for preventing the attack. Modern Ruby on Rails has built-in protection, enabled by default. Don't know how it is in PHP world.
Clickjacking
This attack tricks users into clicking on something what isn't what they think. For example, they may click "Play video", but the site will intercept this click and post on user's wall instead.
There are some articles on the Web as well.
Wiki on clickjacking
5 ways to prevent clickjacking
Javascript to prevent clickjacking
NOTE: THIS IS AN ANSWER TO THE ORIGINAL QUESTIONDon't downvote it just because the OP radically changed his question.
It's a huge error even just thinking of relying on browser-side components to enforce application logic. Javascript should be used, in untrusted environments, exclusively for presentation purposes.
All application logic should be implemented, validated and enforced server-side.