The verification code is one of the techniques commonly used on the Internet and is known in short as CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart). In many cases, introducing a verification code can effectively stop automated replay behavior.
Some verification codes are easy to recognize, while others are difficult. The CAPTCHA was developed to distinguish people from machines; however, if the design of the verification code is too complicated, people cannot recognize it either, so the verification code is a double-edged sword. Where there is a verification code, there are cracking techniques. Apart from image algorithms that recognize verification codes, flaws in the web implementation can also help in cracking them. Code verification consists of checking whether the plaintext a user submits matches the server-side verification code saved in plaintext in the session. Earlier verification systems had a loophole here: the stored verification code was not invalidated after it had been used, so the same session ID could submit the same verification code again and again:
POST /vuln_script.php HTTP/1.0
This request could be resent repeatedly, with the verification code accepted every time, until the session ID expired.
The pseudocode of this flaw is similar to the following:
if form_submitted and captcha_stored != "" and captcha_sent == captcha_stored then
    process_form()
Fixing this is easy: clear the stored code as soon as it has been used, so that each code can be submitted only once.
if form_submitted and captcha_stored != "" and captcha_sent == captcha_stored then
    captcha_stored = ""
    process_form()
There is another verification code implementation in which all the verification code images are generated in advance, and a string is used as the filename of each image. When a verification code is needed, a pre-generated image is returned directly from the image server. The original idea of this design was to improve performance.
But there is a flaw in how the filenames of the verification code images are chosen. An attacker can enumerate all the CAPTCHA images in advance and record the relationship between each image and its plaintext, forming a rainbow table that renders the verification code useless. The filenames should be randomized to satisfy the unpredictability principle.
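The two implementation flaws above, the replayable stored code and the predictable image filename, as an added example that is not part of the original text. It is a stand-alone simulation of the server side in Python with an in-memory session standing in for the web framework's session object; it goes slightly beyond the text by also consuming the stored code on a failed guess, so a single stored code cannot be guessed at repeatedly.

```python
import hmac
import secrets

# Constructed stand-in for a server-side session store (a plain dict).
class Session(dict):
    pass

def issue_captcha(session: Session, length: int = 5) -> str:
    """Generate a fresh code, store it server-side, and return the name under
    which the image would be served. The name is a random token unrelated to
    the plaintext, so the image set cannot be enumerated into a lookup table."""
    alphabet = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"   # no ambiguous 0/O, 1/I
    session["captcha_stored"] = "".join(secrets.choice(alphabet) for _ in range(length))
    return secrets.token_urlsafe(16) + ".png"       # never derived from the code

def verify_vulnerable(session: Session, captcha_sent: str) -> bool:
    """The flawed check from the text: the stored code is never cleared,
    so the same code is accepted for as long as the session lives."""
    stored = session.get("captcha_stored", "")
    if stored != "" and captcha_sent == stored:
        return True          # process_form() would run here
    return False

def verify_fixed(session: Session, captcha_sent: str) -> bool:
    """The fix: the stored code is consumed on every attempt, so each code is
    good for exactly one submission. Comparison is constant-time."""
    stored = session.pop("captcha_stored", "")      # clear it whatever happens
    if stored == "":
        return False         # no outstanding challenge for this session
    return hmac.compare_digest(stored.encode(), captcha_sent.encode())

def count_accepted_replays(verify, attempts: int = 3) -> int:
    """Issue one code, then submit the correct value `attempts` times on the
    same session and count how many submissions the checker accepts."""
    session = Session()
    issue_captcha(session)
    code = session["captcha_stored"]               # what a human would type
    return sum(1 for _ in range(attempts) if verify(session, code))

if __name__ == "__main__":
    print("vulnerable checker accepted:", count_accepted_replays(verify_vulnerable))  # 3
    print("fixed checker accepted:     ", count_accepted_replays(verify_fixed))       # 1
```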
As technology has advanced, the algorithms used to crack verification codes have become increasingly sophisticated, and many verification codes can now be recognized with image-processing techniques.