Captcha Security Alert

4 posts, 0 answers
  1. Muhammet Taha YILDIRIM
    2 posts
    Member since:
    Sep 2012

    Posted 28 Jan 2011

    I have an information form in my web application that is validated via captcha, which is really important for me.
    The captcha's default source link looks like this: (mydomain/Telerik.Web.UI.WebResource.axd?type=rca&guid=e0616d29-d122-4be0-9b0f-bd6676a0c15c)

    If an XSS attack makes some changes to the requested parameter "guid", an empty image is returned and RadCaptcha.IsValid is set to false, OK, but if the requested parameter "guid" is set to empty or a space character, the captcha returns empty and RadCaptcha.IsValid is set to TRUE.

    Example source: (mydomain/Telerik.Web.UI.WebResource.axd?type=rca&guid= )

    Any ideas? Thanks.
  2. Pero
    Admin
    1156 posts

    Posted 28 Jan 2011

    Hello Muhammet,

    It is not possible to bypass the Captcha security by simply changing the guid key of the QueryString. The guid is used to get the correct image from the Server Cache or Session, so it can be shown to the user. It does not contain any information about the code displayed on the image. To show this, I have created a sample project that replaces the guid value with an empty string using JavaScript and loads a new Literal control if the Captcha security was bypassed. Please find it attached to the thread.

    Could you please send us the problematic page with the RadCaptcha control?

    Greetings,
    Pero
    the Telerik team
    Browse the vast support resources we have to jump start your development with RadControls for ASP.NET AJAX. See how to integrate our AJAX controls seamlessly in SharePoint 2007/2010 visiting our common SharePoint portal.
  4. Muhammet Taha YILDIRIM
    2 posts
    Member since:
    Sep 2012

    Posted 12 Feb 2011

    Hello, thanks for your reply.

    I have changed only the validation tag in your attached project. Can you check the code linked below and click the "Validate Code" button? The form validates directly.

    I had forgotten the validation tag in my form, but RadCaptcha must not be valid without the right letters being entered.

    Thanks.

    http://www.mty.gen.tr/246342_CaptchaTestPage.rar
  5. Pero
    Admin
    1156 posts

    Posted 15 Feb 2011

    Hi Muhammet,

    In the sample project from your last post, the RadCaptcha control does not have any ValidationGroup set, while the ASP.NET Button has ValidationGroup="Group". This means that clicking the button will not trigger the Captcha validation, and RadCaptcha.IsValid will always be true. Setting the same ValidationGroup on the Captcha will make sure that the validation occurs:
    <telerik:RadCaptcha ID="RadCaptcha1" runat="server" ErrorMessage="Invalid Code" ForeColor="Red"
        ValidationGroup="Group">
    </telerik:RadCaptcha>
    <asp:Button ID="Button1" runat="server" Text="Validate Code" ValidationGroup="Group"
        OnClick="Button1_Click" />

    The ASP.NET Validators have their IsValid property set to true by default.

    Greetings,
    Pero
    the Telerik team
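The point in Pero's last reply, that a validator reports IsValid == true until validation has actually run, is worth pinning down in code-behind rather than relying on the button to trigger it. The following is an added example, not code from the thread or from Telerik's own sources: it assumes the markup above (RadCaptcha1 and Button1 sharing the validation group "Group", Button1_Click as the click handler) and a page class name CaptchaTestPage; the form-processing method is a placeholder.

```csharp
// Added example (not from the thread or from Telerik): code-behind that does not
// trust automatic validation. Assumed names: CaptchaTestPage, RadCaptcha1, Button1,
// Button1_Click and the validation group "Group" from the markup in the reply above.
using System;
using System.Web.UI;
using Telerik.Web.UI;

public partial class CaptchaTestPage : Page
{
    private const string FormValidationGroup = "Group";

    protected void Page_Load(object sender, EventArgs e)
    {
        // Sanity check for exactly the bug discussed in this thread: a button whose
        // ValidationGroup differs from the captcha's never triggers the captcha, and
        // the default IsValid == true then lets every submission through.
        if (RadCaptcha1.ValidationGroup != Button1.ValidationGroup)
        {
            throw new InvalidOperationException(
                "RadCaptcha1 and Button1 must share the same ValidationGroup.");
        }
    }

    protected void Button1_Click(object sender, EventArgs e)
    {
        // Validate the captcha's group explicitly on every submission path instead
        // of relying on the button's CausesValidation/ValidationGroup settings.
        // Validators, RadCaptcha included, report IsValid == true until this runs.
        Page.Validate(FormValidationGroup);

        if (!Page.IsValid || !RadCaptcha1.IsValid)
        {
            // Wrong or missing code: RadCaptcha renders its ErrorMessage; stop here.
            return;
        }

        // Code entered correctly: handle the submission.
        ProcessInformationForm();
    }

    private void ProcessInformationForm()
    {
        // Placeholder for the application's own form handling (assumed, not from the thread).
    }
}
```

The explicit Page.Validate call is the part that matters: any other postback path (a second button with CausesValidation="false", or a handler wired to a different group) would otherwise reach the processing code with the captcha never evaluated and IsValid still at its default of true.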