This is a migrated thread and some comments may be shown as answers.

Captcha Security Alert

3 Answers 392 Views
Captcha
Muhammet Taha YILDIRIM
Muhammet Taha YILDIRIM asked on 28 Jan 2011, 11:01 AM
I have an information form that is validated via captcha in my web application which is really important for me.
Captcha's default source link is like this: (mydomain/Telerik.Web.UI.WebResource.axd?type=rca&guid=e0616d29-d122-4be0-9b0f-bd6676a0c15c)

If an XSS attack makes some changes to the requested parameter "guid", an empty image is returned and RadCaptcha.IsValid is set to false, OK, but if the requested parameter "guid" is set to an empty string or a space character, the captcha returns empty and RadCaptcha.IsValid is set to TRUE.

Example source: (mydomain/Telerik.Web.UI.WebResource.axd?type=rca&guid= )

Any ideas? Thanks.

3 Answers, 1 is accepted

0
Pero
Telerik team
answered on 28 Jan 2011, 06:23 PM
Hello Muhammet,

It is not possible to bypass the Captcha security by simply changing the guid key of the QueryString. The guid is used to get the correct image from the Server Cache or Session, so it can be shown to the user. It does not contain any information about the code displayed on the image. To show this, I have created a sample project that replaces the guid value with an empty string using JavaScript and loads a new Literal control if the Captcha security was bypassed. Please find it attached to the thread.

Could you please send us the problematic page with the RadCaptcha control?

Greetings,
Pero
the Telerik team
Browse the vast support resources we have to jump start your development with RadControls for ASP.NET AJAX. See how to integrate our AJAX controls seamlessly in SharePoint 2007/2010 visiting our common SharePoint portal.
0
Muhammet Taha YILDIRIM
answered on 12 Feb 2011, 07:43 PM
Hello, thanks for your reply.

I have changed validation tag only in your attached project. Can you check the code linked below and click the "Validate Code" button? Form validates directly.

I have forgotten validation tag in my form but RadCaptcha must not be valid without writing the right letters.

Thanks.

http://www.mty.gen.tr/246342_CaptchaTestPage.rar
0
Pero
Telerik team
answered on 15 Feb 2011, 01:31 PM
Hi Muhammet,

In the sample project from your last post, the RadCaptcha control does not have any ValidationGroup set, while the ASP.NET Button has ValidationGroup="Group". This means that clicking the button will not trigger the Captcha validation, and RadCaptcha.IsValid will always be true. Setting the same ValidationGroup on the Captcha will make sure that the validation occurs:
<telerik:RadCaptcha ID="RadCaptcha1" runat="server" ErrorMessage="Invalid Code" ForeColor="Red"
    ValidationGroup="Group">
</telerik:RadCaptcha>
<asp:Button ID="Button1" runat="server" Text="Validate Code" ValidationGroup="Group"
    OnClick="Button1_Click" />

The ASP.NET Validators have their IsValid property set to true by default.

Greetings,
Pero
the Telerik team
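The failure mode in the accepted answer (the validator's IsValid defaults to true, so a button in a different ValidationGroup never runs the captcha check and the form passes) can also be guarded against in the code-behind. The following is an added example, not code from the thread or from Telerik; it assumes the markup from the answer above (RadCaptcha1 and Button1, Button1 wired to Button1_Click) plus a hypothetical asp:Literal named ResultLiteral for the outcome.

```csharp
using System;
using System.Web.UI;
using Telerik.Web.UI;

// Added example, not from the thread. Code-behind for the page whose markup the
// accepted answer shows. RadCaptcha implements IValidator, so Page.Validate(group)
// runs its check like any other ASP.NET validator.
public partial class CaptchaTestPage : Page
{
    protected void Button1_Click(object sender, EventArgs e)
    {
        // Weak pattern (the sample project): Button1 had ValidationGroup="Group" and
        // RadCaptcha1 had none, so the click never validated the captcha and
        // RadCaptcha1.IsValid still held its default of true. Reading it alone
        // therefore proves nothing about what the user typed.
        //
        // Defensive pattern: validate the captcha's OWN group explicitly before
        // trusting IsValid. This runs the check even if a later markup change
        // puts the button and the captcha in different groups again.
        Page.Validate(RadCaptcha1.ValidationGroup);

        if (!RadCaptcha1.IsValid)
        {
            // ResultLiteral is an assumed asp:Literal on the page.
            ResultLiteral.Text = "Captcha code incorrect; form not processed.";
            return;
        }

        ResultLiteral.Text = "Captcha verified; processing form.";
        // Handle the submitted form data here.
    }
}
```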
Tags
Captcha