Kwelwild
Posted April 11, 2013

Description: Impersonating CAPTCHA Providers

reCAPTCHA and other CAPTCHA service providers validate millions of CAPTCHAs each day and protect thousands of websites against the intertube bots. A secure CAPTCHA generation and validation ecosystem forms the basis of the mutual trust model, and large-scale damage can happen if any component of this ecosystem is compromised.

The presentation explains third-party CAPTCHA provider integration and discusses vulnerabilities that affect almost every CAPTCHA provider, including reCAPTCHA. These vulnerabilities can be exploited to impersonate CAPTCHA providers and bypass the protection offered by CAPTCHA providers. A signature-based tool, clipcaptcha, will be demonstrated which can be used to impersonate CAPTCHA providers and to bypass CAPTCHA provider protection. clipcaptcha's operational modes will also be demonstrated.

Gursev Singh Kalra serves as a Principal Consultant with Foundstone Professional Services, a division of McAfee. Gursev has done extensive security research on CAPTCHA schemes and implementations. He has written a Visual CAPTCHA Assessment tool, TesserCap, that was voted among the top ten web hacks of 2011. His OData research and CAPTCHA Re-Riding attacks were voted among the top ten web hacking techniques of 2012. He has also developed the open source SSL Cipher enumeration tool SSLSmart, the OData assessment tool Oyedata and the CAPTCHA Provider Impersonation Tool ClipCaptcha. He has spoken at conferences like BlackHat, ToorCon, OWASP, NullCon, Infosec Southwest, etc.

Source: http://www.securitytube.net/video/7308