Kingdom: Environment

This section includes everything that is outside of the source code but is still critical to the security of the product that is being created. Because the issues covered by this kingdom are not directly related to source code, we separated it from the rest of the kingdoms.

Insecure Deployment: Known CAPTCHA Fingerprint

Universal

Abstract

Use of insecure CAPTCHA implementations can allow attackers to bypass anti-automation protections.

Explanation

CAPTCHAs are commonly used by web applications to prevent automated form submissions that can have an adverse effect on their operation. Poorly written CAPTCHA implementations can provide a false sense of security. Attackers can fingerprint for implementations with known vulnerabilities and use this information to bypass an application's anti-automation protections. CAPTCHA implementations can be identified by:
1. Matching against known client-side code patterns. For instance, HTML tags and attributes with specific values.
2. Matching against textual content identifying the CAPTCHA implementation

Example 1: Powered by Animated Gif Captcha
3. Matching against references to known resources and image files

References

[1] Standards Mapping - OWASP Mobile 2024 M2 Inadequate Supply Chain Security

[2] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 10.2 - Threat and Vulnerability Management

[3] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 10.2 - Threat and Vulnerability Management

[4] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 10.2 - Threat and Vulnerability Management, Control Objective C.1.6 - Web Software Components & Services

[5] Standards Mapping - Web Application Security Consortium Version 2.00 Fingerprinting (WASC-45)

desc.dynamic.xtended_preview.insecure_deployment_known_captcha_fingerprint