Abstract
The Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA), commonly known as a verification code (VC), provides a means of automatically distinguishing humans from machines and has become a standard security component of system protection. Through in-depth study of the essential characteristics, generation mechanism and operating mechanism of CAPTCHAs, a bypassable vulnerability in system CAPTCHAs is uncovered. This vulnerability directly bypasses the CAPTCHA verification mechanism, so that even seemingly complex and secure CAPTCHA protections become ineffective; the CAPTCHA cracking rate reaches 100%, although how widespread the vulnerability is has not yet been determined. First, the system structure and the login request parameters are analyzed; then a login is simulated to obtain the CAPTCHA required for system login; finally, a script is written that uses the obtained CAPTCHA to brute-force the system. Applied to real systems, the exploitability and harmfulness of this vulnerability are verified. Finally, new strategies for secure CAPTCHA deployment and secure coding are presented.
The Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA), also known as Verification Code (VC), provides a means of automatically distinguishing between human and machine and has become a standard configuration for system security. Focusing on the essential characteristics, operational mechanism and generative mechanism of CAPTCHAs, a bypass vulnerability was found in the CAPTCHA system. The verification mechanism of the CAPTCHA could be directly bypassed, so that all kinds of robust CAPTCHAs were reduced to rubber stamps. The crack rate of the CAPTCHA could reach 100%, but the prevalence of the vulnerability was not determined. Firstly, the system structure and the request parameters for login were analyzed. Then, the CAPTCHA required for system login was obtained by simulating a login. Finally, the system was cracked by a script program using the obtained CAPTCHA. In practical application, the exploitability and harmfulness of the vulnerability were verified. In the end, new strategies were presented for a secure system framework and secure programming.
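The abstract describes a bypass in which a CAPTCHA, once obtained through a simulated login, is reused across a brute-force run. The following is an added example, not code from the paper, that contrasts a verifier exhibiting the weakness the abstract implies (a solved challenge that stays valid and can be replayed) with a hardened verifier that consumes each challenge on first use, binds it to the issuing session and lets it expire. The class names, the in-memory store, the 120-second lifetime and the sample session ids and answers are all assumptions made for this illustration.

```python
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class CaptchaRecord:
    """Server-side state for one issued challenge (hypothetical layout)."""
    answer: str        # expected solution, known only to the server
    session_id: str    # session the challenge was issued to
    issued_at: float   # epoch seconds


class ReusableCaptchaVerifier:
    """Weak pattern: the record is looked up but never consumed, so one
    correctly solved challenge can accompany an unlimited number of
    login attempts, which is what makes a scripted brute force possible."""

    TTL = 120.0  # seconds a challenge stays valid (assumed value)

    def __init__(self):
        self.store = {}

    def issue(self, session_id, answer, now=None):
        # Opaque challenge id; the image that renders `answer` is out of scope.
        now = time.time() if now is None else now
        cid = secrets.token_hex(8)
        self.store[cid] = CaptchaRecord(answer, session_id, now)
        return cid

    def verify(self, cid, session_id, response, now=None):
        rec = self.store.get(cid)  # not removed: record survives verification
        return rec is not None and rec.answer == response


class SingleUseCaptchaVerifier(ReusableCaptchaVerifier):
    """Hardened pattern: consume first, then check. Any verification
    attempt, right or wrong, invalidates the challenge; the challenge must
    come from the same session and must not have expired."""

    def verify(self, cid, session_id, response, now=None):
        now = time.time() if now is None else now
        rec = self.store.pop(cid, None)  # single use: gone after this call
        if rec is None:
            return False
        if rec.session_id != session_id:  # issued to a different session
            return False
        if now - rec.issued_at > self.TTL:  # stale challenge
            return False
        # Constant-time comparison of the submitted solution.
        return hmac.compare_digest(rec.answer.encode(), response.encode())


def count_accepted_replays(verifier_cls, attempts=5):
    """Issue one challenge, then replay the same correct solution
    `attempts` times and count how many times it is accepted."""
    v = verifier_cls()
    cid = v.issue("sess-A", "7k3p")  # constructed session id and answer
    return sum(v.verify(cid, "sess-A", "7k3p") for _ in range(attempts))


def cross_session_accepted(verifier_cls):
    """Challenge issued to one session, solution submitted from another."""
    v = verifier_cls()
    cid = v.issue("sess-A", "7k3p")
    return v.verify(cid, "sess-B", "7k3p")


def expired_accepted(verifier_cls):
    """Correct solution submitted after the lifetime has elapsed."""
    v = verifier_cls()
    cid = v.issue("sess-A", "7k3p", now=1_000.0)
    return v.verify(cid, "sess-A", "7k3p", now=1_000.0 + v.TTL + 1)


if __name__ == "__main__":
    for cls in (ReusableCaptchaVerifier, SingleUseCaptchaVerifier):
        print(cls.__name__, "replays accepted:", count_accepted_replays(cls),
              "cross-session:", cross_session_accepted(cls),
              "expired:", expired_accepted(cls))
```

Removing the record before any check is the essential step: if the comparison ran first and only a success consumed the record, a wrong guess would leave the challenge alive for the next attempt. On the detection side, the same login endpoint receiving many requests that carry an identical challenge id is the signal that a deployment still behaves like the reusable verifier.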
Source
《计算机应用》 (Journal of Computer Applications)
CSCD
Peking University Core Journal (北大核心)
2016, No. A01, pp. 37-41, 57 (6 pages)
Funding
National Natural Science Foundation of China (61402397)
Key Open Fund of the Yunnan Key Laboratory of Software Engineering (2015SE103, 2015SE201)