Introduction
There are many ways of attacking a website like SQL injection, by injecting script, Session hacking etc. And you'll get lot of articles at CodeProject about this. In this article, I am trying to explain the use of CAPTCHA (I am not going to explain what CAPTCHA is ... search it on CodeProject or Google if you have not implemented it.) to avoid registration of dummy users to your database by a computer program. Using a simple example, I'll explain how any program can register thousands of dummy users to your database and play with your database and application performance.
A sample application which can spoil your website:
Here we are going to create a Windows application and execute out a test. We'll use classic COM AxSHDocVw.AxWebBrowser
control, along with MSHTML which provides Internet Explorer with complete HTML Document Object Model parsing.
In this example, we are using the following Windows ActiveX objects.
You can find them in your �windows/system32� directory.
Steps we are going to perform:
- Step 1 - Grab the registration page using the WebBrowser Control.
- Step 2 - Using MSHTML we can locate various form fields of the registration page.
- Step 3 - Generate random fields.
- Step 4 - Submit the field values to the website for registration.
and we are going to repeat step 3 and 4 infinite times :)
Let us assume that a website is having a registration form with the following text fields.
- UserId
- First Name
- Last Name
- Password
- Confirm Password
And a Submit button. Find the IDs of each field. Open the registration page in your normal browser and using View Source find the ID of each field.
Now let us go to the coding part of this application.
Load the registration page to the WebBrowser at the form load.
private void Form1_Load(object sender, System.EventArgs e)
{
string url="http://localhost:8181/TestApplication1/Registration.aspx";
Object o = null;
WebBrowser1.Navigate(url, ref o, ref o, ref o, ref o);
}
Now execute the code to register infinite users.
private void btnRegisterClick_Click(object sender, System.EventArgs e)
{
mshtml.HTMLDocument obj;
string tempGuid,userId,firstName,LastName,password=string.Empty;
while(true)
{
try
{
tempGuid=System.Guid.NewGuid().ToString();
userId=tempGuid.Substring(0,9);
firstName=tempGuid.Substring(3,12);
LastName=tempGuid.Substring(11,10);
password=tempGuid.Substring(10,8);
obj=(mshtml.HTMLDocument)WebBrowser1.Document;
obj.getElementById("txtUserId").innerText=userId;
obj.getElementById("txtFirstName").innerText=firstName;
obj.getElementById("txtLastName").innerText=LastName;
obj.getElementById("txtPassword").innerText=password;
obj.getElementById("txtConfirmPassword").innerText=password;
obj.getElementById("btnSubmit").click();
}
catch
{
}
}
I think the code above is self explanatory.
Let�s come to the solution part
To avoid this type of attacks on our website we need to allow only human users for registration not a computer program. The best approach for this is to write distorted text on the fly to an image and let the registrant identify the text written on the image so that every human can read that text. It�s very hard to read a distorted text written on an image by a computer application as explained above.
A vulnerable registration form.
More secured registration form.
To know more about CAPTCHA, you can browse The CAPTCHA Project. And to implement CAPTCHA in your web application, you can take the help of various articles published at CodeProject about CAPTCHA.
Conclusion
By this article, I just want to show that we should consider such small things to avoid big disasters later.