
So, this incident happened to me around 2 years ago. I was pentesting one of my clients' web applications. They were new to the Financial Tech industry and wanted me to pentest their website as per a couple of standards they specified.

One of the most hilarious bugs I found was at the login page: when a user tries logging into an account and forgets the password, a Captcha image is shown where the user needs to prove that he is indeed a human and not a robot, which was fair enough to implement at the login screen.

But here's the catch. When I checked the "view source" option of the web page, I saw that the alt attribute of the Captcha image had the contents of the Captcha, making it easy for an attacker to bruteforce the shit outta the login page.

You don't need hackers to hack you when your internal dev team itself is self-destructive.
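The flaw above is easy to catch before release if someone actually reads the rendered markup. Below is an added example (not from the original post or the client's code) of a small check a dev team or reviewer could run over rendered login pages: it parses the HTML, picks out `img` tags that look like CAPTCHA images, and flags any whose `alt` text reads like a challenge answer rather than a neutral label. The sample pages, the rule that a CAPTCHA image is identified by "captcha" in its `src`, and the heuristic that an answer is a short alphanumeric token are all assumptions made for this example.

```python
"""Added example (not from the original post): scan rendered HTML for CAPTCHA images
whose alt attribute gives away the challenge answer."""
from html.parser import HTMLParser

# Constructed sample pages (assumptions for this example, not the client's markup).
# LEAKY_PAGE reproduces the bug described above: the alt text spells out the
# characters shown in the image. SAFE_PAGE is the hardened form: a neutral alt,
# with the answer kept server-side in the session instead of in the page.
LEAKY_PAGE = """
<form action="/login" method="post">
  <input name="user"><input name="pass" type="password">
  <img src="/captcha/challenge.png?id=42" alt="7XK9P">
  <input name="captcha"><button>Login</button>
</form>
"""

SAFE_PAGE = """
<form action="/login" method="post">
  <input name="user"><input name="pass" type="password">
  <img src="/captcha/challenge.png?id=42" alt="CAPTCHA: enter the characters shown">
  <input name="captcha"><button>Login</button>
</form>
"""

# Alt texts that are fine: they describe the image without revealing its content.
GENERIC_ALTS = {"", "captcha", "captcha image", "captcha: enter the characters shown"}


def alt_looks_like_challenge(alt):
    """Heuristic (assumed for this example): a CAPTCHA answer is a short
    alphanumeric token, unlike a descriptive label with spaces or punctuation."""
    compact = alt.replace(" ", "")
    return 3 <= len(compact) <= 10 and compact.isalnum()


class CaptchaImgScanner(HTMLParser):
    """Collects (src, alt) pairs for CAPTCHA images whose alt leaks the answer."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        alt = (a.get("alt") or "").strip()
        # Only look at images that are plausibly the CAPTCHA challenge.
        if "captcha" not in src.lower():
            return
        if alt.lower() in GENERIC_ALTS:
            return
        if alt_looks_like_challenge(alt):
            self.findings.append((src, alt))


def find_leaky_captcha_images(html):
    """Return a list of (src, alt) for CAPTCHA images whose alt text looks like
    the challenge answer. An empty list means nothing suspicious was found."""
    scanner = CaptchaImgScanner()
    scanner.feed(html)
    return scanner.findings


if __name__ == "__main__":
    for name, page in (("leaky", LEAKY_PAGE), ("safe", SAFE_PAGE)):
        print(name, find_leaky_captcha_images(page))
```

The scan only catches the symptom. The actual fix is that the expected answer must never be sent to the client in any form, not in `alt`, not in a hidden field, not in the image URL; it belongs in server-side session state and is compared there, with rate limiting on the login endpoint so a wrong guess costs the attacker time regardless of what the page reveals.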

Comments
  • 2
    What in all possible fuckups?
  • 2
    @filthyranter the attacker could simply write a Python script to take the values from the alt attribute and put it into the Captcha text field.
    And once this process gets automated, then it's just the matter of time and computation power to crack the password.
  • 1
    @nikchillz I understood that part, but how could a dev fuck up this badly?
  • 0
    Well, you need good SEO. 😛