Reply to Re: Poor man's captcha: why wouldn't this work?

Posted by Gordon Burditt on 09/21/06 01:00

>Let's say we're trying to keep blog and forum spammers out
>of our site--we're not trying to protect fort knox.
>
>1) Step one is a one-time-only step.
> We create six different css files that define the
> same six color names differently, but each such
> css file assigns red to one and only
> one of those same six color names, and then store
> the six somewhere in the document_root.
>
>2) We make a dynamically generated GET page that mods a random number
> to between 1 and 6 and sets that number as a session variable.
> That number will tell us in a later POST which of the six
> css files to use when we generate a dynamic POST page.
>
> We also randomly create 6 digits between 1 - 256 and concatenate
> them into a comma-delimited string. We set that string
> as a session variable.
>
>3) In the POST we generate a page that specifies one
> of the six css files in its header, according to the value
> of the first session variable. Because we have that session
> variable, and because we know which of the six different
> css schemes we are now using, we know which css attribute
> in the current scheme means red. We don't care about the other
> colors.
>
>4) Now we generate 256 random digits (between 1 - 256) into an array.
> We loop through the array and concatenate a <b class="xx">$digit</b>
> onto a string. For each such <b> tag we randomly choose one of
> the css colors known not to be red, except for the N array index digits

As I understand it, you're going to have a bunch of html like:
<b class="urk">5</b>
<b class="bog">6</b>
<b class="kub">3</b>
....

Exploit (although it does require some bot programming):
Spammer counts the number of times urk, bog, kub, nom, val, and tov occur.
Whichever one appears 6 times is the correct one. Use the corresponding
digits. If there's more than one, guess.

Actually, even a 1-in-6 guess on the colors with no counting isn't
bad for a spammer who's hammering your web server unless you've got
other traps like IP banning after so many bad tries.

Also, remember that the HTML tells the bot which css file is the
correct one, and it could fetch it and parse it.

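The scheme quoted above and the two attacks Gordon Burditt describes, as an added example that is not part of the original thread. It builds a challenge the way steps 2-4 describe (one "red" class used for exactly six tags, five decoy classes spread over the other 250) and then breaks it two ways: by counting class frequencies, and by fetching the stylesheet the page names and reading which class is red. The class names, the 0-9 single digits, the CSS text and the seeded RNG are assumptions made for the example; the post shows no real stylesheet or server code.

```python
import random
import re
from collections import Counter

# Assumed class names; the reply names all six, the post shows three.
CLASSES = ["urk", "bog", "kub", "nom", "val", "tov"]
N_DIGITS = 256    # <b> tags rendered on the page (step 4)
N_SECRET = 6      # digits the visitor must type back (step 2)
TAG_RE = re.compile(r'<b class="(\w+)">(\d)</b>')


def make_css(red_class):
    """One of the six stylesheets from step 1: exactly one class is red.
    Constructed CSS; the page shows no real stylesheet."""
    return "\n".join(
        ".%s { color: %s; }" % (cls, "red" if cls == red_class else "black")
        for cls in CLASSES
    )


def make_challenge(seed):
    """Steps 2-4 of the quoted scheme with a seeded RNG so runs repeat.
    Returns (html, css_text, expected_answer). The secret digits are
    single digits 0-9 (an assumption; the post says 'digits' without
    defining them) placed at N_SECRET random positions."""
    rng = random.Random(seed)
    red_class = rng.choice(CLASSES)
    secret_positions = set(rng.sample(range(N_DIGITS), N_SECRET))
    digits = [rng.randint(0, 9) for _ in range(N_DIGITS)]
    decoys = [c for c in CLASSES if c != red_class]
    tags = []
    for i, d in enumerate(digits):
        cls = red_class if i in secret_positions else rng.choice(decoys)
        tags.append('<b class="%s">%d</b>' % (cls, d))
    expected = "".join(str(digits[i]) for i in sorted(secret_positions))
    return "\n".join(tags), make_css(red_class), expected


def class_counts(html):
    """How often each class attribute appears: the red class shows up
    N_SECRET times, every decoy about (N_DIGITS - N_SECRET) / 5 times."""
    return Counter(cls for cls, _ in TAG_RE.findall(html))


def solve_by_counting(html):
    """Gordon's exploit: take the class used exactly N_SECRET times and
    read its digits in document order. Returns None on a tie, where the
    bot would fall back to guessing (1 in 6 at worst)."""
    candidates = [c for c, n in class_counts(html).items() if n == N_SECRET]
    if len(candidates) != 1:
        return None
    return "".join(d for c, d in TAG_RE.findall(html) if c == candidates[0])


def solve_by_css(html, css_text):
    """Gordon's other point: the page names its stylesheet, so a bot can
    fetch it and read which class is red instead of counting anything."""
    m = re.search(r"\.(\w+)\s*\{[^}]*color:\s*red", css_text)
    if m is None:
        return None
    return "".join(d for c, d in TAG_RE.findall(html) if c == m.group(1))


if __name__ == "__main__":
    html, css, expected = make_challenge(seed=1)
    print(class_counts(html))
    print("expected", expected, "counting", solve_by_counting(html),
          "css", solve_by_css(html, css))
```

Running it shows the weakness directly: five classes each appear around 50 times and one appears 6 times, so the "secret" class is the outlier by inspection, and the stylesheet route does not even need the statistics. Any fix has to stop the red class from being distinguishable in the HTML and CSS a bot can download, which is the property image CAPTCHAs try to get from pixels rather than markup.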


Copyright © 2005-2006 Powered by Custom PHP Programming
