CWE

Common Weakness Enumeration

A Community-Developed Dictionary of Software Weakness Types

CWE Individual Dictionary Definition (CWE version 2.7)

CWE-804: Guessable CAPTCHA

 
Weakness ID: 804 (Weakness Base)
Status: Incomplete
+ Description

Description Summary

The software uses a CAPTCHA challenge, but the challenge can be guessed or automatically recognized by a non-human actor.

Extended Description

An automated attacker could bypass the intended protection of the CAPTCHA challenge and perform actions at a higher frequency than humanly possible, such as launching spam attacks.

There can be several different causes of a guessable CAPTCHA:

  • An audio or visual image that does not have sufficient distortion from the unobfuscated source image.

  • A question is generated in a format that can be automatically recognized and solved, such as a math question.

  • A question for which the number of possible answers is limited, such as birth years or favorite sports teams.

  • A general-knowledge or trivia question for which the answer can be looked up in a database, such as country capitals or popular actors.

  • Other data associated with the CAPTCHA may provide hints about its contents, such as an image whose filename contains the word that is used in the CAPTCHA.
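The following is an added example, not code from the CWE entry or from MITRE. It models three of the causes listed above as tiny server-side challenge generators and pairs each with the bot-side logic that defeats it: a regex that parses and evaluates the math question, an enumeration of the 71 possible birth years against a verification oracle, and a solver that reads the answer out of the asset filename. The challenge formats, the word list and the /captcha/img/ path are constructed for this example; no real CAPTCHA library is involved.

```python
import re
import random
from dataclasses import dataclass


@dataclass
class Challenge:
    prompt: str   # text shown to the client
    asset: str    # path of the image/audio asset served with the challenge ("" if none)
    answer: str   # expected answer, kept server-side


# --- Weak generators, one per cause from the list above (constructed for this example) ---

def math_challenge(rng):
    """Arithmetic question in a fixed, machine-readable format."""
    a, b = rng.randint(1, 20), rng.randint(1, 20)
    return Challenge(f"What is {a} + {b}?", "", str(a + b))


BIRTH_YEARS = [str(y) for y in range(1940, 2011)]   # only 71 possible answers


def birth_year_challenge(rng):
    """Question whose answer space is small enough to enumerate."""
    return Challenge("Enter the year you were born:", "", rng.choice(BIRTH_YEARS))


WORDS = ["apple", "river", "candle", "orbit", "meadow"]


def leaky_image_challenge(rng):
    """Image challenge whose (hypothetical) asset filename contains the answer."""
    word = rng.choice(WORDS)
    return Challenge("Type the word shown in the image:", f"/captcha/img/{word}.png", word)


# --- Bot-side solvers: each defeats its generator with no human in the loop ---

def solve_math(prompt):
    """Recognise 'a op b' in the prompt and compute it; None if the format is not matched."""
    m = re.search(r"(\d+)\s*([+\-*])\s*(\d+)", prompt)
    if not m:
        return None
    a, op, b = int(m.group(1)), m.group(2), int(m.group(3))
    return str({"+": a + b, "-": a - b, "*": a * b}[op])


def solve_leaky_asset(asset):
    """Read the answer straight out of the asset filename."""
    m = re.search(r"/([A-Za-z0-9]+)\.(png|jpg|wav)$", asset)
    return m.group(1) if m else None


def brute_force(check, candidates, limit):
    """Submit candidates in order until check() accepts one.

    Returns (answer, attempts_used); answer is None if the limit was hit first.
    """
    for attempts, candidate in enumerate(candidates[:limit], start=1):
        if check(candidate):
            return candidate, attempts
    return None, min(limit, len(candidates))


def answer_space_size(generator, samples=5000):
    """Estimate how many distinct answers a generator can produce by sampling it."""
    rng = random.Random(0)
    return len({generator(rng).answer for _ in range(samples)})


def run_bot(seed=1):
    """Play one round of each weak challenge as an automated client."""
    rng = random.Random(seed)   # server-side RNG; seeded only so the run is reproducible
    results = {}

    c = math_challenge(rng)
    results["math"] = solve_math(c.prompt) == c.answer

    c = birth_year_challenge(rng)
    # The bot never sees c.answer; it only learns accept/reject per submission,
    # which is exactly what the server's verification endpoint would return.
    guess, attempts = brute_force(lambda g: g == c.answer, BIRTH_YEARS, limit=len(BIRTH_YEARS))
    results["birth_year"] = (guess == c.answer, attempts)

    c = leaky_image_challenge(rng)
    results["leaky_asset"] = solve_leaky_asset(c.asset) == c.answer
    return results


if __name__ == "__main__":
    print(run_bot())
    print("birth-year answer space:", answer_space_size(birth_year_challenge))
```

None of the solvers does any image or audio recognition; each bypass comes from the challenge's format, answer space or side-channel, which is the point of this entry. answer_space_size() is the check to run on a candidate challenge type: if a generator can only produce a few dozen answers, a bot that is allowed n verification attempts succeeds with probability roughly n divided by that count, regardless of how distorted the rendering is.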

+ Time of Introduction
  • Architecture and Design
  • Implementation
+ Applicable Platforms

Languages

Language-independent

Technology Classes

Web-Server: (Sometimes)

+ Common Consequences
Scope / Effect

Technical Impact: Bypass protection mechanism; Other

When authorization, authentication, or another protection mechanism relies on CAPTCHA entities to ensure that only human actors can access certain functionality, then an automated attacker such as a bot may access the restricted functionality by guessing the CAPTCHA.

+ Likelihood of Exploit

Medium to High

+ Weakness Ordinalities
Ordinality / Description
Primary (where the weakness exists independent of other weaknesses)
+ Relationships
Nature   Type            ID   Name                                  View(s) this relationship pertains to
ChildOf  Weakness Class  287  Improper Authentication               Development Concepts (699); Research Concepts (1000)
ChildOf  Weakness Class  330  Use of Insufficiently Random Values   Development Concepts (699); Research Concepts (1000)
ChildOf  Category        808  2010 Top 25 - Weaknesses On the Cusp  Weaknesses in the 2010 CWE/SANS Top 25 Most Dangerous Programming Errors (800, primary)
ChildOf  Weakness Class  863  Incorrect Authorization               Development Concepts (699, primary); Research Concepts (1000, primary)
+ Taxonomy Mappings
Mapped Taxonomy Name   Node ID   Fit   Mapped Node Name
WASC                   21              Insufficient Anti-Automation
+ References
Web Application Security Consortium. "Insufficient Anti-automation". <http://projects.webappsec.org/Insufficient+Anti-automation>.
+ Content History
Submissions
Submission Date   Submitter   Organization   Source
2010-01-15        MITRE       Internal CWE Team
New entry to handle anti-automation as identified in WASC.
Modifications
Modification Date   Modifier   Organization   Source
2011-06-01          MITRE      Internal
updated Common_Consequences, Relationships
2010-06-21          MITRE      Internal
updated Common_Consequences
Page Last Updated: June 23, 2014