Fake customers registering to the website.....!!!

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.
11 years ago
@ a.m.

I have enabled reCaptcha, but fake customers are still registering.
11 years ago
a.m. wrote:
CAPTCHA only sends captchavalid as true or false to the server, so the user can hack it very easily.
I don't think it's possible. Have a look at the \Presentation\Nop.Web.Framework\UI\Captcha\CaptchaValidatorAttribute.cs file. It performs all the required validation against the reCAPTCHA site to validate the entered picture value.



See these articles. Hackers are clever enough to cheat CAPTCHA.

http://arstechnica.com/security/2012/05/google-recaptcha-brought-to-its-knees/

http://gizmodo.com/5914674/how-hackers-nearly-took-down-googles-recaptcha-system


If you watch a few CAPTCHA requests using Fiddler, the same CAPTCHA image path is repeated again, so it's easy to hack.
Even in CaptchaValidatorAttribute.cs:
            var captchaChallengeValue = filterContext.HttpContext.Request.Form[CHALLENGE_FIELD_KEY];
            var captchaResponseValue = filterContext.HttpContext.Request.Form[RESPONSE_FIELD_KEY];

Both keys are taken from the request form; they can be modified at the client side easily.

http://www.elaamart.com
11 years ago
Captcha is active.
It is active for customer registration, forum, news and blog, but not for login.

I tried to write a procedure that blocks the form from being completed if a user enters the number 123456 in the phone number field and google in the company field, but without success.
A bot is being used that bypasses all control procedures, including captcha.

My procedure in register.cshtml:

<script type="text/javascript">
    $(function () {
        // Redirect away from the form if the phone field is filled with the known bot value
        $("#@Html.FieldIdFor(model => model.Phone)").change(function () {
            var telefono = $(this).val();
            if (telefono == '123456') {
                window.location = "http://www.poliziadistato.it/";
            }
        });

        // Same check for the company field
        $("#@Html.FieldIdFor(model => model.Company)").change(function () {
            var azienda = $(this).val();
            if (azienda == 'google') {
                window.location = "http://www.poliziadistato.it/";
            }
        });
    });
</script>
11 years ago
FYI:

They are not using your registration form to register a user in your webstore, so this kind of client-side stuff won't work.

Their form contains:

1) the necessary POST action validation scripts,
2) the minimum required registration parameters,
3) the necessary fields and values that make the captchavalid attribute true,
4) a generated IP address in the request header,
5) and any extra stuff needed.

http://www.elaamart.com
11 years ago
Here is the sample code.

http://www.elaamart.com/boards/topic/15/how-to-avoid-fake-customer-registration-on-a-website
11 years ago
I'm glad you responded.
I am disabled and I'm sick.
For the most part I do not know C, and even C# I only know a little, like Java.
Apart from that everything is the day that does not happen so I hope the problem does not start again.
In case it is not that you can do me the change of nopCommerce 2.5?
I cannot even do the upgrade; I always get too many errors.
11 years ago
potyno wrote:
I'm glad you responded.
I am disabled and I'm sick.
For the most part I do not know C, and even C# I only know a little, like Java.
Apart from that everything is the day that does not happen so I hope the problem does not start again.
In case it is not that you can do me the change of nopCommerce 2.5?
I cannot even do the upgrade; I always get too many errors.


My code is common for the MVC framework, so it won't make much difference in other versions. You just need to find out the right place, that's it.

I think the hacker's intention is to write some posts in our blog and forum. They wrote 2 posts in my website's forum.
http://www.elaamart.com
11 years ago
I'm going to test it out and report back.
BTW, it may be different versions of Visual Studio, but I slightly changed the code to:
string[] keys = Session["mydefender"].ToString().Split(new char[] { ':' });

// The token is single-use: remove it from the session before validating
Session.Remove("mydefender");
if (keys.Count() == 2)   // keys.Count() needs System.Linq; keys.Length also works
{
    // First part must match the hidden field, second part is the issue time in ticks
    if (keys[0] == model.mydefender)
    {
        var delay = DateTime.Now.Ticks - Convert.ToInt64(keys[1]);
        if (delay >= MinRequiredFormEntryTime && delay <= MaxRequiredFormEntryTime)
            flag = true;
    }
}
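An added example, not the elaamart poster's code and not part of nopCommerce: the same session-nonce plus form-entry-time check as a self-contained C# console program, with the session modelled as a dictionary and the 3 second / 30 minute limits assumed.

```csharp
// Added example (not the forum poster's code): a server-side "form defender"
// that issues a one-time nonce with a timestamp when the form is rendered and
// checks both on POST. Session is a plain dictionary so the sample runs alone.
using System;
using System.Collections.Generic;

public static class FormDefender
{
    const string SessionKey = "mydefender";
    // Assumed limits: a human needs at least 3 s; the form expires after 30 min.
    static readonly TimeSpan MinEntryTime = TimeSpan.FromSeconds(3);
    static readonly TimeSpan MaxEntryTime = TimeSpan.FromMinutes(30);

    // Called when the registration page is rendered: stores "nonce:ticks" in the
    // session and returns the nonce to embed as a hidden form field.
    public static string Issue(IDictionary<string, object> session, DateTime now)
    {
        var nonce = Guid.NewGuid().ToString("N");
        session[SessionKey] = nonce + ":" + now.Ticks;
        return nonce;
    }

    // Called on POST: the nonce must match the one issued to this session and the
    // elapsed time must be plausible for a human. The stored value is removed
    // whether or not validation succeeds, so a captured nonce cannot be replayed.
    public static bool Validate(IDictionary<string, object> session, string submitted, DateTime now)
    {
        if (!session.TryGetValue(SessionKey, out var stored)) return false;
        session.Remove(SessionKey);
        var keys = stored.ToString().Split(':');
        if (keys.Length != 2 || string.IsNullOrEmpty(submitted)) return false;
        if (keys[0] != submitted) return false;
        if (!long.TryParse(keys[1], out var issuedTicks)) return false;
        var elapsed = TimeSpan.FromTicks(now.Ticks - issuedTicks);
        return elapsed >= MinEntryTime && elapsed <= MaxEntryTime;
    }

    public static void Main()
    {
        var session = new Dictionary<string, object>();
        var t0 = DateTime.UtcNow;
        // Scripted client posts 200 ms after the page was issued
        var nonce = Issue(session, t0);
        Console.WriteLine("instant post: " + Validate(session, nonce, t0.AddMilliseconds(200)));
        // Human fills the form in 20 s
        nonce = Issue(session, t0);
        Console.WriteLine("20 s post:    " + Validate(session, nonce, t0.AddSeconds(20)));
        // Second submission with the same nonce: session value already consumed
        Console.WriteLine("replay:       " + Validate(session, nonce, t0.AddSeconds(25)));
    }
}
```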
11 years ago
I'm rolling back to the way it was without your code for now. The registration process was bombing out for whatever reason. I'm going to give the reCaptcha a shot for a week or so and see how that goes first.

Anyone know why someone would want to register and stay on especially when they can't do anything?  Are they using it to correspond with other people?
11 years ago
Without reCaptcha activated, a registered user who is able to activate their account is able to use a blog post to send spam everywhere.