Pray

To you:

Everything will be better.

Ben (@imbushuo)

6.23.14

DON’T verify CAPTCHA by JavaScript

The high-school entrance exam (zhongkao) results came out yesterday. Back during the mock school-preference submission, many of my classmates had already noticed that the CAPTCHA would hardly ever display completely. So I calmly opened Chrome's Dev Tools, inspected the DOM, and found something remarkable. (At home I was using IE11.)

Screenshot (171)

So, you MEAN this is CAPTCHA? WTF….

Therefore, I can EASILY parse the document, submit the form, and get all the information I want.

Screenshot (178)

Then I kept looking at the traffic and found that the whole process is in plaintext, including the password.

Screenshot (172)

What's more, the verification process is completed on the client side... (later I found that I could bypass the CAPTCHA by sending the HTTP request directly.)

Screenshot (174)

By using the JSESSIONID, I can acquire the result (a web page).

Then parse it, and get the final result.
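The flaw described above (the CAPTCHA answer living in the DOM and being checked by client-side script, so a direct HTTP request skips it) is fixed by keeping the answer on the server and checking it there. The following is an added example, not code from the original post or from the results site, of a minimal server-side design: the challenge answer is stored only in server-side session state (the browser holds just an opaque session id, standing in for the JSESSIONID cookie), the rendered form never contains the answer, each challenge is consumed by a single submission, and failures are rate-limited. The `ResultServer`, `Session`, the sample student record and the injectable `answer_source` are all hypothetical names constructed for this example.

```python
from __future__ import annotations

import hmac
import secrets
import string
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

ALPHABET = string.ascii_lowercase + string.digits


def random_answer(length: int = 4) -> str:
    """Default answer source: a random code that only the server ever sees."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


@dataclass
class Session:
    # Server-side state keyed by an opaque session id (the JSESSIONID role).
    # Nothing in here is ever serialised into the page.
    captcha_answer: Optional[str] = None
    failed_attempts: int = 0


class ResultServer:
    """Hypothetical result-query backend that verifies the CAPTCHA on the server."""

    def __init__(self, answer_source: Callable[[], str] = random_answer, max_failures: int = 5):
        self.sessions: Dict[str, Session] = {}
        self.answer_source = answer_source  # injectable so tests can know the answer
        self.max_failures = max_failures
        # Constructed sample record standing in for the real grade database.
        # A real system stores a password hash, not the password itself.
        self.records = {"20140001": ("secret-pw", "Total: 580")}

    def new_session(self) -> str:
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = Session()
        return sid

    def render_form(self, sid: str) -> str:
        """Issue a fresh challenge and return the page HTML.

        The answer goes into the session only; the DOM carries an image
        reference, so inspecting the page reveals nothing to submit."""
        sess = self.sessions[sid]
        sess.captcha_answer = self.answer_source()
        return (
            "<form method='post' action='/query'>"
            "<img src='/captcha.png' alt='CAPTCHA'>"
            "<input name='student_id'><input name='password' type='password'>"
            "<input name='captcha'><button>Query</button></form>"
        )

    def query(self, sid: str, student_id: str, password: str, captcha: str) -> Tuple[bool, str]:
        """Handle POST /query. A request that skipped the form gets no result."""
        sess = self.sessions.get(sid)
        if sess is None:
            return False, "invalid session"
        if sess.failed_attempts >= self.max_failures:
            return False, "too many failures"
        expected = sess.captcha_answer
        # Every submission consumes the challenge, right or wrong, so a guess
        # cannot be replayed against the same answer.
        sess.captcha_answer = None
        if expected is None:
            sess.failed_attempts += 1
            return False, "captcha required"
        if not hmac.compare_digest(expected.encode(), captcha.strip().lower().encode()):
            sess.failed_attempts += 1
            return False, "captcha mismatch"
        record = self.records.get(student_id)
        if record is None or not hmac.compare_digest(record[0].encode(), password.encode()):
            sess.failed_attempts += 1
            return False, "bad credentials"
        return True, record[1]


if __name__ == "__main__":
    srv = ResultServer()
    sid = srv.new_session()
    print(srv.render_form(sid))
    # A direct request that never solved the challenge is refused.
    print(srv.query(sid, "20140001", "secret-pw", "whatever"))
```

The check that matters is the one in `query`: because the answer is compared on the server against session state, a client that never rendered the form, or that submits the same guess twice, has nothing to match against, and the "send the HTTP request directly" shortcut from the post stops working. None of this helps if the form is still submitted over plaintext HTTP as observed in the traffic capture; the transport has to be TLS for the password and session id to stay private.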

Later that night (~10:20, 6.21.14), I started writing the program (using C#).

Then I have a result sheet.

CONCLUSIONS

Verifying the CAPTCHA on the client side is extremely, extremely, extremely dangerous (this sentence is important, so it is said three times), and with the script not obfuscated and the business logic exposed directly in the client, it is even more dangerous.

Second, unit testing was not done seriously; not every code path was tested, and the consequences are hard to predict. (I guess this was Behavior-Driven Development instead of Test-Driven Development.)

Third, it's 2014 and you still ship XP-era styling and don't support IE11; aren't you embarrassed...

Screenshot (180)