CWE-804 可猜测的验证码
Guessable CAPTCHA
结构: Simple
Abstraction: Base
状态: Incomplete
被利用可能性: unkown
基本描述
The software uses a CAPTCHA challenge, but the challenge can be guessed or automatically recognized by a non-human actor.
扩展描述
An automated attacker could bypass the intended protection of the CAPTCHA challenge and perform actions at a higher frequency than humanly possible, such as launching spam attacks.
There can be several different causes of a guessable CAPTCHA:
相关缺陷
-
cwe_Nature: ChildOf cwe_CWE_ID: 863 cwe_View_ID: 1000 cwe_Ordinal: Primary
-
cwe_Nature: ChildOf cwe_CWE_ID: 863 cwe_View_ID: 699 cwe_Ordinal: Primary
-
cwe_Nature: ChildOf cwe_CWE_ID: 287 cwe_View_ID: 1000
-
cwe_Nature: ChildOf cwe_CWE_ID: 287 cwe_View_ID: 699
-
cwe_Nature: ChildOf cwe_CWE_ID: 330 cwe_View_ID: 1000
-
cwe_Nature: ChildOf cwe_CWE_ID: 330 cwe_View_ID: 699
适用平台
Language: {'cwe_Class': 'Language-Independent', 'cwe_Prevalence': 'Undetermined'}
Technology: {'cwe_Name': 'Web Server', 'cwe_Prevalence': 'Sometimes'}
常见的影响
| 范围 | 影响 | 注释 |
|---|---|---|
| ['Access Control', 'Other'] | ['Bypass Protection Mechanism', 'Other'] | When authorization, authentication, or another protection mechanism relies on CAPTCHA entities to ensure that only human actors can access certain functionality, then an automated attacker such as a bot may access the restricted functionality by guessing the CAPTCHA. |
分类映射
| 映射的分类名 | ImNode ID | Fit | Mapped Node Name |
|---|---|---|---|
| WASC | 21 | Insufficient Anti-Automation |