(Reported by: Abhishek Barve and Vishal Karande [Mtech-Information Security, NITK])

Captcha is a type of challenge-response test used in computing to ensure that the response is not generated by a computer. The process usually involves one computer (a server) asking a user to complete a simple test which the computer is able to generate and grade.

Because other computers are unable to solve the CAPTCHA, any user entering a correct solution is presumed to be human.

The Flaw

www.irctc.co.in is the flagship website run by Indian Railways for online ticket reservations. The website uses a Captcha mechanism for new account registrations and ticket bookings. The employed Captcha implementation has a flaw which enables automatic (non-human) bots to register/book without going through the mechanism.

The Captcha mechanism employed works as follows.

1. When the registration/booking page loads, a JavaScript routine generates a random integer which is sent to the server.

2. Based on this received integer the server replies with a link to a Captcha image.

3. The browser then retrieves this image and displays it to the user.

4. When the user submits the form the following information is sent back to the server.

a. The Captcha link sent by the server in step 2.

b. The Captcha-value entered by the user.

5. The server then validates the Captcha value entered by the user against the value corresponding to the Captcha link received in step 4.

Apparently no Captcha-related state is maintained at the server during the above steps. The server validation only checks that the submitted Captcha value corresponds to the submitted Captcha link, so one validated link/value pair can be replayed at step 4.

We have further noted that the link does not expire even after hours and can be replayed persistently. This defeats the purpose of employing the Captcha mechanism.

Technical Details

After loading Page 1 (https://www.irctc.co.in/cgi-bin/bv60.dll/irctc/services/register.do?click=true), a random number is sent to the server.

The number is POSTed to: https://www.irctc.co.in/cgibin/bv60.dll/irctc/reCaptcha/articleVerifyResp.jsp?ax=1284734077987

With Data:
In reply to the above request, based on the ax value, the server sends back a link to the Captcha image:

../reCaptcha/articleGenImg.jsp?imageText=79X61X67X7aX67X70X62X47X33X4eX49X3dX#79X61X67X7aX67X70X62X47X33X4eX49X3dX

The browser then loads the image located at the above URL.

When the user submits the form, the browser sends the request to the URL:

https://www.irctc.co.in/cgibin/bv60.dll/irctc/services/register.do?BV_SessionID=@@@@XXXXXXXXXX.XXXXXXXXXX@@@@&BV_EngineID=cccXXXXXXXXXXXXXXXXX.0

With Data:

The data contains both the Captcha image path and value which are validated against each other by the server. Thus any request from a user containing a valid pair of image path and value can be replayed.
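The stateless check described above, modelled as an added example (not IRCTC's code; the key, the captcha answer and the session ids are constructed) beside a session-bound, single-use, expiring validator that refuses the same replay:

```python
import hmac
import secrets

# Constructed stand-in for the server's secret; the real scheme is not on the page.
SERVER_KEY = b"constructed-demo-key"

def stateless_issue(answer: str) -> str:
    """Flawed design as described: the image link itself carries what the server
    needs to check the answer, so nothing is remembered per challenge."""
    tag = hmac.new(SERVER_KEY, answer.encode(), "sha256").hexdigest()[:16]
    return f"articleGenImg.jsp?imageText={tag}"

def stateless_validate(link: str, answer: str) -> bool:
    """Checks only that value and link match, so a known-good pair replays forever."""
    return hmac.compare_digest(link, stateless_issue(answer))

class StatefulCaptcha:
    """Hardened design: challenge bound to the session, single-use, and expiring."""

    def __init__(self, ttl_seconds: int = 300):
        self.ttl = ttl_seconds
        self._pending = {}  # (session_id, challenge_id) -> (answer, expiry)

    def issue(self, session_id: str, answer: str, now: float) -> str:
        challenge_id = secrets.token_urlsafe(16)
        self._pending[(session_id, challenge_id)] = (answer, now + self.ttl)
        return challenge_id

    def validate(self, session_id, challenge_id, answer, now: float) -> bool:
        # pop() consumes the challenge whatever the outcome: one attempt per image
        record = self._pending.pop((session_id, challenge_id), None)
        if record is None:
            return False
        expected, expiry = record
        return now <= expiry and hmac.compare_digest(expected, answer)

def replay_outcomes() -> dict:
    """Replays one valid link/value pair against both designs."""
    link = stateless_issue("K7P2QX")            # constructed captcha answer
    hardened = StatefulCaptcha(ttl_seconds=300)
    cid = hardened.issue("sessA", "K7P2QX", now=1000.0)
    old = hardened.issue("sessA", "K7P2QX", now=1000.0)
    return {
        "stateless_first": stateless_validate(link, "K7P2QX"),
        "stateless_replay": stateless_validate(link, "K7P2QX"),
        "stateful_first": hardened.validate("sessA", cid, "K7P2QX", now=1010.0),
        "stateful_replay": hardened.validate("sessA", cid, "K7P2QX", now=1020.0),
        "stateful_expired": hardened.validate("sessA", old, "K7P2QX", now=1400.0),
    }
```

The hardened validator also rejects a challenge presented from a different session, which is what ties the image to the browser that fetched it.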

Possible exploits

1. A DoS attack on the registration page, or fraudulent registrations using a script.
2. A DoS attack on the booking page, or bot-based ticket bookings using scripts for automatic login.

Indian Railways has been informed about this flaw and, based on our report, the flaw has recently been corrected.

3 Responses to Irctc Captcha Flaw (OLD)

  1. ketan says:

    If you want to see an interesting and practical application of Point No. 2 that you have stated… come here to Nagpur… I do not know if this happens nationally too, but you cannot book a ticket of Tatkal quota from the internet here at Nagpur…

  2. Dan says:

    IRCTC corrected the same. :)

  3. Dan says:

    I was not able to find the same. Can you check it? If it is corrected then you can mark the document as old.. :)
