6.4 Insufficient Process Validation
Insufficient Process Validation occurs when a web site permits an attacker
to bypass or circumvent the intended flow control of an application. If
the user's state as they move through a process is not verified and
enforced on the server, the web site may be vulnerable to exploitation or
fraud.
When a user performs a given web site function, the application may
expect the user to navigate through a specific sequence of steps. If the
user performs certain steps incorrectly or out of order, a data integrity
error can occur. Examples of multi-step processes include wire transfer,
password recovery, purchase checkout, account signup, etc. Such processes
typically require each step to be performed as expected, and a step that
depends on an earlier one (a checkout confirmation that depends on
payment, for instance) should not be reachable until the earlier step has
actually completed for that user.
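The flow enforcement described above, as an added example that is not part of the original WASC document: a hypothetical four-step checkout ("cart", "shipping", "payment", "confirm") in Python. The vulnerable handler takes the step name from the request and never checks what came before, so a client can post to "confirm" and skip "payment". The validated handler consults the server's own record of completed steps, rejects any request that skips ahead, and discards later steps when an earlier one is revisited. The step names, session layout, handler names and the `run_flow` driver are assumptions made for illustration, not anything the document specifies.

```python
"""Added example (not from the WASC document): enforcing step order in a
multi-step checkout on the server side.  The step names, session layout and
handler names below are hypothetical."""
from dataclasses import dataclass, field

# Hypothetical four-step checkout flow.  Every step after the first depends
# on the ones before it having completed for this session.
CHECKOUT_STEPS = ["cart", "shipping", "payment", "confirm"]


class ProcessViolation(Exception):
    """Raised when a request arrives for a step whose prerequisites have not completed."""


@dataclass
class ServerSession:
    """Per-session state held on the server (e.g. in a session store).

    `completed` is the ordered list of steps finished so far; `data` holds what
    each step submitted.  Nothing here is taken from a client-controlled field.
    """
    completed: list = field(default_factory=list)
    data: dict = field(default_factory=dict)


def place_order(session: ServerSession) -> dict:
    """Final action of the flow.  Reports whether a payment record exists so the
    effect of skipping the payment step is visible in the result."""
    return {
        "items": session.data.get("cart"),
        "paid": "payment" in session.data,
    }


def vulnerable_handle_step(session: ServerSession, step: str, payload: dict) -> object:
    """Vulnerable: the step name comes from the request (a hidden field or URL)
    and the handler never checks that the preceding steps ran.  A client can
    submit 'confirm' directly and an order is placed with no payment."""
    session.data[step] = payload
    session.completed.append(step)
    if step == "confirm":
        return place_order(session)
    return "ok"


def validated_handle_step(session: ServerSession, step: str, payload: dict) -> object:
    """Hardened: the server decides from its own record which steps are allowed;
    a request for a step whose predecessors are not all complete is rejected."""
    if step not in CHECKOUT_STEPS:
        raise ProcessViolation(f"unknown step {step!r}")
    position = CHECKOUT_STEPS.index(step)
    # A step may run only if every earlier step is already recorded as complete.
    if session.completed[:position] != CHECKOUT_STEPS[:position]:
        raise ProcessViolation(
            f"step {step!r} requested but completed so far: {session.completed}"
        )
    # Revisiting an earlier step (e.g. editing the cart after paying) invalidates
    # everything recorded after it, so those later steps must be redone.
    session.completed = session.completed[:position]
    for later in CHECKOUT_STEPS[position + 1:]:
        session.data.pop(later, None)
    session.data[step] = payload
    session.completed.append(step)
    if step == "confirm":
        return place_order(session)
    return "ok"


def run_flow(handler, requests):
    """Drive one fresh session through a list of (step, payload) requests.
    Returns the last handler result, or the ProcessViolation that stopped it."""
    session = ServerSession()
    result = None
    for step, payload in requests:
        try:
            result = handler(session, step, payload)
        except ProcessViolation as exc:
            return exc
    return result


if __name__ == "__main__":
    # Constructed request sequences: a direct jump to 'confirm', an honest flow,
    # and a flow that edits the cart after paying and then tries to confirm.
    print(run_flow(vulnerable_handle_step, [("confirm", {})]))
    print(run_flow(validated_handle_step, [("confirm", {})]))
    print(run_flow(validated_handle_step, [
        ("cart", {"sku": "A1"}), ("shipping", {"addr": "x"}),
        ("payment", {"card": "tok"}), ("confirm", {}),
    ]))
```

The record of completed steps must live where the client cannot edit it (a server-side session store, or a client-held token with an integrity check); a hidden form field or plain cookie naming the current step is exactly what the vulnerable handler trusts. Resetting later steps on a revisit matters in practice: without it, a user who pays and then changes the cart reaches confirmation with a payment that no longer matches the order.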
For multi-step processes to function properly, the web site must maintain
the user's state as the user traverses the process flow. Web
Copyright 2004, Web Application Security Consortium. All rights reserved.