Question about Captcha and Cookies #21

Open
chrisandoryan opened this issue Sep 23, 2017 · 5 comments
@chrisandoryan

chrisandoryan commented Sep 23, 2017

Hi,
First of all, I really want to say that I am incredibly amazed by your work.
My name is Chrisando Ryan, B20, student of Cyber Security. Right now I'm working on a sort of small project researching cookies and captcha.

After reading the issue flows here (especially your discussion with mstephen77 about the binusmaya login change), I became more curious about how the Binusmaya captcha works. At first I thought Binusmaya was implementing Google's invisible reCaptcha, but after following this repository, I now think it has a different, programmed mechanism. Based on the login change summary from mstephen77, I then tried to implement a Python-based script to log in to Binusmaya to understand more about how its captcha and cookies work. I think I had successfully fetched all the parameters correctly, yet the result is still 'invalid captcha!'. Is there something I missed from the explanation? Have I taken an incorrect concept?

A lot of thanks in advance, and wishing you the best of luck for your thesis!

@mstephen77
Contributor

mstephen77 commented Sep 23, 2017

Hi, @chrisandoryan.
To clarify, they don't use any captcha for login, unless you have failed to log in 5 times.
Also, as I've checked just now, there shouldn't be any changes to how login works since #16, so that way of logging in should work properly, given the correct request payload is sent to sys_login.php. If you're still experiencing ?error=4, try changing/removing the cookie before making a new request to remove the server-side captcha validation. For ?error=1, ?error=2, and ?error=3, just make sure you're passing the correct input names.

@chrsep
Owner

chrsep commented Sep 23, 2017

Hi, thanks @chrisandoryan, I really appreciate you saying that 😁

Just like @mstephen77 said, as far as I know, Binusmaya currently only uses Google's normal reCaptcha, and it only shows up after multiple failed login attempts using the same cookie. So unless you try to log in multiple times with the same cookie, it shouldn't be a problem.

Also, sending an incorrect request payload to sys_login.php would also give you the invalid captcha error message. So check that you are extracting the correct strings from loader.php.

You can see Portal's login implementation here.

@chrisandoryan
Author

Hi! Thanks to both of you. I lately discovered that the problem is in my script itself, as @chrsep hinted. Another question in mind: do you have any idea of a reasonable reason why Binusmaya stopped using that image captcha for verification? Is it because they're implementing normal reCaptcha? Last time I checked, the page captcha.php is still there, but for some reason they stopped using it. Also, does Portal interact more with the block_user.php page, or is it just to determine whether the login is successful?

@mstephen77
Contributor

You're welcome, @chrisandoryan.
I don't really know the details, but they probably removed captcha.php because it has a lot of bugs and they have already implemented reCaptcha.
Meanwhile, block_user.php does not do anything other than blocking. It's not how Binusmaya checks whether the login is successful or not. It simply blocks users from logging in to Binusmaya when there's, for example, a Lecturer Questionnaire.

@chrsep
Owner

chrsep commented Sep 24, 2017

@chrisandoryan Portal does not call block_user.php, I didn't even know what that was for 🤣. But I do know that if the login is successful, users are redirected there, so I just use it to determine if the login is successful.
