‘Cracking’ the Vanilla Challenge-Plugin (Brute Force Way)
Jan 8th, 2007 by rb
Maybe some of you know the pretty funny Wordpress Challenge Plugin which I also use to protect my blog.
A reader of mine, ma, gave me the idea of figuring out how difficult it would be to break the vanilla plugin the brute force way. By vanilla I mean the standard challenge a * b + c = ?; brute force means not looking at the challenge itself (which could easily be parsed and evaluated with a mathematical library), but simply submitting some fixed (or random) value.
Mathematics
In default mode, the values for a, b and c only range from 0 to 10, which gives a total of 11*11*11 = 1331 (I knew this plugin was leet) different challenge combinations, but only 111 distinct sensible responses (every value from 0 to 110). Each response has a certain probability of being the correct answer, which is depicted here:
[figure: probability of each response value a * b + c over the default range 0..10]
The exact numbers may be a bit hard to read off, but I can tell you the peak is at the number 10, with a probability of 0.0361 (48 of the 1331 combinations). So if you were attacking vanilla targets, 10 would be your answer of choice.
To see how many "attacks" you would need, look at this figure:
[figure: probability of at least one successful post as a function of the number of attempts]
Submitting the best answer every time, the probability of at least one successful post after n attempts is 1 - (1 - 0.0361)^n. From 19 attempts on that chance exceeds one half (.50), and with 82 tries it is larger than .95.
Conclusion
So is it a problem? Not really. You can defeat this attack simply by slightly changing the challenge, modifying the range of valid responses and so on. Mathematical parser libraries could also be tricked easily by writing certain operations by their names rather than their symbols.
As for myself, I don't see any need to act, at least not right now. Even if I do get spammed, cleanup is just a SQL statement away.
However, one funny thing about the standard challenge is that you could slightly improve its security by reducing the range of a, b and c: if you excluded 0 and let them only range from 1 to 10, the probability of the best answer (13 in that case) would only be .028, giving only a .90 probability of being hit at least once after 82 tries.
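The numbers in the Mathematics section and in the range-restriction note above can be recomputed for any range of a, b and c. The following Python script is an added example, not code from the original post or from the Challenge plugin: it enumerates every (a, b, c) triple, finds the response value a blind attacker should always submit, and derives how many attempts are needed to reach a given success probability. The function names are my own.

```python
import math
from itertools import product


def response_distribution(lo=0, hi=10):
    """Count, for each possible response value v = a*b + c, how many
    (a, b, c) triples with lo <= a, b, c <= hi produce it."""
    counts = {}
    for a, b, c in product(range(lo, hi + 1), repeat=3):
        v = a * b + c
        counts[v] = counts.get(v, 0) + 1
    return counts


def best_guess(lo=0, hi=10):
    """Return (value, probability) for the response value that is correct
    most often, i.e. the fixed answer a brute-force attacker should submit.
    Every triple is assumed equally likely, as in the plugin's default mode."""
    counts = response_distribution(lo, hi)
    total = (hi - lo + 1) ** 3
    value = max(counts, key=counts.get)
    return value, counts[value] / total


def hit_probability(p, n):
    """Probability of at least one success in n independent attempts,
    each succeeding with probability p: 1 - (1 - p)^n."""
    return 1 - (1 - p) ** n


def attempts_for(p, target):
    """Smallest number of attempts n such that hit_probability(p, n) >= target."""
    return math.ceil(math.log(1 - target) / math.log(1 - p))


if __name__ == "__main__":
    for lo, hi in ((0, 10), (1, 10)):
        value, p = best_guess(lo, hi)
        print(f"range {lo}..{hi}: {len(response_distribution(lo, hi))} distinct "
              f"responses, best fixed answer {value} (p = {p:.4f})")
        print(f"  attempts for p>=.50: {attempts_for(p, 0.5)}, "
              f"for p>=.95: {attempts_for(p, 0.95)}, "
              f"hit probability after 82 tries: {hit_probability(p, 82):.3f}")
```

For the default range 0..10 this reproduces the 111 responses, the peak at 10 with probability 0.0361, and the 19 and 82 attempt thresholds; for 1..10 it gives 13 as the best answer at 0.028 and a .90 hit probability after 82 tries, so you can try other ranges or operators before changing the plugin.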
I would crack your spam protection quite easily... I read the source of the page and filter out the part with the calculation... the rest is child's play...
But with brute force it would be pointless^^
Besides, the calculation is always 1 * 1 + 1, has an error crept in there?
No, it hasn't; I just wanted to lower the threshold for leaving comments.