Is CAPTCHA secure?
9:42 am on May 3, 2012 (gmt 0)
Nearly all websites use CAPTCHA images to protect their forms from spam. But is this the most secure way? As far as I understand, the idea of CAPTCHA is to challenge the user with an image containing some "hard-to-recognize" text so that if the visitor is a human being (not a bot) he/she will be able to post data but not machines. The website sends the CAPTCHA code (image) and a session cookie containing perhaps a hashed version of the CAPTCHA image (the correct answer but hashed). The user submits the form and the server has to make sure that the hash of the letters he/she typed = the hash contained in the session cookie. Fine, what if I (the spammer) wrote a piece of software that mimics that same request and sends it to the server? In other words, if the CAPTCHA is abc123 and the hash (in the session variable which can be read with any HTTP sniffer) is xyz345 (consider this a 32 character string) and I sent this data to the server in a post request? Then I start to be more creative, I put this code in a 10,000 loop that will overwhelm the server with spam data! Now is CAPTCHA that secure? Are there any options by which I can face such a threat? Thanks
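The replay the poster describes works because the cookie itself carries everything the server needs to accept the answer, so the same cookie-plus-answer pair can be resent indefinitely. The following is an added example (not from the thread or any product it mentions) of the usual mitigation: the expected answer is kept server-side under an opaque session id, the cookie holds only that id, and the challenge is consumed on its first use and expires after a short TTL. The store, the `CHALLENGE_TTL` value and the `issue_challenge`/`verify_submission` names are assumptions for illustration.

```python
import hmac
import secrets
import time
from typing import Dict, Optional

# Hypothetical server-side store of outstanding challenges, keyed by an opaque
# session id. The answer never leaves the server, so the cookie contains
# nothing that can be reused as proof of solving the CAPTCHA.
_challenges: Dict[str, Dict[str, object]] = {}
CHALLENGE_TTL = 300  # seconds; constructed value for the example


def issue_challenge(answer: str, now: Optional[float] = None) -> str:
    """Record the expected answer and return the opaque id that goes into the cookie."""
    now = time.time() if now is None else now
    session_id = secrets.token_urlsafe(32)   # unguessable, 256 bits of entropy
    _challenges[session_id] = {"answer": answer, "expires": now + CHALLENGE_TTL}
    return session_id


def verify_submission(session_id: str, typed: str, now: Optional[float] = None) -> bool:
    """Compare the typed text with the stored answer; the challenge is consumed either way."""
    now = time.time() if now is None else now
    # pop() removes the record on the first attempt, so a second submission with
    # the same cookie fails even if the first one was correct.
    record = _challenges.pop(session_id, None)
    if record is None or now > record["expires"]:
        return False
    # Constant-time comparison avoids leaking how many leading characters matched.
    return hmac.compare_digest(str(record["answer"]).encode(), typed.encode())


def replay_demo() -> Dict[str, bool]:
    """Walk through the scenario from the post with a constructed challenge 'abc123'."""
    sid = issue_challenge("abc123", now=1000.0)
    first = verify_submission(sid, "abc123", now=1001.0)   # genuine first submission
    second = verify_submission(sid, "abc123", now=1002.0)  # identical replay, now rejected
    stale_sid = issue_challenge("xyz789", now=1000.0)
    expired = verify_submission(stale_sid, "xyz789", now=1000.0 + CHALLENGE_TTL + 1)
    return {"first": first, "replay": second, "expired": expired}
```

With this layout a sniffed cookie buys the attacker exactly one submission, and only if they also solved the image; the 10,000-iteration loop in the post then produces 9,999 rejections. Rate-limiting challenge issuance per client is the natural companion, since an attacker can otherwise request fresh challenges as fast as they consume them.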
10:33 am on May 3, 2012 (gmt 0)
If you have yet to have your captcha overrun by spammers I wouldn't worry about it too much. More than likely you would encounter a simple blow-thru technique where humans on different sites are tricked to answer the captcha for the bots, and the results are passed through.
10:38 am on May 3, 2012 (gmt 0)
I use a simple question and answer system on about 20 websites, which so far is also 100%.
10:59 am on May 3, 2012 (gmt 0)
Ok, I just want somebody to tell me how the following scenario was possible (because I did it using C# and I was able to bypass the CAPTCHA challenge of a website):
The C# bot created a request that is 100% similar to a legitimate HTTP request done by a human (which is me) and captured by an HTTP sniffer.
This request could be a result of a question / answer, an image or whatever.
4:20 pm on May 3, 2012 (gmt 0)
Anything could be done by a bot, but that assumes your site alone is worth their time to mess with. There are a few tricks to the anti-spam stuff I do; it's deceptively simple but has kept the crud off my sites for years now.
I have one high value target and I sat one night watching someone from a Romanian IP address feverishly hack at my anti-spam stuff for a couple of hours and he found one loophole which I quickly closed and never had an issue with them ever since ;)
BTW, anti-spam when done right isn't a single solution but a series of checks.
For instance, is the spammer using GET or POST to submit? Many still try to use GET and simply requiring a POST will jam them up for a while.
Does the spammer accept your cookies? Assuming an actual visitor came to your site and received the page in their browser they would also receive a cookie. If someone tries to POST the form without the cookie it gets rejected.
Does the spammer send a referrer? Assuming an actual visitor came to your site and submits the form from your site, it should have the referring page along with the POST and the COOKIE.
Additionally, check the user agent doing the submit. If it doesn't start with Mozilla, Opera or some cell phone user agents, kick 'em out.
See how you can easily build up a few simple rules and requirements that harden the form?
Obviously a real hard core determined spammer could emulate a lot of this but then it slows his efforts down, decreases the amount of spam he can send, and takes more time to figure out what your site requires.
Just to make life harder, I randomize some of the stuff above such as field names, page names, etc.
Best part is it'll easily bounce the lame spammers.
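The checks listed in this reply (POST only, session cookie present, same-site Referer, browser-like User-Agent, randomized field names) can be expressed as one server-side filter run before the form is processed. The code below is an added example written for this page, not the poster's own implementation: the `Request` dataclass, the `example.com` host, the `sid` cookie name and the `check_form_submission` function are constructed for illustration, and "some cell phone user agents" from the post is left as an assumption behind the `ALLOWED_UA_PREFIXES` tuple.

```python
from dataclasses import dataclass, field
from typing import Dict, List
from urllib.parse import urlparse


@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request (constructed for the example)."""
    method: str
    headers: Dict[str, str] = field(default_factory=dict)
    cookies: Dict[str, str] = field(default_factory=dict)
    form: Dict[str, str] = field(default_factory=dict)


SITE_HOST = "example.com"            # constructed; the host the form is served from
SESSION_COOKIE = "sid"               # constructed; cookie set when the page is first served
ALLOWED_UA_PREFIXES = ("Mozilla", "Opera")  # the post's rule; phone UAs would extend this tuple


def check_form_submission(req: Request, expected_field: str) -> List[str]:
    """Return the names of the checks that failed; an empty list means the submission passes.

    expected_field is the per-session randomized name of the message field,
    stored server-side when the form page was generated (the post's last tip).
    """
    failures: List[str] = []

    # 1. Require POST: the post notes many bots still submit with GET.
    if req.method.upper() != "POST":
        failures.append("method")

    # 2. Require the cookie issued with the form page.
    if SESSION_COOKIE not in req.cookies:
        failures.append("cookie")

    # 3. Require a Referer pointing back at this site.
    referer = req.headers.get("Referer", "")
    if urlparse(referer).hostname != SITE_HOST:
        failures.append("referer")

    # 4. Require a browser-like User-Agent prefix.
    if not req.headers.get("User-Agent", "").startswith(ALLOWED_UA_PREFIXES):
        failures.append("user-agent")

    # 5. Require the randomized field name chosen for this session.
    if expected_field not in req.form:
        failures.append("field-name")

    return failures


# Constructed sample traffic: one browser submission and one naive bot.
BROWSER_REQUEST = Request(
    method="POST",
    headers={"Referer": "https://example.com/contact",
             "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/12.0"},
    cookies={"sid": "opaque-session-id"},
    form={"f_8a2c": "hello", "email": "user@example.net"},
)
BOT_REQUEST = Request(
    method="GET",
    headers={"User-Agent": "Python-urllib/2.7"},
    form={"message": "buy now"},
)
```

Running `check_form_submission(BOT_REQUEST, "f_8a2c")` reports every one of the five rules failing, while the browser request passes cleanly. The Referer rule is the one most likely to reject real people, since some browsers and privacy extensions strip it; treating it as a score contribution rather than a hard reject keeps the poster's layered approach without locking those visitors out.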