Is CAPTCHA secure?

Hardening CAPTCHA



9:42 am on May 3, 2012 (gmt 0)

5+ Year Member

Nearly all websites use CAPTCHA images to protect their forms from spam. But is this the most secure way? As far as I understand, the idea of CAPTCHA is to challenge the user with an image containing some "hard-to-recognize" text so that if the visitor is a human being (not a bot) he/she will be able to post data but machines will not. The website sends the CAPTCHA code (image) and a session cookie containing perhaps a hashed version of the CAPTCHA image (the correct answer, but hashed). The user submits the form and the server has to make sure that the hash of the letters he/she typed = the hash contained in the session cookie. Fine, but what if I (the spammer) wrote a piece of software that mimics that same request and sends it to the server? In other words, if the CAPTCHA is abc123 and the hash (in the session variable, which can be read with any HTTP sniffer) is xyz345 (consider this a 32 character string) and I sent this data to the server in a POST request? Then I start to be more creative: I put this code in a 10,000 loop that will overwhelm the server with spam data! Now is CAPTCHA that secure? Are there any options by which I can face such a threat? Thanks
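The two designs this question contrasts, as an added example that is not from the original post: a hash of the answer carried in the client's cookie (replayable as many times as the spammer likes) next to an answer held server-side under an opaque, single-use, expiring challenge id. The in-memory store, the `now` parameter and the sample answer are constructed for the example.

```python
import hashlib
import secrets
import time

# --- Design from the question: the hashed answer travels in the cookie ---
def issue_cookie_captcha(answer):
    # this digest is what the client gets to keep
    return hashlib.sha256(answer.encode()).hexdigest()

def verify_cookie_captcha(cookie_hash, typed):
    # nothing here stops the same (answer, hash) pair being sent again
    return hashlib.sha256(typed.encode()).hexdigest() == cookie_hash

# --- Hardened: answer stays on the server, client only holds an opaque id ---
_challenges = {}  # challenge_id -> (answer, expires_at); constructed in-memory store

def issue_server_captcha(answer, ttl=300, now=None):
    now = time.time() if now is None else now
    cid = secrets.token_urlsafe(16)            # unguessable, unrelated to the answer
    _challenges[cid] = (answer, now + ttl)
    return cid                                 # goes into the cookie / hidden field

def verify_server_captcha(cid, typed, now=None):
    now = time.time() if now is None else now
    entry = _challenges.pop(cid, None)         # consumed on the first attempt, right or wrong
    if entry is None:
        return False                           # unknown or already-used challenge
    answer, expires_at = entry
    if now > expires_at:
        return False                           # stale challenge
    return secrets.compare_digest(answer.lower(), typed.lower())

def demo(now=1000.0):
    # constructed sample: the same correct answer submitted repeatedly
    h = issue_cookie_captcha("abc123")
    replay_accepted = all(verify_cookie_captcha(h, "abc123") for _ in range(3))
    cid = issue_server_captcha("abc123", now=now)
    first = verify_server_captcha(cid, "abc123", now=now + 1)
    second = verify_server_captcha(cid, "abc123", now=now + 2)   # replay of the same id
    return replay_accepted, first, second
```

Loop-based flooding is a separate problem; rate limiting per session or source address covers what the one-time challenge does not.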


10:33 am on May 3, 2012 (gmt 0)

WebmasterWorld Administrator incredibill is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

If you have yet to have your captcha overrun by spammers I wouldn't worry about it too much. More than likely you would encounter a simple blow-thru technique where humans on different sites are tricked to answer the captcha for the bots, and the results are passed through.

I use a simple captcha which is javascript that simply tells the server whether someone is at the keyboard typing and clicking buttons which, to date, has been 100% but probably wouldn't last long if it became widely adopted.


10:38 am on May 3, 2012 (gmt 0)

WebmasterWorld Senior Member beedeedubbleu is a WebmasterWorld Top Contributor of All Time 10+ Year Member

I use a simple question and answer system on about 20 websites, which so far is also 100%.


10:59 am on May 3, 2012 (gmt 0)

5+ Year Member

OK, I just want somebody to tell me how the following scenario was possible (because I did it using C# and I was able to bypass the CAPTCHA challenge of a website):
The C# bot created a request that is 100% similar to a legitimate HTTP request done by a human (which is me) and captured by an HTTP sniffer.
This request could be the result of a question / answer, an image or whatever.
I liked incrediBILL's way of using javascript to tell the server that somebody is typing. But couldn't this be cloned over and over by a bot? Just inquiring.


4:20 pm on May 3, 2012 (gmt 0)

WebmasterWorld Administrator incredibill is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

Anything could be done by a bot, but that assumes your site alone is worth their time to mess with. There's a few tricks to the anti-spam stuff I do, it's deceptively simple but has kept the crud off my sites for years now.

I have one high value target and I sat one night watching someone from a Romanian IP address feverishly hack at my anti-spam stuff for a couple of hours and he found one loophole which I quickly closed and never had an issue with them ever since ;)

BTW, anti-spam when done right isn't a single solution but a series of checks.

For instance, is the spammer using GET or POST to submit? Many still try to use GET and simply requiring a POST will jam them up for a while.

Does the spammer accept your cookies? Assuming an actual visitor came to your site and received the page in their browser they would also receive a cookie. If someone tries to POST the form without the cookie it gets rejected.

Does the spammer send a referrer? Assuming an actual visitor came to your site and submits the form from your site, it should have the referring page along with the POST and the COOKIE.

Then add some javascript to record whether there is any keyboard or mouse activity and send it to the server. Now you require a POST, a COOKIE, a REFERRER and a KEYPRESS or MOUSEMOVE to complete the submit, so on and so forth.

Put the javascript in a file that needs to be loaded separately from the server as many bots don't load secondary files. Using PHP handlers it's trivial to detect that the javascript file (and CSS file) was loaded as another 'tell' that it's actually a browser and you can track that in the session.

Additionally, check the user agent doing the submit. If it doesn't start with Mozilla, Opera or some cell phone user agents kick 'em out.

See how you can easily build up a few simple rules and requirements that harden the form?

Obviously a real hard-core, determined spammer could emulate a lot of this, but then it slows his efforts down, decreases the amount of spam he can send, and takes more time to figure out what your site requires.

Just to make life harder, I randomize some of the stuff above such as field names, page names, etc.

Best part is it'll easily bounce the lame spammers.
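The series of checks described in the post above, as an added example (not the poster's code, and written in Python rather than the PHP handlers he mentions): every rule is evaluated and the names of the failed ones are returned, so a reject can be logged with its reason. The site host, the session contents, the randomized field name and both sample requests are constructed.

```python
from urllib.parse import urlparse

SITE_HOST = "example.com"            # assumption: host of the protected site
UA_PREFIXES = ("Mozilla", "Opera")   # the post's list; phone user agents left out here

def check_submission(req, session):
    """Return the names of the checks a submission failed ([] means accept)."""
    headers, form, cookies = req.get("headers", {}), req.get("form", {}), req.get("cookies", {})
    failed = []
    if req.get("method") != "POST":                      # GET submits are rejected outright
        failed.append("method")
    if cookies.get("sid") != session["sid"]:             # must echo the cookie the page view set
        failed.append("cookie")
    if urlparse(headers.get("Referer", "")).hostname != SITE_HOST:
        failed.append("referrer")                        # form must be submitted from our page
    if not (session.get("js_loaded") and session.get("css_loaded")):
        failed.append("assets")                          # secondary files were never fetched
    if form.get("activity") != "1":                      # flag the js sets on keypress/mousemove
        failed.append("activity")
    if not headers.get("User-Agent", "").startswith(UA_PREFIXES):
        failed.append("user_agent")
    if session["msg_field"] not in form:                 # field name is randomized per session
        failed.append("field_name")
    return failed

# Constructed samples: a browser that viewed the page first, and a bot with a canned request.
BROWSER_SESSION = {"sid": "s1", "js_loaded": True, "css_loaded": True, "msg_field": "f_7k2q"}
BOT_SESSION = {"sid": "s9", "js_loaded": False, "css_loaded": False, "msg_field": "f_p3x8"}

BROWSER_REQ = {
    "method": "POST",
    "headers": {"Referer": "http://example.com/contact", "User-Agent": "Mozilla/5.0 (X11)"},
    "cookies": {"sid": "s1"},
    "form": {"f_7k2q": "hello", "activity": "1"},
}
BOT_REQ = {"method": "GET", "headers": {"User-Agent": "Python-urllib/3.8"},
           "cookies": {}, "form": {"message": "buy now"}}

def check_browser():
    return check_submission(BROWSER_REQ, BROWSER_SESSION)   # expected: []

def check_bot():
    return check_submission(BOT_REQ, BOT_SESSION)            # expected: all seven checks
```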
