WebApp Sec mailing list archives
RE: [WEB SECURITY] Defeating CAPTCHA
From: Michal Zalewski <lcamtuf () dione ids pl>
Date: Thu, 25 Aug 2005 17:26:55 +0200 (CEST)
On Thu, 25 Aug 2005 focus () karsites net wrote:
I suppose if the user had to select each letter and/or numeric digit from a captcha seperately, and enter these using a randomly generated input sequence by the server, that would block any programs from reading the CAPTCHA and feeding it directly to the form input field.
Yeah, requiring them to enter characters separately into a number of boxes (possibly after reading the page to determine the requested order). Not any more difficult to accomplish, and won't stop anyone (Captcha attacks must be customized anyway, so this is just a minor annoyance). You could of course make the sequence hard to decipher for a machine... using a captcha. Yeah. There's really no good solution. Captchas work (for now) to deter common trolls and abusers - you are usually not that much obsessed about a particular forum or website to write and test a complext piece of image analysis software. They may of sudden stop working, the day somebody determined to code something like that for fun, fame, or profits, sells or contributes one of easy-to-use captcha busters to the public. The thing is, captchas don't measure a quality that is unique to humans. Image processing, filtering and picture recognition is something computers can do well, often better than humans, and no amout of text obfuscation is going to help. You will end up with captchas you can't solve, but computers can. We could use something other than text challenges (say, determination of mood of a photographed person) - but the thing is, individual, reliably predictable, everyday data processing capabilities of our brains are in general rather easy to simulate, especially with the accuracy needed for this task (1% success ratio is enough). It just takes some coding and tests. Things computers suck at (higher cognitive functions, so to speak) are usually hard to define and examine to start with, and work in a different way for different people; plus, many of us would naturally fail quite often. /mz
Current thread:
- Defeating CAPTCHA robert (Aug 25)
- RE: [WEB SECURITY] Defeating CAPTCHA Debasis Mohanty (Aug 25)
- RE: [WEB SECURITY] Defeating CAPTCHA focus (Aug 25)
- RE: [WEB SECURITY] Defeating CAPTCHA Michal Zalewski (Aug 25)
- RE: [WEB SECURITY] Defeating CAPTCHA focus (Aug 25)
- Re: Defeating CAPTCHA Jayson Anderson (Aug 25)
- Re: Defeating CAPTCHA Mark Burnett (Aug 25)
- Re: Defeating CAPTCHA Chris Shiflett (Aug 25)
- Re: Defeating CAPTCHA Jayson Anderson (Aug 25)
- Re: Defeating CAPTCHA Andrew van der Stock (Aug 25)
- Re: Defeating CAPTCHA Mark Burnett (Aug 25)
- Re: Defeating CAPTCHA Stephen de Vries (Aug 25)
- RE: Defeating CAPTCHA Glenn Euloth (Aug 26)
- Re: Defeating CAPTCHA Christopher Kunz (Aug 31)
- RE: [WEB SECURITY] Defeating CAPTCHA Debasis Mohanty (Aug 25)
- Re: Defeating CAPTCHA Michal Zalewski (Aug 26)