WebApp Sec mailing list archives
RE: [WEB SECURITY] Defeating CAPTCHA
From: "Brecrost Jones" <brecrost () hotmail com>
Date: Thu, 25 Aug 2005 09:06:44 -0600
I suppose if the user had to select each letter and/or numeric digit from a CAPTCHA separately, and enter these using a randomly generated input sequence by the server, that would block any programs from reading the CAPTCHA and feeding it directly to the form input field.
E.g. CAPTCHA: ZXCVBNM
Please enter the above CAPTCHA in the following sequence:
3rd letter: [ C ]
6th letter: [ N ]
5th letter: [ B ]
2nd letter: [ X ]
7th letter: [ M ]
4th letter: [ V ]
1st letter: [ Z ]
What's to stop the program from reading the labels on the form fields to determine the order to enter the characters in? The labels can't be images, or we'll just OCR them too!
Or am I missing something?