WebApp Sec mailing list archives

RE: [WEB SECURITY] Defeating CAPTCHA


From: focus () karsites net
Date: Thu, 25 Aug 2005 15:30:06 +0100 (BST)

Hi all!

I suppose if the user had to select each letter and/or numeric digit
from a captcha separately, and enter these using a randomly generated
input sequence by the server, that would block any programs from reading
the CAPTCHA and feeding it directly to the form input field.

After several failed attempts the server could generate another CAPTCHA,
and make the user (or robot) start over again.

Eg. CAPTCHA: ZXCVBNM

Please enter the above CAPTCHA in the following sequence:

3rd letter: [ C ]
6th letter: [ N ]
5th letter: [ B ]
2nd letter: [ X ]
7th letter: [ M ]
4th letter: [ V ]
1st letter: [ Z ]

Or via several drop down selection boxes, one for each CAPTCHA character.

HTH - KR

There already exist a few interesting projects around on circumventing
CAPTCHA ( http://www.captcha.net/ ). There are various algorithms being
written to defeat the simplest to the complex CAPTCHAs but only a few CAPTCHAs
have survived such tests.

A project devoted to breaking CAPTCHA systems can be found here:
http://sam.zoy.org/projects/pwntcha/ 
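
The randomly ordered entry scheme proposed in the message above, sketched as server-side state handling. This is an added example, not code from the original post; the class name, the alphabet, and the three-failure limit are assumptions (the post only says "several failed attempts").

```python
import secrets

ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # assumption: ambiguous glyphs left out
MAX_FAILURES = 3  # assumption: stands in for "several failed attempts"
_rng = secrets.SystemRandom()


class OrderedCaptcha:
    """Server-side state for one challenge: text, requested order, failure count."""

    def __init__(self, length=7):
        self.length = length
        self.failures = 0
        self._new_challenge()

    def _new_challenge(self):
        self.text = "".join(secrets.choice(ALPHABET) for _ in range(self.length))
        self.order = list(range(self.length))
        _rng.shuffle(self.order)  # 0-based positions, in the order the form asks
        self.used = False

    def prompts(self):
        """Form field labels in the order presented, e.g. ['letter 3', 'letter 6', ...]."""
        return [f"letter {i + 1}" for i in self.order]

    def expected(self):
        return "".join(self.text[i] for i in self.order)

    def verify(self, answers):
        """answers: one submitted character per field, in the order presented."""
        if self.used:
            return False  # a solved challenge cannot be replayed
        submitted = "".join(answers).upper().encode()
        if len(answers) == self.length and secrets.compare_digest(
                submitted, self.expected().encode()):
            self.used = True
            return True
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            # start over with a fresh CAPTCHA and a fresh entry order
            self.failures = 0
            self._new_challenge()
        return False
```

The text and the entry order stay on the server and are regenerated together, so an answer prepared for an earlier challenge no longer matches after a reset.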

