WebApp Sec mailing list archives

Previous By Date Next
Previous By Thread Next

RE: CAPTCHA

From: "Sacks, Cailan C" <Cailan.Sacks () standardbank co za>
Date: Tue, 25 Jan 2011 09:22:29 +0200
Stupid idea. A spammer sees funky implementations of web forms every day, and they patch their bots accordingly. There 
is no security in obfuscation, just buys you time until someone beats you over the head. Google captcha. They do the 
work and you reap the benifit. Can't get easier.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Steve Syfuhs
Sent: Tuesday, January 25, 2011 3:05 AM
To: Robin Wood; Shang Tsung
Cc: webappsec () securityfocus com
Subject: RE: CAPTCHA

This is a brilliant idea.  Did you come up with it?  If not, got any resources?

Sent from my Windows Phone

-----Original Message-----
From: Robin Wood
Sent: Monday, January 24, 2011 7:49 PM
To: Shang Tsung
Cc: webappsec () securityfocus com
Subject: Re: CAPTCHA


On 24 January 2011 15:11, Shang Tsung <shangtsung71 () gmail com> wrote:

We are planning to use a CAPTCHA in order to stop spam engines from
filling our Online Forms. From a quick research I made, I found there
are good and there are bad types of CAPTCHA.

Does anyone know if there are any standard and secure implementations
of CAPTCHA that we can use?

Any good articles on the subject?


I hate captchas, always have so I use a reverse captcha on sites that
I build. You add a field to the form with name and id of email. You
then give it a label that says "Please leave blank" and hide them both
with CSS. Most people won't see them because the CSS works, even if
they do see them they read the message and obey. Spam engines on the
other hand spot the email field and happily fill it in. You then
silently drop any contact forms with values in the email field.

Normal humans aren't affected and you trick most generic bots.

Robin



This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------




This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now! 
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------

Standard Bank email disclaimer and confidentiality note
Please go to http://www.standardbank.co.za/site/homepage/emaildisclaimer.html to read our email disclaimer and 
confidentiality note. Kindly email disclaimer () standardbank co za (no content or subject line necessary) if you 
cannot view that page and we will email our email disclaimer and confidentiality note to you.



This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: