WebApp Sec mailing list archives

Re: CAPTCHA


From: Robin Wood <robin () digininja org>
Date: Wed, 26 Jan 2011 23:41:04 +0000

On 26 January 2011 07:23, arvind doraiswamy <arvind.doraiswamy () gmail com> wrote:
A question though. It should be possible to write a 'targeted bot'
which doesn't fill up those fields... right? Or did I miss something?

Yes, but if the author is going to go to the trouble of looking at your
form and working out which fields are hidden, then they are going for a
targeted attack rather than a shotgun attack, and if you are being
targeted then there are plenty of other ways they can spam you.

This isn't a perfect system, but for small sites which aren't likely to
get targeted it puts a layer of protection in place and avoids
putting users through a captcha when one isn't really needed.

Robin


Arvind


-----Original Message-----
From: Robin Wood
Sent: Monday, January 24, 2011 7:49 PM
To: Shang Tsung
Cc: webappsec () securityfocus com
Subject: Re: CAPTCHA


On 24 January 2011 15:11, Shang Tsung <shangtsung71 () gmail com> wrote:
We are planning to use a CAPTCHA in order to stop spam engines from
filling our online forms. From some quick research I did, I found there
are good and there are bad types of CAPTCHA.

Does anyone know if there are any standard and secure implementations
of CAPTCHA that we can use?

Any good articles on the subject?

I hate captchas, always have, so I use a reverse captcha on sites that
I build. You add a field to the form with name and id of email. You
then give it a label that says "Please leave blank" and hide them both
with CSS. Most people won't see them because the CSS works; even if
they do see them, they read the message and obey. Spam engines on the
other hand spot the email field and happily fill it in. You then
silently drop any contact forms with values in the email field.

Normal humans aren't affected and you trick most generic bots.

Robin



This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------
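The reverse captcha Robin describes, written out as an added example (not code from the thread): a form with a CSS-hidden trap field named "email", and a server-side handler that silently drops any submission where that field is non-empty while returning the same response a human would see. Field names other than "email", the off-screen CSS, and the sample submissions are constructed for illustration.

```python
"""Honeypot ("reverse CAPTCHA") form check, as described in the thread.

Added example, not code from the original posts. The only detail taken
from the post is that the trap field has name and id "email", carries the
label "Please leave blank", and is hidden with CSS; everything else here
is constructed.
"""
import html

HONEYPOT_FIELD = "email"  # trap field: humans never see it, form-fillers do

# Constructed contact form. The real reply address, if one is collected,
# must use a different name (here "reply_to") because "email" is the trap.
# The label tells a human who does see the field (CSS off, screen reader)
# to leave it empty; tabindex=-1 keeps keyboard users from landing in it.
FORM_HTML = """
<style>.hp-wrap { position: absolute; left: -10000px; }</style>
<form method="post" action="/contact">
  <label for="name">Name</label>
  <input type="text" name="name" id="name">
  <label for="reply_to">Your address</label>
  <input type="text" name="reply_to" id="reply_to">
  <label for="message">Message</label>
  <textarea name="message" id="message"></textarea>
  <div class="hp-wrap">
    <label for="email">Please leave blank</label>
    <input type="text" name="email" id="email" autocomplete="off" tabindex="-1">
  </div>
  <button type="submit">Send</button>
</form>
"""


def is_honeypot_tripped(form: dict) -> bool:
    """True if the hidden trap field carries any non-whitespace value.
    A missing field is not a trip: a browser that submits nothing for it
    behaves the same as one that submits an empty string."""
    return bool(form.get(HONEYPOT_FIELD, "").strip())


def handle_contact(form: dict) -> dict:
    """Process one submission. Tripped submissions are silently dropped:
    the response is identical to a success so the bot learns nothing,
    but nothing is stored. A stored record keeps every field except the trap."""
    body = "Thanks for your message."
    if is_honeypot_tripped(form):
        return {"status": 200, "stored": False, "body": body}
    record = {k: html.escape(v.strip()) for k, v in form.items() if k != HONEYPOT_FIELD}
    return {"status": 200, "stored": True, "body": body, "record": record}


# Constructed sample submissions: a human leaves the trap empty, a generic
# form-filler sees a field called "email" and fills it in.
HUMAN = {"name": "Alice", "reply_to": "alice@example.invalid", "message": "Hello", "email": ""}
BOT = {"name": "Bob", "reply_to": "bob@example.invalid", "message": "buy now", "email": "bob@example.invalid"}
```

As the thread notes, this only stops untargeted bots; anything that inspects the form and skips hidden fields walks straight past it, so it is a filter to log and watch, not a guarantee.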



