[WEB SECURITY] Fake Captcha Protection

Rohit Lists rklists at gmail.com
Wed May 7 19:27:11 EDT 2008


If I understand your question correctly, you're asking what would stop
the attacking tool from enumerating all the possible combinations of
parameters - that's a good point, and I suppose it depends on how many
combinations are actually offered. On the other hand, it looks like
some tools (e.g. http://www.cs.sfu.ca/~mori/research/gimpy/) seem to
be able to break captchas with many different parameters.

Your project seems like an interesting alternative. I'd definitely
like to see how the project turns out and how effective it is at
stopping OCR-based attacks.

Cheers,

Rohit



On Wed, May 7, 2008 at 12:52 PM, Stephan Wehner <stephanwehner at gmail.com> wrote:
> On Tue, May 6, 2008 at 9:52 PM, Rohit Lists <rklists at gmail.com> wrote:
>
>  >  If you were so inclined, you could change the parameters (and
>  >  therefore the style of the image) on a regular basis to force a cat
>  >  and mouse game for image analysis tools. This may not stop a
>
>  You mean the administrator changes the parameters? On what basis
>  could that step not be automated in your scheme?
>
>  I recently put together a CAPTCHA using background photos; see
>  http://preview.stephansmap.org/sign_up
>  Here, defining the placement of the CAPTCHA text is a manual step
>  (selecting suitable photos as well).
>
>  Stephan
>
>  --
>  Stephan Wehner
>
>  -> http://stephan.sugarmotor.org
>  -> http://www.thrackle.org
>  -> http://www.buckmaster.ca
>  -> http://www.trafficlife.com
>  -> http://stephansmap.org
>
>
>
>  ----------------------------------------------------------------------------
>  Join us on IRC: irc.freenode.net #webappsec
>
>  Have a question? Search The Web Security Mailing List Archives:
>  http://www.webappsec.org/lists/websecurity/
>
>  Subscribe via RSS:
>  http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>
>


Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
