[WEB SECURITY] Fake Captcha Protection

Rohit Lists rklists at gmail.com
Thu May 8 13:15:50 EDT 2008


Actually PWNtcha (http://libcaca.zoy.org/wiki/PWNtcha) is now freely
available: svn co svn://svn.zoy.org/libcaca/pwntcha/trunk pwntcha



On Wed, May 7, 2008 at 9:20 PM, Stephan Wehner <stephanwehner at gmail.com> wrote:
> On Wed, May 7, 2008 at 4:27 PM, Rohit Lists <rklists at gmail.com> wrote:
>> If I understand your question correctly, you're asking what would stop
>>  the attacking tool from enumerating all the possible combinations of
>>  parameters - that's a good point, and I suppose it depends on how many
>>  combinations are actually offered. On the other hand, it looks like
>>  some tools (e.g. http://www.cs.sfu.ca/~mori/research/gimpy/) seem to
>>  be able to break captchas with many different parameters.
>
> I meant to emphasize  ...enumerating lots of combinations of
> parameters .... __in your scheme?__
> In my experience it is easy to come up with some non-linear
> distortions, using lots of  parameters, but
> a combination of parameters which yield a still readable CAPTCHA is
> more difficult.
>
>>  Your project seems like an interesting alternative. I'd definitely
>>  like to see how the project turns out and how effective it is at
>>  stopping OCR-based attacks.
>
> Greg Mori (the gimpy link above) said about the
> http://preview.stephansmap.org/sign_up coffee-cup CAPTCHA, "It's a
> pretty good CAPTCHA". But I think it wouldn't last a year. There are
> more things you can do with photos, but first I should finish other
> details of that website (thanks all for signing up! :-)
>
> Those OCR-based attacks are sadly not publicly available (for good
> reasons), so I can't test it out.
>
> Another feature on the preview.stephansmap.org site, which I haven't
> seen elsewhere, is called "three-for-one-captcha". After solving one
> CAPTCHA the next two are filled out already. (The idea is, if someone
> pays for CAPTCHA solving/has an automatic solver, three-for-one or
> conventional "one-for-one" will not make any difference, while it
> saves effort for the honest human website visitor.)
>
> If anyone knows a CAPTCHA mailing list, please let me know.
>
> Stephan
>
>
> --
> Stephan Wehner
>
> -> http://stephan.sugarmotor.org
> -> http://www.thrackle.org
> -> http://www.buckmaster.ca
> -> http://www.trafficlife.com
> -> http://stephansmap.org
>
> ----------------------------------------------------------------------------
> Join us on IRC: irc.freenode.net #webappsec
>
> Have a question? Search The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/
>
> Subscribe via RSS:
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>
> Join WASC on LinkedIn
> http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>
>

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA



More information about the websecurity mailing list