[WEB SECURITY] Fake Captcha Protection

Bil Corry bil at corry.biz
Thu May 8 15:31:14 EDT 2008


Stephan Wehner wrote on 5/7/2008 11:52 AM: 
> I recently put together a CAPTCHA using background photos, see
> http://preview.stephansmap.org/sign_up
> Here defining the placement of the CAPTCHA text is a manual step
> (selecting suitable photos as well)

For attacks that are manually configured against your solution, the issue is there would be a finite number of images; and within each image there would be a single area for text placement. It wouldn't be too hard to detect which image is being used and have the attack crop the area that contains the text and work just on it.

For example, in the case of your coffee cup example, since the text color doesn't vary and the area the text is positioned in doesn't vary, one could do this using ImageMagick:

	convert test.jpg -crop 155x50+75+105 ( +clone -matte -fuzz 10% -transparent "#505050" -fill white -colorize 100% ) -composite test1.jpg

To illustrate, when challenged with this:

	<http://corry.biz/tmp/test.jpg>

It becomes this, which can then be fed into OCR software:

	<http://corry.biz/tmp/test1.jpg>


- Bil
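The weakness Bil describes is that every challenge built on a given photo shares one text box and one glyph colour. The following is an added example (not code from the thread or from stephansmap.org) that models served challenges and audits a sample of them for exactly that property, so a site owner can check their own generator; the `randomized_challenge` variant, the canvas size and the `Challenge` record are assumptions for illustration.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Challenge:
    """One served CAPTCHA: background photo, where the text box sits, glyph colour."""
    image_id: str
    box: tuple   # (x, y, width, height) in pixels
    color: str   # glyph fill colour as "#rrggbb"


def fixed_layout_challenge(image_id):
    # The scheme in the mail: per photo, one hand-picked box and one colour
    # (box and colour taken from the crop command quoted above).
    return Challenge(image_id, (75, 105, 155, 50), "#505050")


def randomized_challenge(image_id, rng, canvas=(400, 300), text_size=(155, 50)):
    # Hypothetical hardened variant: box position and colour drawn afresh per challenge.
    w, h = text_size
    x = rng.randrange(0, canvas[0] - w + 1)
    y = rng.randrange(0, canvas[1] - h + 1)
    color = "#%02x%02x%02x" % tuple(rng.randrange(256) for _ in range(3))
    return Challenge(image_id, (x, y, w, h), color)


def randomized_sample(image_id, n, seed=0):
    rng = random.Random(seed)
    return [randomized_challenge(image_id, rng) for _ in range(n)]


def audit(challenges, min_samples=2):
    """Map image_id -> attributes that never varied across the sampled challenges.

    "box" listed means the text region can be cropped blind once the photo is
    recognised; "color" means the glyphs can be colour-keyed blind. Images seen
    fewer than min_samples times are skipped, since one observation proves nothing.
    """
    seen = {}
    for c in challenges:
        entry = seen.setdefault(c.image_id, {"n": 0, "box": set(), "color": set()})
        entry["n"] += 1
        entry["box"].add(c.box)
        entry["color"].add(c.color)
    findings = {}
    for image_id, e in seen.items():
        if e["n"] < min_samples:
            continue
        constant = [attr for attr in ("box", "color") if len(e[attr]) == 1]
        if constant:
            findings[image_id] = constant
    return findings
```

Run `audit` over a log of challenges actually served (image id, text box, colour); any image that comes back with "box" or "color" is one where the crop-and-key step needs no per-challenge work.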

