Some of the applications we test have a few pages that take in data without authenticating the user. These include 'subscription request forms', 'feedback forms' and 'contact support' forms. It's well-known that bots can create a nuisance by making repeated submissions on these simple forms.
Sometimes, it's more than just a nuisance.
An attacker could overwhelm a support queue by flooding it with a large number of fake requests, burying the genuine ones.
A 'subscription request form' that sends a verification email for every request can be abused to send a flood of verification mails to innocent addresses, repeatedly, making the site the source of unsolicited mail.
In November, Andres showed how to use Captchas to protect against automated abuse like this. Basically, a Captcha foils a bot by posing a challenge that a human can answer easily but a program cannot, such as reading distorted random text.
Yesterday, a reader asked how one implements Captchas in practice. There are several solutions available, depending on the platform the application is written in.
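Whatever library renders the image, the server-side half of a Captcha is the same everywhere, and that is the part that gets implemented badly. The sketch below is an added example written for this post, not code from any of the applications or libraries mentioned above. It leaves out the image rendering (the answer returned by `issue()` is what you would hand to your image library to distort) and shows the three checks the verification step must make: the answer never travels to the browser in readable form (only an HMAC over it does), a challenge expires, and a challenge is burned after one attempt whether or not that attempt was correct, so a bot cannot guess repeatedly against the same image or replay a solved one on every form submission. The secret key, the 300-second lifetime and the `CaptchaStore` name are all assumptions of this example.

```python
import hashlib
import hmac
import secrets
import time

# Assumption: a per-deployment key loaded from configuration; generated here so the example runs stand-alone.
SECRET_KEY = secrets.token_bytes(32)
CHALLENGE_TTL = 300  # seconds a challenge stays valid (assumed value)
# Alphabet without look-alike characters (0/O, 1/I/L) so humans are not penalised.
ALPHABET = "ABCDEFGHJKMNPQRSTUVWXYZ23456789"


class CaptchaStore:
    """Issues and verifies Captcha challenges; the answer itself never leaves the server."""

    def __init__(self, secret=SECRET_KEY, ttl=CHALLENGE_TTL, now=time.time):
        self.secret = secret
        self.ttl = ttl
        self.now = now            # injectable clock so expiry can be tested
        self.used = {}            # token -> expiry, for single-use enforcement

    def _mac(self, nonce, expires, answer):
        # Bind the answer to a nonce and an expiry; without the key nobody can forge or alter it.
        msg = f"{nonce}|{expires}|{answer.upper()}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()

    def issue(self):
        """Return (answer, token). Render `answer` as a distorted image; put only `token` in a hidden field."""
        answer = "".join(secrets.choice(ALPHABET) for _ in range(6))
        nonce = secrets.token_hex(8)
        expires = int(self.now()) + self.ttl
        token = f"{nonce}.{expires}.{self._mac(nonce, expires, answer)}"
        self._prune()
        return answer, token

    def _prune(self):
        # Forget burned tokens once they are expired anyway; keeps the set bounded.
        now = self.now()
        for tok in [t for t, exp in self.used.items() if exp < now]:
            del self.used[tok]

    def verify(self, token, response):
        """True only for a well-formed, unexpired, never-before-tried token with the right answer."""
        try:
            nonce, expires_s, mac = token.split(".")
            expires = int(expires_s)
        except ValueError:
            return False                      # malformed hidden field
        if self.now() > expires:
            return False                      # stale challenge
        if token in self.used:
            return False                      # replay, or a second guess at the same image
        self.used[token] = expires            # burn it before checking, so a wrong guess also consumes it
        expected = self._mac(nonce, expires, (response or "").strip())
        return hmac.compare_digest(expected, mac)


if __name__ == "__main__":
    store = CaptchaStore()
    answer, token = store.issue()
    print("would render:", answer)
    print("correct answer accepted:", store.verify(token, answer))
    print("same token again (replay):", store.verify(token, answer))
```

On a real form, `token` goes into a hidden input next to the text box the user types into, and the handler calls `verify()` with both before it touches the feedback queue or sends any verification email. Because the token only carries an HMAC of the answer, an attacker who harvests the HTML learns nothing they can solve offline, and because a token is consumed on its first use, a bot that pays a human (or an OCR service) to solve one image gets exactly one submission out of it.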