Ready-to-use Captcha implementations

By Paladion

September 24, 2005

Some of the applications we test have a few pages that take in data without authenticating the user. These include 'subscription request forms', 'feedback forms' and 'contact support' forms. It's well-known that bots can create a nuisance by making repeated submissions on these simple forms.

Sometimes, it's more than just a nuisance.

  • An attacker could overwhelm the queue of support queries by flooding it with a large number of fake requests.
  • A 'subscription request form' that sends a verification email for each subscription request could be abused to send a flood of verification mails to innocent email addresses, repeatedly.

In November, Andres showed how to use Captchas to protect against automated brute force attacks like these. Basically, a Captcha foils a bot by posing a challenge that a human can answer easily but that a software program fails at. An example is reading distorted random text.

Yesterday, a reader asked how one implements Captchas in practice. There are several solutions available, depending on the platform the application is written in.

Lanap BotDetect is a commercial solution for ASP and ASP.Net developers. JCaptcha is a Java framework for implementing Captchas. Authen-captcha is a Perl implementation. The Image Verification tutorial shows how to write your own Captcha implementation using PHP.
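Whichever library draws the image, the part that actually keeps bots out is the server-side bookkeeping around the challenge. The following is an added example, not code from this post or from any of the products named above: the `CaptchaStore` class, its 300-second challenge lifetime and the one-attempt-per-challenge rule are assumptions of this example, and rendering the text as a distorted image is left to a graphics library.

```python
import hmac
import secrets
import string
import time

# Challenge text is drawn from an unambiguous alphabet; rendering it as a
# distorted image is the job of whatever image library the platform offers.
ALPHABET = string.ascii_uppercase + string.digits
CHALLENGE_TTL = 300  # seconds a challenge stays valid (assumed value)


class CaptchaStore:
    """Issues one-time Captcha challenges and verifies answers against them."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry can be tested
        self._pending = {}         # challenge id -> (expected text, issued_at)

    def issue(self, length=6):
        """Create a fresh challenge and return (challenge_id, text).

        Only the id goes to the client (e.g. as a hidden form field); the text
        reaches the client solely as a rendered image, never in clear.
        """
        text = "".join(secrets.choice(ALPHABET) for _ in range(length))
        cid = secrets.token_urlsafe(16)
        self._pending[cid] = (text, self._now())
        return cid, text

    def verify(self, cid, answer):
        """Check an answer against its challenge.

        The challenge is consumed on the first attempt, right or wrong, so a
        bot cannot replay a solved image or guess repeatedly at the same one.
        """
        entry = self._pending.pop(cid, None)
        if entry is None:
            return False           # unknown, replayed or already-used challenge
        expected, issued_at = entry
        if self._now() - issued_at > CHALLENGE_TTL:
            return False           # expired; the form must fetch a new challenge
        # Case-insensitive, constant-time comparison: distorted text is hard
        # to case, and the compare should not leak how many characters match.
        return hmac.compare_digest(expected.encode(),
                                   answer.strip().upper().encode())
```

On a form that fails verification, the handler should re-issue a new challenge rather than re-display the old image.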

Recently, there has been renewed interest in breaking Captchas. The PWNtcha project has details of the visual Captchas it has broken, which is a reminder that a Captcha is only as strong as the distortion its image generator applies.
