Ready-to-use Captcha implementations

By Paladion

September 24, 2005

Some of the applications we test have a few pages that take in data without authenticating the user. These include 'subscription request', 'feedback' and 'contact support' forms. It is well known that bots can create a nuisance by making repeated submissions on these simple forms.

Sometimes, it's more than just a nuisance.

  • An attacker could overwhelm the queue of support queries by flooding it with a large number of fake requests.
  • A 'subscription request form' that sends a verification email for each subscription request could be abused to repeatedly send a flood of verification emails to innocent email IDs.

In November, Andres showed how to use Captchas to protect against automated brute force attacks like these. Basically, a Captcha foils a bot by posing a question that humans can answer easily but that a software program fails at. An example is reading distorted random text.

Yesterday, a reader asked how one implements Captchas in practice. There are several solutions available, depending on the platform the application is written in.

Lanap BotDetect is a commercial solution for ASP and ASP.Net developers. JCaptcha is a Java framework for implementing Captchas. Authen-captcha is a Perl implementation. The Image Verification tutorial shows how to write your own Captcha implementation using PHP.
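Whichever implementation is used, the server-side handling of the challenge decides whether the Captcha actually stops repeated submissions. The sketch below is an added example, not code from the original post or from any of the products listed above; the names `CaptchaStore`, `issue` and `verify` are hypothetical, the store is in-memory, and rendering the answer as a distorted image is left out.

```python
import hmac
import secrets
import time

# Alphabet without look-alike characters (0/O, 1/I/L) so distorted text stays readable.
ALPHABET = "ABCDEFGHJKMNPQRSTUVWXYZ23456789"


class CaptchaStore:
    """Server-side store of pending challenges (hypothetical helper, in-memory)."""

    def __init__(self, ttl_seconds=120, length=6, clock=time.monotonic):
        self.ttl = ttl_seconds
        self.length = length
        self.clock = clock
        self._pending = {}  # challenge_id -> (answer, expires_at)

    def issue(self):
        """Create a challenge and return (challenge_id, answer).

        Only challenge_id goes into the form as a hidden field. The answer is
        rendered as a distorted image and is never sent to the client as text.
        """
        answer = "".join(secrets.choice(ALPHABET) for _ in range(self.length))
        challenge_id = secrets.token_urlsafe(16)
        self._pending[challenge_id] = (answer, self.clock() + self.ttl)
        return challenge_id, answer

    def verify(self, challenge_id, response):
        """Check a submitted response. Each challenge can be checked only once."""
        # pop() makes the challenge single-use: a wrong guess or a replayed
        # correct answer both force the client to fetch a fresh challenge.
        entry = self._pending.pop(challenge_id, None)
        if entry is None:
            return False
        answer, expires_at = entry
        if self.clock() > expires_at:
            return False
        submitted = response.strip().upper().encode()
        # Constant-time comparison of the normalised response and the answer.
        return hmac.compare_digest(submitted, answer.encode())
```

The form handler should call `verify` before doing any work such as queuing the support request or sending the verification email, and reject the submission when it returns `False`.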

Recently, there has been renewed interest in breaking captchas. PWNtcha has details of visual captchas they have broken.

