Most Difficult Captcha Of All Time

Posted By: todd sharp | Posted At: July 26, 2007 8:28 AM | Posted In: ColdFusion


I was working with the new cfimage tag last night to help me create some simple CAPTCHAs for my new site. The docs have a pretty good example, but for some reason I was having issues getting the darn thing working. It kept throwing errors about the image not being wide enough. The docs explain it like this:
For the CAPTCHA image to display, the width value must be greater than: fontSize times the number of characters specified in text times 1.08.
So I kept increasing the size of my image and reducing the font until I finally got the darn thing to render. Here's what it looked like:

[Image: the generated CAPTCHA]

I very quickly realized what the problem was. To generate the text for the CAPTCHA I was creating a random string. To validate the CAPTCHA you hash that string and put the hashed value into a hidden form field. When the form is submitted, you hash the user's input and compare it with the hidden hash, accepting the submission if the two match. Apparently I had mistakenly plugged the hashed string, rather than the random string, into the cfimage tag, which produced the nearly impossible CAPTCHA above.

Comments (17)

duncan: This one here is on a similar difficulty scale, for a different reason (refresh it a few times):

http://random.irb.hr/signup.php

todd sharp: Sadly it's an image too. I'd venture to guess that even spam bots couldn't figure half of those out :)

Adam: Hi,
I didn't think you wanted to 'store' the hashed value inside the form. In effect this would allow somebody to visually work out the value, and then build their own form.

We had this problem with a number of spam bots. Once a human matched hash to value, they could submit as many times as they like. Of

Adam

Gary Gilbert: Hey Todd,

Why not just store your captcha in session scope? It's pretty secure.

By storing it in a hidden form field you "expose" your captcha for all to see. Ok so it's hashed but....

A few weeks ago I wrote a blog entry on the cf8 captcha.
http://www.garyrgilbert.com/blog/index.cfm/2007/7/...

Raymond Camden: One drawback to sessions though is that if you sit on a comment for a while before posting, your session will time out.

I think hashes are more than secure enough. You can break them with hash dictionaries, but that kind of attack would be pretty slow on a blog (afaik).

Adam: The issue is, does the hash value compared with the user input dictate success? If yes, then this is very simple for a spam bot to overcome, as they only have to 'store' the form once.

You can use session, you can even have a submission marker held in the application scope that is used up once a successful submit is retrieved.

TBH keeping the hash inside the form is a no-no in my books.

Raymond Camden: I may not get you. When I post, CF will take my text, hash it, and compare it to the hash in the hidden form field. How is that easy? A bot can't just copy the hash. It has to enter text that _will_ get hashed to the same value.

Raymond Camden: I will add one thing. Using the session scope and completely hiding the hash would be more secure. I just don't think it is much more secure, and it suffers from what I mentioned before. I just don't want folks to think I'm saying it isn't more secure.

Doug Hughes: Ray, the problem with putting the hash into the form is that you give the responsibility of telling the system what the hash *IS* as well as the unhashed string to the user.

Heck, here's a hashed string:
7ac66c0f148de9519b8bd264312c4d64

Here's the unhashed string:
abcdefg

I can simply submit whatever I want to your form. You've given me the ability to create not just the key, but the lock too.

Your system, if the hashed string is submitted from the form, has no way of knowing if this is the hash string you're supposed to be decoding.
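
The validation flow the post describes, beside a keyed variant that answers Doug's objection (the client can no longer supply both lock and key) and Adam's replay concern (a solved form cannot be stored and resubmitted) while keeping the answer out of the session as Ray wants. This is an added Python example, not the post's ColdFusion code; the server secret, CAPTCHA text, hidden-field format and MD5 choice for the weak scheme are assumptions made here.

```python
import hashlib
import hmac
import secrets
import time

# Constructed server-side secret for this example; load from config in practice.
SERVER_SECRET = b"constructed-example-secret"
TOKEN_TTL = 600  # seconds a challenge stays valid
_used_nonces = set()  # solved challenges; share this store across servers in practice


def weak_issue(captcha_text):
    """The post's scheme: the hidden field carries a plain hash of the answer
    (MD5 assumed, matching the 32-hex-digit hash in Doug's comment)."""
    return hashlib.md5(captcha_text.encode()).hexdigest()


def weak_verify(hidden_field, user_input):
    """Passes whenever hash(user_input) equals the hash the client sent back,
    so a client supplying its own (hash, answer) pair always passes."""
    return hashlib.md5(user_input.encode()).hexdigest() == hidden_field


def _tag(nonce, expiry, answer):
    """Keyed tag over nonce, expiry and answer; unforgeable without the secret."""
    msg = f"{nonce}|{expiry}|{answer}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def strong_issue(captcha_text, now=None):
    """Hidden field = nonce.expiry.tag; the answer itself never leaves the server
    and validity depends only on TOKEN_TTL, not on a live session."""
    now = int(time.time() if now is None else now)
    nonce = secrets.token_hex(8)
    expiry = now + TOKEN_TTL
    return f"{nonce}.{expiry}.{_tag(nonce, expiry, captcha_text)}"


def strong_verify(hidden_field, user_input, now=None):
    """Recomputes the tag from the client's answer; rejects malformed, expired
    or replayed tokens and marks a solved challenge as single-use."""
    now = int(time.time() if now is None else now)
    try:
        nonce, expiry_str, tag = hidden_field.split(".")
        expiry = int(expiry_str)
    except ValueError:
        return False
    if now > expiry or nonce in _used_nonces:
        return False
    if not hmac.compare_digest(tag, _tag(nonce, expiry, user_input)):
        return False
    _used_nonces.add(nonce)
    return True
```

With the weak scheme, Doug's pair (7ac66c0f148de9519b8bd264312c4d64, abcdefg) is accepted by any form; with the keyed scheme the same pair fails because the client cannot produce a tag under the server's secret.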

Raymond Camden: Ahhh. Ok. That makes sense to me then. Thanks!

Adam: This was a complete pain on a recent site as they were very very popular, so bots used it extensively.

TBH we also found Joe Public found captchas confusing. Eventually we turned it off and did some banned word analysis (as well as time taken to submit the form).

John Garcia: Speaking of CAPTCHAs, readers might be interested in reCAPTCHA, a project from Carnegie Mellon University. It's a cool concept to digitize scanned books and at the same time stop SPAM.
http://recaptcha.net/learnmore.html

Amir Hossain: Hi!!! Hope you are doing well. We are the leading data processing company in Bangladesh. Presently we are processing 300000+ captchas per day with our 55 operators. We have a good set-up and we can give a low rate for captcha solving.

Our rate is $2 per 1000 captchas.

We just wanna make a long-term relationship. Can we go forward? Thank you. (For inquiries: amir4@yours.com or
khoknaa@yahoo.com)

Best Regards
Amir Hossain Dewan
Data Home Ltd.
amir4@yours.com
khoknaa@yahoo.com

Raymond Camden: Wow, that's ballsy.

Ok folks, everyone copy and run:

<cfloop index="x" from="1" to="500">
<cfmail to="amir4@yours.com,khoknaa@yahoo.com" subject="Do not spam" from="khoknaa@yahoo.com">
Please do not spam!
</cfmail>
</cfloop>

Shane Zehnder: Since Ray is my hero, consider it done. ;P

cfSearching: Now that seems like a perfect job for a scheduled task... Hypothetically speaking, of course ;-)

Simian Antics: Nice to see your comment captcha is easier than that. For a really difficult captcha though, check here:

http://chimptron.com/?p=122