Most Difficult Captcha Of All Time

I was working with the new cfimage tag last night to help me create some simple CAPTCHAs for my new site. The docs have a pretty good example, but for some reason I was having issues getting the darn thing working. It kept throwing errors about the image not being wide enough. The docs explain it like this:

For the CAPTCHA image to display, the width value must be greater than: fontSize times the number of characters specified in text times 1.08.

So I kept increasing the size of my image and reducing the font until I finally got the darn thing to render. Here's what it looked like:

[Image: captcha]

I very quickly realized what the problem was. To generate the text for the CAPTCHA I was creating a random string. To validate the CAPTCHA you hash that string and plug the hashed value into a hidden form field. Then, when the form is submitted, you hash the user's input and compare it with the hashed string from the form; the CAPTCHA validates if they match. Apparently I had mistakenly plugged the hashed string, rather than the random string, into the cfimage tag, which led to the nearly impossible CAPTCHA.

Comments
This one here is on a similar difficulty scale, for a different reason (refresh it a few times):

http://random.irb.hr/signup.php
# Posted By duncan | 7/26/07 10:00 AM
Sadly it's an image too. I'd venture to guess that even spam bots couldn't figure half of those out :)
# Posted By todd sharp | 7/26/07 10:07 AM
Hi,
I didn't think you wanted to 'store' the hashed value inside the form. In effect this would allow somebody to visually work out the value, and then build their own form.

We had this problem with a number of spam bots. Once a human matched hash to value, they could submit as many times as they like. Of

Adam
# Posted By Adam | 7/26/07 10:45 AM
Hey Todd,

Why not just store your captcha in session scope? It's pretty secure.

By storing it in a hidden form field you "expose" your captcha for all to see. Ok so it's hashed but....

A few weeks ago I wrote a blog entry on the cf8 captcha.
http://www.garyrgilbert.com/blog/index.cfm/2007/7/...
# Posted By Gary Gilbert | 7/26/07 10:49 AM
One drawback to sessions though is that if you sit on a comment for a while before posting, your session will timeout.

I think hashes are more than secure enough. You can break them with hash dictionaries, but that kind of attack would be pretty slow on a blog (afaik).
# Posted By Raymond Camden | 7/26/07 10:54 AM
The issue is: does the hash value compared with the user input dictate success? If yes, then this is very simple for a spam bot to overcome, as they only have to 'store' the form once.

You can use session; you can even have a submission marker held in the application scope that is used up once a successful submit is retrieved.

TBH keeping the hash inside the form is a no-no in my books.
# Posted By Adam | 7/26/07 11:05 AM
I may not get you. When I post, CF will take my text, hash it, and compare it to the hash in the hidden form field. How is that easy? A bot can't just copy the hash. It has to enter text that _will_ get hashed to the same value.
# Posted By Raymond Camden | 7/26/07 11:09 AM
I will add one thing. Using the session scope and completely hiding the hash would be more secure. I just don't think it is much more secure, and it suffers from what I mentioned before. I just don't want folks to think I'm saying it isn't more secure.
# Posted By Raymond Camden | 7/26/07 11:10 AM
Ray, the problem with putting the hash into the form is that you give the responsibility of telling the system what the hash *IS* as well as the unhashed string to the user.

Heck, here's a hashed string:
7ac66c0f148de9519b8bd264312c4d64

Here's the unhashed string:
abcdefg

I can simply submit whatever I want to your form. You've given me the ability to create not just the key, but the lock too.

Your system, if the hashed string is submitted from the form, has no way of knowing if this is the hash string you're supposed to be decoding.
# Posted By Doug Hughes | 7/26/07 11:29 AM
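An added illustration of the two designs debated above, written in Python rather than the post's ColdFusion, and not code from the post or its commenters. It models the hidden-field scheme from the post next to the session-stored scheme the comments recommend; the session and form are plain dicts, and MD5 is used only because the 32-hex digest quoted above is MD5-shaped.

```python
import hashlib
import secrets
import string

# Constructed example: a CAPTCHA answer is a short random string shown in the image.
def make_captcha_text(length: int = 6) -> str:
    alphabet = string.ascii_uppercase + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))

def captcha_hash(text: str) -> str:
    # MD5 chosen to match the 32-hex digest quoted in the comments above.
    return hashlib.md5(text.encode()).hexdigest()

# --- Scheme 1: hash carried in a hidden form field (the post's approach) ---
def render_form_hidden_hash() -> dict:
    text = make_captcha_text()
    # "_image_text" stands in for what the cfimage tag would draw;
    # "captcha_hash" is the hidden field sent to the browser.
    return {"captcha_hash": captcha_hash(text), "_image_text": text}

def verify_hidden_hash(form: dict) -> bool:
    # Both the answer and the hash it is checked against arrive from the client,
    # so any self-consistent pair passes: the server has nothing of its own to compare to.
    return captcha_hash(form.get("captcha_input", "")) == form.get("captcha_hash", "")

# --- Scheme 2: answer kept server-side and consumed on first use ----------
def render_form_session(session: dict) -> str:
    text = make_captcha_text()
    session["captcha_text"] = text   # never leaves the server
    return text                      # what the image would display

def verify_session(session: dict, form: dict) -> bool:
    # pop() removes the challenge whether or not the attempt succeeds,
    # so a solved (or guessed) answer cannot be replayed.
    expected = session.pop("captcha_text", None)
    if expected is None:
        return False   # no outstanding challenge (e.g. session timed out)
    supplied = form.get("captcha_input", "")
    return secrets.compare_digest(expected.encode(), supplied.encode())
```

Scheme 2 also shows the trade-off Raymond raises: once the session expires the challenge is gone and verify_session returns False, so the form must be re-issued rather than silently accepted.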
Ahhh. Ok. That makes sense to me then. Thanks!
# Posted By Raymond Camden | 7/26/07 11:32 AM
This was a complete pain on a recent site as they were very very popular so bots used it extensively.

TBH we also found Joe Public found captchas confusing. Eventually we turned it off and did some banned word analysis (as well as time taken to submit the form).
# Posted By Adam | 7/26/07 11:53 AM
Speaking of CAPTCHAs, readers might be interested in reCAPTCHA, a project from Carnegie Mellon University. It's a cool concept to digitize scanned books and at the same time stop SPAM.
http://recaptcha.net/learnmore.html
# Posted By John Garcia | 7/27/07 5:10 PM
Hi!!! Hope you are doing well. We are the leading data processing company in Bangladesh. Presently we are processing 300000+ captchas per day with our 55 operators. We have a well set up and we can give a low rate for the captcha solving.

Our rate $2 per 1000 captcha.

We just wanna make the relationship for long terms. can we go forward? Thank you, (For inquiry amir4@yours.com or
khoknaa@yahoo.com)

Best Regards
Amir Hossain Dewan
Data Home Ltd.
amir4@yours.com
khoknaa@yahoo.com
# Posted By Amir Hossain | 3/25/08 10:56 AM
Wow, that's ballsy.

Ok folks, everyone copy and run:

<cfloop index="x" from="1" to="500">
<cfmail to="amir4@yours.com,khoknaa@yahoo.com" subject="Do not spam" from="khoknaa@yahoo.com">
Please do not spam!
</cfmail>
</cfloop>
# Posted By Raymond Camden | 3/25/08 11:03 AM
Since Ray is my hero, consider it done. ;P
# Posted By Shane Zehnder | 3/26/08 12:57 PM
Now that seems like a perfect job for a scheduled task.. Hypothetically speaking of course ;-)
# Posted By cfSearching | 3/26/08 1:26 PM