Old 04-06-2007, 02:05 AM
genzy
Let's talk about CAPTCHA - humans vs. robots/encoding vs. decoding

This is a place to talk about CAPTCHA.

[Encoding]
CAPTCHA - Wikipedia, the free encyclopedia
http://en.wikipedia.org/wiki/Captcha

http://www.captcha.net/
Quote:
CAPTCHA: Telling Humans and Computers Apart Automatically

A CAPTCHA is a program that can generate and grade tests that humans can pass but current computer programs cannot. For example, humans can read distorted text as the one shown below, but current computer programs can't:
CAPTCHA example

The term CAPTCHA (for Completely Automated Turing Test To Tell Computers and Humans Apart) was coined in 2000 by Luis von Ahn, Manuel Blum, Nicholas Hopper and John Langford of Carnegie Mellon University. At the time, they developed the first CAPTCHA to be used by Yahoo.
(Highly recommended to read) Escape from CAPTCHA by Matt May
http://www.w3.org/2004/Talks/0319-cs.../Overview.html

(Highly recommended to read)
Inaccessibility of CAPTCHA
Alternatives to Visual Turing Tests on the Web
W3C Working Group Note 23 November 2005
http://www.w3.org/TR/turingtest/

Spam-bot tests flunk the blind
http://news.com.com/2100-1032-1022814.html

[Decoding]
PWNtcha - captcha decoder
http://sam.zoy.org/pwntcha/
Quote:
PWNtcha stands for "Pretend We’re Not a Turing Computer but a Human Antagonist", as well as PWN capTCHAs. This project’s goal is to demonstrate the inefficiency of many captcha implementations.
phpBB CAPTCHA is easily decoded by PWNtcha.

vBulletin CAPTCHA is easily decoded by PWNtcha.
Decoding EZ-Gimpy
http://www.cs.sfu.ca/~mori/research/...igh_level.html
Quote:
High Level Description
1. EZ-Gimpy
Our algorithm for breaking EZ-Gimpy consists of 3 main steps:
1. Locate possible letters at various locations
2. Construct graph of consistent letters
3. Look for plausible words in the graph
Using AI to beat CAPTCHA and post comment spam
http://www.brains-n-brawn.com/defaul...vDir=aicaptcha

Breaking CAPTCHAs Without Using OCR
*** Through the Session ID
http://www.puremango.co.uk/cm_breaking_captcha_115.php
Quote:
Breaking CAPTCHAs Without Using OCR
For my own PHP CAPTCHA implementation, click here:
http://www.puremango.co.uk/cm_php_ca...script_113.php

This article details a method I have discovered to bypass CAPTCHA security, without having to use Optical Character Recognition software.

Most CAPTCHAs don't destroy the session when the correct phrase is entered. So by reusing the session id of a known CAPTCHA image, it is possible to automate requests to a CAPTCHA-protected page.

I have tested a number of free and commercial CAPTCHA scripts, and most of them are vulnerable to this method of exploitation. This includes the popular humanVerify solution, and many others.

manual steps:
connect to captcha page
record session ID and captcha plaintext

automated steps:
resend session ID and CAPTCHA plaintext any number of times, changing the user data, e.g.:
POST /vuln_script.php HTTP/1.0
Cookie: PHPSESSID=329847239847238947;
^^^ this is the session id of the page you looked at manually
Content-Length: 49
Connection: close;

name=bob&email=bob@fish.com&captcha=the_plaintext
^^^ this includes the captcha string for the page you looked at manually

the other user data can change on each request

you can then automate hundreds, if not thousands of requests, until the session expires, at which point you just repeat the manual steps and then reconnect with a new session id and captcha text.

This is -easy- to fix, here's the vulnerable pseudocode:

if form_submitted and captcha_stored!="" and captcha_sent=captcha_stored then
    process_form();
endif

fixed pseudocode:

if form_submitted and captcha_stored!="" and
   captcha_sent=captcha_stored then
    captcha_stored="";
    process_form();
endif

- it's a one line fix!
http://linus.com/2003/05/cool-new-captcha-hack.html
Quote:
Cool new CAPTCHA hack

The CAPTCHA Project at CMU defines CAPTCHAs as a program that can generate and grade tests that most humans can pass but current computer programs cannot. CAPTCHAs are used to protect things from programmatic abuse (think spam). Not a bad idea, but I just got a note from Bryce Jasmer describing a cool new way to defeat them:

I just heard a story about some system that someone has created in order to pass the Turing tests and create thousands of spam launching email addresses at hotmail.com, yahoo.com, etc.

You create a website with a bunch of porn on it. You serve up an image at the same time you try to create a yahoo email account. You snag the Turing test image, put it on your page of porn and have the user type in the results in order to see the next porn image. You take the result and feed it back to yahoo, and you have your automatically created account.
Spammers hack captcha to post blog spam comments?
http://blog.tmcnet.com/blog/tom-keat...m-comments.asp
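The session-ID replay weakness quoted above from the puremango article, and its fix, modelled as an added example (this code is not from the original post, from the quoted article, or from any CAPTCHA library). The in-memory session store, the `vulnerable_submit` / `fixed_submit` / `replay` functions and the sample CAPTCHA answer are constructed for illustration. `fixed_submit` follows the article's one-line fix (clear the stored answer once it has been checked) and adds two defensive choices of its own: the stored answer is cleared on every attempt, not only on success, so one rendered image is good for exactly one guess, and the answer expires after a fixed time.

```python
"""Added example: replaying one session ID and CAPTCHA answer against a
verifier that forgets to invalidate the answer, versus one that does."""
import hmac
import secrets
import time
from typing import Callable, Dict, List, Optional, Tuple

# Constructed in-memory session store: session_id -> session data.
SESSIONS: Dict[str, dict] = {}
CAPTCHA_TTL_SECONDS = 300  # assumed lifetime of a rendered CAPTCHA


def issue_captcha(session_id: str, plaintext: str, now: Optional[float] = None) -> None:
    """Server side: remember the answer for the image it just rendered."""
    now = time.time() if now is None else now
    session = SESSIONS.setdefault(session_id, {})
    session["captcha"] = plaintext
    session["captcha_issued_at"] = now


def vulnerable_submit(session_id: str, captcha_sent: str, form: dict, accepted: List[dict]) -> bool:
    """Mirrors the vulnerable pseudocode: the stored answer is compared but
    never cleared, so the same (session ID, plaintext) pair passes forever."""
    session = SESSIONS.get(session_id, {})
    stored = session.get("captcha", "")
    if stored != "" and captcha_sent == stored:
        accepted.append(form)  # stands in for process_form()
        return True
    return False


def fixed_submit(session_id: str, captcha_sent: str, form: dict, accepted: List[dict],
                 now: Optional[float] = None) -> bool:
    """Mirrors the fixed pseudocode (captcha_stored = "" before processing),
    plus this example's own additions: clear on any attempt, expire old
    answers, and compare in constant time."""
    now = time.time() if now is None else now
    session = SESSIONS.get(session_id)
    if session is None:
        return False
    stored = session.get("captcha", "")
    issued_at = session.get("captcha_issued_at", 0.0)
    # Invalidate first: a wrong guess also burns the image, so a bot cannot
    # keep guessing against one stored answer.
    session["captcha"] = ""
    if stored == "":
        return False
    if now - issued_at > CAPTCHA_TTL_SECONDS:
        return False
    if not hmac.compare_digest(captcha_sent.encode(), stored.encode()):
        return False
    accepted.append(form)
    return True


def replay(submit: Callable[..., bool], session_id: str, plaintext: str, attempts: int) -> int:
    """Resend the same session ID and CAPTCHA answer `attempts` times with
    different form data (the article's automated step) and return how many
    submissions the server accepted."""
    accepted: List[dict] = []
    for i in range(attempts):
        form = {"name": f"bob{i}", "email": f"bob{i}@example.invalid"}  # constructed
        submit(session_id, plaintext, form, accepted)
    return len(accepted)


def demo() -> Tuple[int, int]:
    """Accepted submissions out of 100 replays: vulnerable vs fixed verifier."""
    sid = secrets.token_hex(16)
    answer = "x7k2pq"  # constructed CAPTCHA plaintext
    issue_captcha(sid, answer)
    vulnerable_hits = replay(vulnerable_submit, sid, answer, 100)
    issue_captcha(sid, answer)  # fresh image for the fixed verifier
    fixed_hits = replay(fixed_submit, sid, answer, 100)
    return vulnerable_hits, fixed_hits


if __name__ == "__main__":
    print("accepted (vulnerable, fixed):", demo())  # (100, 1)
```

Running `demo()` shows the whole point of the article's fix: the vulnerable verifier accepts all 100 replays of one solved image, the fixed one accepts exactly the first. Clearing the answer before `process_form()` rather than after also means a crash or early return inside form processing cannot leave a still-valid answer behind.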