[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [WEB SECURITY] Fake Captcha Protection

From: "Rohit Lists" <rklists@xxxxxxxxx>
Subject: Re: [WEB SECURITY] Fake Captcha Protection
Date: Wed, 7 May 2008 19:27:11 -0400

If I understand your question correctly, you're asking what would stop
the attacking tool from enumerating all the possible combinations of
parameters - that's a good point, and I suppose it depends on how many
combinations are actually offered. On the other hand, it looks like
some tools (e.g. http://www.cs.sfu.ca/~mori/research/gimpy/) seem to
be able to break captchas with many different parameters.

Your project seems like an interesting alternative. I'd definitely
like to see how the project turns out and how effective it is at
stopping OCR-based attacks.

Cheers,

Rohit

On Wed, May 7, 2008 at 12:52 PM, Stephan Wehner <stephanwehner@xxxxxxxxx> wrote:
> On Tue, May 6, 2008 at 9:52 PM, Rohit Lists <rklists@xxxxxxxxx> wrote:
>
>  >  If you were so inclined, you could change the parameters (and
>  >  therefore the style of the image) on a regular basis to force a cat
>  >  and mouse game for image analysis tools. This may not stop a
>
>  You mean the administrator changes the parameters ? On what basis
>  could that step not be automated in your scheme?
>
>  I recently put together a CAPTCHA using background photos, see
>  http://preview.stephansmap.org/sign_up
>  Here defining the placement of the CAPTCHA text is a manual step
>  (selecting suitable photos as well)
>
>  Stephan
>
>  --
>  Stephan Wehner
>
>  -> http://stephan.sugarmotor.org
>  -> http://www.thrackle.org
>  -> http://www.buckmaster.ca
>  -> http://www.trafficlife.com
>  -> http://stephansmap.org
>
>
>
>  ----------------------------------------------------------------------------
>  Join us on IRC: irc.freenode.net #webappsec
>
>  Have a question? Search The Web Security Mailing List Archives:
>  http://www.webappsec.org/lists/websecurity/
>
>  Subscribe via RSS:
>  http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>
>

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA

Follow-Ups:
- Re: [WEB SECURITY] Fake Captcha Protection
  - From: Stephan Wehner

References:
- Re: [WEB SECURITY] Fake Captcha Protection
  - From: Rohit Lists
- Re: [WEB SECURITY] Fake Captcha Protection
  - From: Stephan Wehner

Prev by Date: [WEB SECURITY] Re: Odd XSS Exploit
Next by Date: Re: [WEB SECURITY] Fake Captcha Protection
Previous by thread: Re: [WEB SECURITY] Fake Captcha Protection
Next by thread: Re: [WEB SECURITY] Fake Captcha Protection
Index(es):
- Date
- Thread

Brought to you by http://www.webappsec.org
Search this site