Who Turgled?

Stopping Spam: CAPTCHA Techniques

An ongoing struggle in web application development is preventing apps from being vulnerable to exploitation by bots while keeping them friendly for the average user. It used to be standard to slap a string of garbled text on the screen and ask users to interpret it. However, as bots grow more sophisticated, images have become increasingly difficult for legitimate users to decipher, while proving increasingly ineffective at preventing malicious responses. While this approach has been abandoned even by the popular reCAPTCHA service, a number of new, more effective and more user-friendly techniques have emerged.

Math Problem

mathCaptchaExample

At first glance this may seem overly simple to prevent any sort of attack. However, there a few key elements that can make this kind of CAPTCHA effective.

The first is to disguise the markup used for the label and input elements:

Marking up the field as a “url” field will cause many spam bots to simply attempt to enter their URL into the field. You’ll next notice there are no actual numbers in the math problem. The numbers are inserted through CSS psuedo elements:

Even if a bot parsed the text on the page to determine the input was a CAPTCHA looking for a number, it wouldn’t be able to determine the numbers to solve the problem. Without parsing the CSS associated with the page, the numbers are completely invisible to any script parsing the HTML (psuedo-elements cannot be directly accessed or modified through JavaScript).

This certainly wouldn’t protect against any targeted attack, but for any small cite trying to deter blanket spam attack, this a method is simple for users to solve and difficult for bots to bypass. In addition, further security could be added by dynamically inserting numbers into the CSS.

The same effect can also be accomplished by asking the user other trivial questions.

Checkbox

This CAPTCHA solution involves simply asking the user to check a certain check box input indicating they are human. While this again might seem like an ineffectively simple solution, it would be difficult for a box to interpret text asking them if they are human or not. In fact, this is the basic method employed by Google’s new reCAPTCHA service.

A variation on this would could involve asking the user to un-check a checkbox that is checked by default.

Slider

Even more difficult for the majority of bots to bypass is a simple slider widget. While such a widget is trivially simple for humans using a touch screen or mouse, it is no simple task for a bot to emulate the same behavior. A slider can be implemented through the QapTcha jQuery plugin.

reCAPTCHA (and other services)no-captcha

In addition to reCAPTCHA, there are a number of services that provide more advance security. Combining one of the above techniques or more involved tests (at least from a technical perspective), these services provide enhance protection from even targeted attacks. This is useful in situations where your site or application may be specifically targeted and the above techniques are easily identify and accounted for by the attacker.

Ineffective and Obsolete Methods

There are few CAPTCHA methods that are no longer considered effective or that carry significant disadvantages.

Honeypot

A “honeypot” field is a field hidden with CSS and marked up to appear to bots a certain type of input, a company name for example, but that is validated to be empty to submit the form. While still effective, these fields can pose significant problems to screen readers, making the form inaccessible to who use them.

Traditional CAPTCHA

recaptcha-example

While once a staple of web forms, these services have been largely rendered obsolete as they become increasingly difficult for people to solve while increasingly easy for computers. Many sites still misguidedly employ these puzzles, but they should be avoided.

Leave a Reply

Your email address will not be published. Required fields are marked *