CAPTCHA

What is CAPTCHA?

  • Stands for Completely Automated Public Turing Test To Tell Computers and Humans Apart.
  • A program that can tell whether its user is a human or a computer.
  • In terms of Web applications, it is an automated process for determining whether an internet form submission is completed by a legitimate human user or a malicious bot.
  • The term was formalized in 2000 by Luis von Ahn, Manuel Blum, Nicholas Hopper and John Langford of Carnegie Mellon University.

Why Do We Need CAPTCHA?

  • A website needs to provide an HTML form for visitors to send input.
  • HTTP does not distinguish between human & machine users.
  • Malicious and anonymous spam bots can be automated and distributed.

Applications of CAPTCHA

  • Preventing blog spam.
  • Protecting website registrations from spam.
  • Protecting online polls from spam.
  • Preventing dictionary attacks in password cracking.
  • Preventing unwanted crawling by search engine bots.

General Approaches

  • Textual: ASCII/Unicode
  • Visual: image, animation, 3-D
  • Audio: speech
  • Combinations of all above

Text approach

  • Change text to look-alike: SPAM is $P4M.
  • Accented or non-English chars: Späm
  • Chars to words: uce@ftc.gov --> uce at ftc dot gov
  • URL/HTML codes: COPY becomes ¢0Ρ¥ or %430P%59
  • Better than nothing, but easy to crack
  • Technically it is not CAPTCHA.
  • Session cookies?
  • Demo 1

Image Approach

  • An image can make automated detection harder through channel distortions, random rotation, and binary noise.
  • If the image is too simple, OCR can crack it; if it is too complex or has too much noise, humans cannot read it.
  • To beat OCR, vary the position, warp, noise, background, colors, overlap, randomness, font, angles, language, and methods used.
  • Show filtered photos as well as words
  • Can deny accessibility to vision-impaired
  • Demo 2

Facts

  • Even the simplest CAPTCHA can beat the vast majority of scripts.
  • Even the best CAPTCHA can be cracked by dedicated, sophisticated coders.
  • Weigh strength vs. cost (compute cycles, bandwidth, dollars).
  • Be careful not to violate accessibility laws or open new holes.

Develop CAPTCHA Applications in ASP.net 

  • Develop/download a CAPTCHA control and use an .axd handler to serve the resources embedded in the control.
    1. Add the control as a new reference.
    2. Add a new key to the web.config file:
        <system.web>
          <httpHandlers>
            <add verb="GET" path="CaptchaImage.axd" type="MSCaptcha.captchaImageHandler, MSCaptcha" />
          </httpHandlers>
        </system.web>
    3. Register the control on the .aspx page:
      <%@ Register Assembly="CaptchaControlName" Namespace="CaptchaControlNamespace" TagPrefix="CaptchaTagPrefix" %>
    4. Add the CAPTCHA control on the .aspx page:
      <CaptchaTagPrefix:CaptchaControlName ID="CaptchaControlID" runat="server" ... />
    5. Write the validation code:
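      Protected Sub btnValidation_Click(ByVal sender As Object,
             ByVal e As System.EventArgs)
            ' Check the text the user typed against the challenge the control issued.
            ' Assumes the (placeholder-named) validation function returns a Boolean.
            If CaptchaControlID.CaptchaControlValidationFunctionName(txtCaptcha.Text.Trim()) Then
                 lblMessage.Text = "Correct"
            Else
                 lblMessage.Text = "Wrong"
            End If
      End Sub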
    6. Demo 3
  • Develop CAPTCHA code in an .ashx generic handler to process the request/response.
    1. Write/download a program that renders a bitmap image as the content output using the Graphics class in the System.Drawing namespace. The created bitmap object can be converted to a byte array and displayed in the page.
    2. Include a generic handler that can render the content of a session variable as an image. 
    3. In the .aspx page, drag an Image control and textbox control to enter the displayed code. With the help of custom validator control, validate the user input with the session variable content. 
    4. Demo 4
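
The session-based procedure above, as an added example (not code from the original page or from any CAPTCHA control it mentions): a generic handler class that stores a random code in the session and renders it as a PNG, plus a single-use check for the custom validator. The class name CaptchaImage, the session key "CaptchaCode" and the Verify helper are assumptions made for illustration.

```vb
Imports System.Drawing
Imports System.Drawing.Imaging
Imports System.IO
Imports System.Security.Cryptography
Imports System.Web
Imports System.Web.SessionState

' Hypothetical generic handler class (the code behind an .ashx file).
Public Class CaptchaImage
    Implements IHttpHandler, IRequiresSessionState   ' required to use Session in a handler
    Private Const SessionKey As String = "CaptchaCode"                      ' assumed key name
    Private Const Alphabet As String = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"   ' no 0/O or 1/I

    Public Sub ProcessRequest(ByVal context As HttpContext) Implements IHttpHandler.ProcessRequest
        ' Draw the code from a CSPRNG; System.Random output is predictable.
        Dim raw(5) As Byte
        Using rng As RandomNumberGenerator = RandomNumberGenerator.Create()
            rng.GetBytes(raw)
        End Using
        Dim chars(5) As Char
        For i As Integer = 0 To 5
            chars(i) = Alphabet.Chars(raw(i) Mod Alphabet.Length)   ' 32 symbols: no modulo bias
        Next
        Dim code As New String(chars)
        context.Session(SessionKey) = code   ' the answer is kept server-side only
        Using bmp As New Bitmap(160, 50), ms As New MemoryStream()
            Using g As Graphics = Graphics.FromImage(bmp), f As New Font("Arial", 24, FontStyle.Bold)
                g.Clear(Color.White)
                g.DrawString(code, f, Brushes.Black, 10.0F, 5.0F)   ' add warp and noise here
            End Using
            bmp.Save(ms, ImageFormat.Png)
            context.Response.ContentType = "image/png"
            context.Response.Cache.SetCacheability(HttpCacheability.NoCache)   ' never reuse an image
            context.Response.BinaryWrite(ms.ToArray())
        End Using
    End Sub

    ' Called from the CustomValidator's ServerValidate handler on the .aspx page.
    Public Shared Function Verify(ByVal session As HttpSessionState, ByVal input As String) As Boolean
        Dim expected As String = TryCast(session(SessionKey), String)
        session.Remove(SessionKey)   ' single use: a wrong guess or a replay needs a new image
        Return expected IsNot Nothing AndAlso input IsNot Nothing AndAlso
            String.Equals(expected, input.Trim(), StringComparison.OrdinalIgnoreCase)
    End Function

    Public ReadOnly Property IsReusable() As Boolean Implements IHttpHandler.IsReusable
        Get
            Return False
        End Get
    End Property
End Class
```

In the CustomValidator's ServerValidate handler, set args.IsValid = CaptchaImage.Verify(Session, txtCaptcha.Text). Because the stored code is removed on every attempt, the page has to request a fresh image after each submission.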

ASP.net CAPTCHA Controls

Tutorial