Alternating Sequential User Input Challenge - ASUIC

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

Groone
Forum Newbie
Posts: 13
Joined: Mon Jan 30, 2006 6:30 am
Location: Mobile, Alabama USA
Contact:

Alternating Sequential User Input Challenge - ASUIC

Post by Groone »

Okay, so I am trying an alternative type of challenge which I have termed - Alternating Sequential User Input Challenge or ASUIC.

Basically, it takes a sequence of letters or numbers, randomly takes a selection of that sequence, and then randomly removes one of the letters or numbers. Then, in a multiple choice format, you are asked the question, "which item is missing?" You then pick the correct answer.

Well, I can't explain it that well, so here is the code.


<?php
    // Pick one of two palindromic source sequences at random.
    switch (mt_rand(1,2)){
        case 1:
            $alphanumeric = "12345678987654321";
            break;
        case 2:
            $alphanumeric = "ABCDEFGHIHGFEDCBA";
            break;
    }

    // Take a 5-character window of the sequence and blank out one position in it.
    $str=substr($alphanumeric, mt_rand(0, strlen($alphanumeric)-5), 5);
    $random=mt_rand(0,4);
    $strTmp=substr($str, 0, $random)."_".substr($str, $random+1);
    $missing=substr($str, $random, 1);

    echo "The sequence: ".$alphanumeric."<br>";
    echo "What is missing from this sequence?  ".$strTmp."<br>";
    echo "Possible Answers: <br><br>";

    // Randomly label the choices with letters or with numbers.
    switch (mt_rand(1,2)){
        case 1:
            $answer = array("A.) ", "B.) ", "C.) ", "D.) ", "E.) ", "F.) ");
            break;
        case 2:
            $answer = array("1.) ", "2.) ", "3.) ", "4.) ", "5.) ", "6.) ");
            break;
    }
    $limit = count($answer);
    $placement = mt_rand(0, $limit-1);

    // Distractors come from the distinct characters of the sequence, minus the
    // correct answer, without repeats (a duplicated choice would give a hint).
    $pool = array_diff(array_unique(str_split($alphanumeric)), array($missing));
    shuffle($pool);

    for ($i=0; $i<$limit; $i++){
        if ($i == $placement){
            echo $answer[$i].$missing."<br>";
            $correct = $answer[$i].$missing;
        }else{
            echo $answer[$i].array_pop($pool)."<br>";
        }
    }
    echo "<br><br>Do Your Own Process on This - ".$correct;
?>
This should be pretty hard to scan with an OCR because you have to make a decision that is different every time. I suppose a lucky chance can get it, but seems pretty difficult to me. What do you think?

The output looks like this
The sequence: 12345678987654321
What is missing from this sequence? _7654
Possible Answers:

A.) 4
B.) 1
C.) 7
D.) 8
E.) 3
F.) 6


Do Your Own Process on This - D.) 8
Roja
Tutorials Group
Posts: 2692
Joined: Sun Jan 04, 2004 10:30 pm

Re: Alternating Sequential User Input Challenge - ASUIC

Post by Roja »

Groone wrote:This should be pretty hard to scan with an OCR because you have to make a decision that is different every time.
OCR = Optical Character Recognition. It means recognizing characters in an image. Doesn't apply here.
Groone wrote:I suppose a lucky chance can get it, but seems pretty difficult to me. What do you think?
Seems easy to me. You just need to substr the "missing sequence" against the full sequence, and get the difference. Set the start for the substr to the first character after _, and then once you have the match in the main string, substr back one character. Done.

Highly scriptable.

Sequential is the downside to this. Here's an alternative. Offer a contextual challenge response instead.

Context matters, and you can vary the questions.. for example:

Bob's father is Steve. Steve's father is Alex.

Who is Alex's son?
Who is Steve's son?
Who is Bob's grandfather?
Who is Alex's grandson?

Notice the statement doesn't specifically state *any* of those items without recognizing the context. It's a slightly bad/biased example because it uses family relationships; not every society is similar in its phrasing, and you might confuse some people.

But if you offer multiple types of contextual challenges, you should within 2-3 questions find one that pretty much any human can answer.

Low false-positive rate, low false-negative rate. It's good stuff.
Groone
Forum Newbie
Posts: 13
Joined: Mon Jan 30, 2006 6:30 am
Location: Mobile, Alabama USA
Contact:

Post by Groone »

Thanks for the quick reply, and I understand what you are saying.

If we process the entire answer set as an answer, such as A.) A, then the scripters would have to really work hard to script it, wouldn't they?

If I were to have a series of questions, say 100 questions, a scripter, by simply taking all the questions and pairing them with the correct answer, then doing a compare with what was on the form, could build a switch that easily finds the answers, I would think.


Edit: After thinking about it, I could probably change the question a bit to say something like, "The first number is missing, what is it?" and then show the sequence, minus the underscore. Then under it have the possible answers. The word "first" would be a randomly generated number from 1 to however long the string is.
Roja
Tutorials Group
Posts: 2692
Joined: Sun Jan 04, 2004 10:30 pm

Post by Roja »

Groone wrote:Edit: After thinking about it, I could probably change the question a bit to say something like, "The first number is missing, what is it?" and then show the sequence, minus the underscore. Then under it have the possible answers. The word first would be a randomly generated number from 1 to how ever long the string is.
That's a significant improvement. The solution to scripting the answer doesn't come immediately to mind, so it is at least an improvement over the original idea. :)

I'll think it over and see if I can figure out a scriptable attack for it. Hopefully other posters will have ideas too.
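Roja's substring attack on the original challenge, and the brute-force version of it that also covers the "Nth character is missing" variant Groone proposes, written up as an added example in Python (this is not code from either poster). The sample challenge text is constructed from the output shown in Groone's first post, with the <br> tags assumed to have been stripped to newlines; the parsing regexes are assumptions about that text layout.

```python
import re

# Constructed sample: the challenge output from the first post, as plain text
# after a bot has stripped the <br> tags.
SAMPLE_CHALLENGE = """The sequence: 12345678987654321
What is missing from this sequence?  _7654
Possible Answers:

A.) 4
B.) 1
C.) 7
D.) 8
E.) 3
F.) 6
"""

# One labelled choice per line, e.g. "D.) 8" or "4.) 8" -> (label, character).
CHOICE_RE = re.compile(r"^\s*([A-Z0-9]+)\.\)\s*(\S)\s*$", re.MULTILINE)


def parse_challenge(text):
    """Pull the full sequence, the blanked window and the labelled choices out of the page text."""
    full = re.search(r"The sequence:\s*(\S+)", text).group(1)
    window = re.search(r"What is missing from this sequence\?\s*(\S+)", text).group(1)
    choices = dict(CHOICE_RE.findall(text))  # label -> candidate character
    return full, window, choices


def solve_underscore(full, window, choices):
    """Original format: fill the underscore with each candidate and keep those
    that make the window a substring of the full sequence (the full sequence
    is printed on the page, so no guessing is needed). Returns matching labels."""
    return [label for label, ch in choices.items()
            if window.replace("_", ch, 1) in full]


def solve_positional(full, shown, position, choices):
    """Revised format: the underscore is gone and the prompt says the Nth
    character (1-based) is missing. Reinsert each candidate at that position
    and test against the full sequence. Returns matching labels."""
    i = position - 1
    return [label for label, ch in choices.items()
            if shown[:i] + ch + shown[i:] in full]


def solve(text):
    """End-to-end: parse the page text and return the label(s) to submit."""
    full, window, choices = parse_challenge(text)
    return solve_underscore(full, window, choices)


if __name__ == "__main__":
    print(solve(SAMPLE_CHALLENGE))
    # Revised variant, constructed from the same window "87654" with its first
    # character removed and the prompt saying "the 1st character is missing".
    print(solve_positional("12345678987654321", "7654", 1, {"A": "4", "D": "8"}))
```

Both solvers return a list rather than a single label so that an ambiguous window (one that fits the full sequence with more than one candidate) is visible to the caller instead of being silently guessed; in that case a bot would simply try each match in turn.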
Groone
Forum Newbie
Posts: 13
Joined: Mon Jan 30, 2006 6:30 am
Location: Mobile, Alabama USA
Contact:

Post by Groone »

I got busy at work today so wasn't able to finish writing it. I will endeavor to complete it when I get home and put it on the guest book and let you, and whoever else, spam it. See if it would be easy enough.
josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Post by josh »

Ok, I'm surprised no one has mentioned these:

Have 3 images - A, B, and C they would read. One of the images would be completely grayed out. It would ask the user which letter is grayed out (it would always be in sequential order). Pre-requisites to answering it are knowing the first 3 letters of the alphabet and being able to read black text on a white background. This however is very vulnerable to OCR, but better than the traditional captcha in my opinion. Another play on this would be to replace one letter with a number and ask them which box contains a number.

Another method I've seen is an image that contains text that says "Check the first and third box, leaving the middle box unchecked" and it has 3 checkboxes underneath it. You can play with the context to make it difficult to script for it - "Do not check any boxes except for the middle box", "Check all the boxes except for the third", etc.. mix "third" with "last"
Groone
Forum Newbie
Posts: 13
Joined: Mon Jan 30, 2006 6:30 am
Location: Mobile, Alabama USA
Contact:

Post by Groone »

Okay, I finished the code for it, so go ahead and try it out.

http://www.groonesworld.com/gbook/index.php?act=add

It's an interesting concept to say the least. Will definitely stop stupid people rofl :lol:
josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Post by josh »

In my opinion this is a poor idea, you're complicating the process for the user and this is easily scripted.. just using an old fashioned captcha would be better than this in terms of stopping bots.
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto
Contact:

Post by John Cartwright »

jshpro2 wrote:In my opinion this is a poor idea, you're complicating the process for the user and this is easily scripted.. just using an old fashioned captcha would be better than this in terms of stopping bots.
Agreed. If I was confronted with anything that complex, I'd likely blow it off.

And yes, that is easily scripted.
Groone
Forum Newbie
Posts: 13
Joined: Mon Jan 30, 2006 6:30 am
Location: Mobile, Alabama USA
Contact:

Post by Groone »

Is it easily scripted? Not that I doubt it, but I would like to see it spammed in action.
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto
Contact:

Post by John Cartwright »

Not that you've asked, but don't push anyone to try, as it violates US law if they do...
josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Post by josh »

Even so, like I'm really going to spend time writing a spam bot to prove something to you when you can't just take my word for it.



Take our advice or leave it, it's your application


Edit: this is all assuming the implied request to write a spambot
AGISB
Forum Contributor
Posts: 422
Joined: Fri Jul 09, 2004 1:23 am

Post by AGISB »

Wouldn't this work much better?

You have the input form where you input the text. On this site create a unique random number and save it to a session. Link the form to a verification script.

The verification script validates the data, places the data into a hidden form, creates a hash of all data plus a secret passphrase, and decrypts the session number and increments it. Link the verification form to the submit script.

In the submit script check the hash against the data and check the incremented number against the original number. If all is ok submit, if not don't submit.
josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Post by josh »

That would prevent what? Spammers that don't have access to CURL or low level sockets?
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto
Contact:

Post by John Cartwright »

Call me a block, but how does that prevent spam?
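AGISB's session-number plus hash scheme, modelled in Python as an added example (this is not AGISB's code, and the page has no implementation of it). The secret passphrase, the form field names, the message format under the HMAC and the in-memory session dict are all assumptions. The last function walks the three steps the way a scripted client with a cookie jar would, which is the objection josh and John raise: the checks do stop tampering with and replaying a verified form, but nothing in them distinguishes a bot that follows the flow from a person.

```python
import hmac
import hashlib
import secrets

# Assumption: the "secret passphrase" from AGISB's post, held only on the server.
SERVER_SECRET = b"constructed-example-passphrase"


def _mac(fields, number):
    """HMAC-SHA256 over the sorted form fields plus the session number.
    Keys and values are length-prefixed so that shifting bytes between
    adjacent fields cannot produce the same MAC."""
    h = hmac.new(SERVER_SECRET, digestmod=hashlib.sha256)
    for k, v in sorted(fields.items()):
        for part in (k, v):
            h.update(str(len(part)).encode() + b":" + part.encode())
    h.update(b"|" + str(number).encode())
    return h.hexdigest()


def show_input_form(session):
    """Step 1: the input form mints a random number and stores it in the session."""
    session["original"] = secrets.randbelow(2**31)
    return {"fields": ["name", "message"]}


def verify(session, posted):
    """Step 2: validate the data, re-emit it as hidden fields with a MAC over
    data + secret + number, and store the incremented number in the session."""
    if "original" not in session:
        raise PermissionError("form was never shown to this session")
    if not posted.get("message", "").strip():
        raise ValueError("empty message")
    session["incremented"] = session["original"] + 1
    hidden = dict(posted)
    hidden["mac"] = _mac(posted, session["incremented"])
    return hidden


def submit(session, hidden):
    """Step 3: accept only if the incremented number is exactly original + 1
    and the MAC matches the hidden data. Both numbers are consumed on success
    so an already-verified form cannot be replayed."""
    original, incremented = session.get("original"), session.get("incremented")
    if original is None or incremented != original + 1:
        return False
    data = {k: v for k, v in hidden.items() if k != "mac"}
    if not hmac.compare_digest(hidden.get("mac", ""), _mac(data, incremented)):
        return False
    session.pop("original")
    session.pop("incremented")
    return True


def demo():
    """Run the flow three ways and report what the scheme does and does not stop."""
    results = {}

    # Hidden form edited between step 2 and step 3: the MAC no longer matches.
    s = {}
    show_input_form(s)
    hidden = verify(s, {"name": "bob", "message": "hello"})
    hidden["message"] = "BUY NOW"
    results["tampered_accepted"] = submit(s, hidden)

    # Replay of a form that already went through: the numbers were consumed.
    s = {}
    show_input_form(s)
    hidden = verify(s, {"name": "bob", "message": "hello"})
    results["first_accepted"] = submit(s, hidden)
    results["replay_accepted"] = submit(s, hidden)

    # A scripted client that just performs all three requests with one session
    # cookie (curl or raw sockets would do): accepted like any human.
    bot_session = {}
    show_input_form(bot_session)
    hidden = verify(bot_session, {"name": "bot", "message": "spam spam spam"})
    results["bot_accepted"] = submit(bot_session, hidden)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

What the scheme buys is integrity of the data shown on the verification page and one-shot submission; what it does not buy is any evidence that a person filled in the form, which is the only property a spam filter cares about here.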