writting own registration text validator

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

Post Reply
divx
Forum Newbie
Posts: 20
Joined: Sun Jul 01, 2007 1:37 pm

writting own registration text validator

Post by divx »

Hi,

Im thinking of writting my own Text(picture) verification

I know there are methods out there, but I dont want to use standards (since i know the common ones always get hacked eventualy).

Im thinking of writting this in php, where the php gets a image number (say from the milliesecond that the user has gone to the registration of this page) eg, 01 millseconds = pic 1 (an algorithum will modify this, but you get the idea)

But I have then run into security problems, with various approaches:

1. onSend the javaScript can verify that the image the same as the input eg 01img = Myinput
- security problem, javascript can be searched

2. imageNumber can be varified by php that imageNumber corresponds to Myinput
- cant see anyproblems with this so far

Anyone done this before, any infomation on this sort of thing would be appreciated, thx
User avatar
Zoxive
Forum Regular
Posts: 974
Joined: Fri Apr 01, 2005 4:37 pm
Location: Bay City, Michigan

Post by Zoxive »

They are called captcha's, and most php based ones I know of use session variables.
divx
Forum Newbie
Posts: 20
Joined: Sun Jul 01, 2007 1:37 pm

Post by divx »

cheers, I think nmost captchas use the php GD2 library (im not hosting this one myself), so i dont think I can really go down there?
User avatar
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

Most captchas actually generate an image, not retrieve a pre-generated image. Your method is much easier to hack.
divx
Forum Newbie
Posts: 20
Joined: Sun Jul 01, 2007 1:37 pm

Post by divx »

I dont know how, but they have been hacked. (just look at most of the discussion about this in vbulletin)

Pregenerated may not be as bad as u might 1st think, since once someone designs a hack, just upload a new batch of images with different values.
User avatar
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto
Contact:

Post by John Cartwright »

divx wrote:I dont know how, but they have been hacked. (just look at most of the discussion about this in vbulletin)

Pregenerated may not be as bad as u might 1st think, since once someone designs a hack, just upload a new batch of images with different values.
That seems awfully painful to have to design the new images everytime. Why not generate the images on the fly randomly changing things such as background, distortion, letter size, pitch, color, etc.
User avatar
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

You may even want to go the Digg route where it's hard for humans to read what the captcha says, let alone a bot.
divx
Forum Newbie
Posts: 20
Joined: Sun Jul 01, 2007 1:37 pm

Post by divx »

superdezign wrote:You may even want to go the Digg route where it's hard for humans to read what the captcha says, let alone a bot.
hmm, no i reallly wouldnt want to do that, lets face it its not neural networks reading the images, most of these generators have simply just been hacked (via code exploits).
Last edited by divx on Wed Jul 18, 2007 5:14 pm, edited 1 time in total.
divx
Forum Newbie
Posts: 20
Joined: Sun Jul 01, 2007 1:37 pm

Post by divx »

Jcart wrote:
divx wrote:I dont know how, but they have been hacked. (just look at most of the discussion about this in vbulletin)

Pregenerated may not be as bad as u might 1st think, since once someone designs a hack, just upload a new batch of images with different values.
That seems awfully painful to have to design the new images everytime. Why not generate the images on the fly randomly changing things such as background, distortion, letter size, pitch, color, etc.
Maybe not as painfull as you might think, predefined sets for each week, 52 sets, all mutually exlusive. Nobody will want to redisign a macro to resubmit for 1 week, and then have to design another one.

I think generating on the fly makes me prone, since once its hacked once, it stays hacked until the way they hacked it is figured out, and a patch can be applied.

maybe a combination of these ideas will seal the deal
User avatar
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Post by Mordred »

divx wrote:lets face it its not neural networks reading the images, most of these generators have simply just been hacked (via code exploits).
You seem so certain in what you say, so why coming here looking for advice and then discarding it?
You are also wrong, most attempts at defeating CAPTCHA-s are indeed algorythmic, not exploit-based.
User avatar
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Mordred wrote:most attempts at defeating CAPTCHA-s are indeed algorythmic, not exploit-based.
Indeed.
User avatar
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto
Contact:

Post by John Cartwright »

divx wrote:
Jcart wrote:
divx wrote:I dont know how, but they have been hacked. (just look at most of the discussion about this in vbulletin)

Pregenerated may not be as bad as u might 1st think, since once someone designs a hack, just upload a new batch of images with different values.
That seems awfully painful to have to design the new images everytime. Why not generate the images on the fly randomly changing things such as background, distortion, letter size, pitch, color, etc.
Maybe not as painfull as you might think, predefined sets for each week, 52 sets, all mutually exlusive. Nobody will want to redisign a macro to resubmit for 1 week, and then have to design another one.

I think generating on the fly makes me prone, since once its hacked once, it stays hacked until the way they hacked it is figured out, and a patch can be applied.

maybe a combination of these ideas will seal the deal
I'm not sure you quite understood my last post. This generally only applies if you have fixed attributes on your captcha, such as a static background image. Essentially, if all your attributes are dynamic and highly random I don't see how it's easily possible to break the captcha without the use of a very clever OCR program. So please tell me, if someone creates a program that can break highly dynamic captchas whats to stop them from breaking yours as well?
User avatar
The Phoenix
Forum Contributor
Posts: 294
Joined: Fri Oct 06, 2006 8:12 pm

Post by The Phoenix »

Most captchas are broken by optical character recognition (OCR). Here's a good example breaking down some of the "how": http://sam.zoy.org/pwntcha/

The summary version is that it can 'guess' where letters are based on common fonts, positions, rendering, and so forth.

There is a considerable amount of work in the security field on breaking them precisely because they are being used to secure resources.

Lets simplify the examples to clarify things. Lets say you pre-generate an image of a number 1-9. On the other hand, Bob generates (real-time) images of a number 1-9. An attacker finds a way to identify those numbers reliably.

Bob has to change his algorithm.

You have to change your algorithm also. But you also need to generate the images, and then upload them. Then you need to use different names for your images so that the cached versions people already received from your site won't linger.

For 9 images, thats not too unreasonable. For 36 images, it should be an obvious disadvantage.

No matter how you slice it, dynamically generated images will be easier to maintain in an attack/response environment.

Worse, by having pre-generated images, the attacker can download the very small set (9? 36?) of images, and be sure he has 100% of the images he needs to be able to guess. With dynamic image generation, you can combine multiple items into one image, forcing the number of potential solutions much higher (thousands or more).
User avatar
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

The Phoenix wrote:Worse, by having pre-generated images, the attacker can download the very small set (9? 36?) of images, and be sure he has 100% of the images he needs to be able to guess. With dynamic image generation, you can combine multiple items into one image, forcing the number of potential solutions much higher (thousands or more).
And, you can save some server space.
Post Reply