How to : Using PHP Fusion 7 or PHPBB3 CAPTCHA

Mds
Forum Contributor
Posts: 110
Joined: Tue Apr 22, 2008 8:56 pm

How to : Using PHP Fusion 7 or PHPBB3 CAPTCHA

Post by Mds »

Hi guys.
Would you like to know how we can use PHP Fusion 7 or PHPBB3 CAPTCHA?
If so, see the links below:
How to : Using PHP Fusion 7 CAPTCHA
How to : Using Phpbb3 captcha
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: How to : Using PHP Fusion 7 or PHPBB3 CAPTCHA

Post by kaisellgren »

PHP Fusion 7 CAPTCHA is weak, don't use it. The Phpbb3 CAPTCHA is also relatively weak, you should avoid it.

To build a good CAPTCHA, pay attention to the following:
- Noise
- Different fonts
- Rotation
- Random Colors
- Perturbation
- Distortion
- Waving
- Random size
- Random position

Most wave CAPTCHAs are very hard to break, one example: http://www.brainsfeed.com/uploads/google_captcha.png

And yes you can trust me, I'm a good friend of Aleksey (http://ocr-research.org.ua/) ;)

Re: How to : Using PHP Fusion 7 or PHPBB3 CAPTCHA

Post by Mds »

kaisellgren wrote:PHP Fusion 7 CAPTCHA is weak, don't use it. The Phpbb3 CAPTCHA is also relatively weak, you should avoid it.
Really? I didn't know it
kaisellgren wrote:And yes you can trust me, I'm a good friend of Aleksey (http://ocr-research.org.ua/)
Wow

Re: How to : Using PHP Fusion 7 or PHPBB3 CAPTCHA

Post by Mds »

BTW kaisellgren, could you post some wavy CAPTCHA class links here?

Re: How to : Using PHP Fusion 7 or PHPBB3 CAPTCHA

Post by kaisellgren »

Mds wrote:BTW kaisellgren, could you post some wavy CAPTCHA class links here ?
Well I do not really look at other people's scripts. But if you are interested in waving effects, here is what my CAPTCHA class does:

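Code:

private function apply_wave()
 {
  // Vertical wave: copy each 1px column one pixel to the left, shifted up or down by a sine of its x position
  $xp = $this -> x_period*rand(1,3);
  $k = rand(0,100); // random phase
  for ($a = 0;$a < $this -> width;$a++)
   // explicit (int): imagecopy() expects integer offsets; implicit float conversion is deprecated since PHP 8.1
   imagecopy($this -> image,$this -> image,$a-1,(int) (sin($k+$a/$xp)*$this -> x_amplitude),$a,0,1,$this -> height);
  // Horizontal wave: the same for each 1px row, shifted left or right
  $yp = $this -> y_period*rand(1,2);
  $k = rand(0,100); // new random phase
  for ($a = 0;$a < $this -> height;$a++)
   imagecopy($this -> image,$this -> image,(int) (sin($k+$a/$yp)*$this -> y_amplitude),$a-1,0,$a,$this -> width,1);
 }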
It's just pure math, that's all. You can try different (x/y)_amplitudes and (x/y)_periods. Try setting them around 10+.

Re: How to : Using PHP Fusion 7 or PHPBB3 CAPTCHA

Post by Mds »

Thank you.
This is my CAPTCHA.
Attachment: PHP_CAPTCHA.jpg
Last edited by Mds on Tue Feb 24, 2009 4:15 am, edited 2 times in total.
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: How to : Using PHP Fusion 7 or PHPBB3 CAPTCHA

Post by VladSun »

kaisellgren wrote:But if you are interested in waving effects, here is what my CAPTCHA class does:
...
Adding a second sin function with a bigger period and amplitude would be even better :)
There are 10 types of people in this world, those who understand binary and those who don't

Re: How to : Using PHP Fusion 7 or PHPBB3 CAPTCHA

Post by kaisellgren »

VladSun wrote:
kaisellgren wrote:But if you are interested in waving effects, here is what my CAPTCHA class does:
...
Adding a second sin function with a bigger period and amplitude would be even better :)
Hmm let me try.

EDIT: This is an example of what I got:

Image

Not always readable though.
Last edited by kaisellgren on Mon Jan 05, 2009 11:41 am, edited 1 time in total.

Re: How to : Using PHP Fusion 7 or PHPBB3 CAPTCHA

Post by VladSun »

Example:

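Code:

<?php

define('SIZEX', 500);
define('SIZEY', 200);
define('FSIZE', 10);

// First wave: short period, small amplitude
define('Y_AMPL', 3);
define('X_AMPL', 3);
define('Y_PERIOD', 4);
define('X_PERIOD', 4);

// Second wave: bigger period and amplitude
define('Y_AMPL2', 15);
define('X_AMPL2', 15);
define('Y_PERIOD2', 50);
define('X_PERIOD2', 50);

$font = 'fonts/arial.ttf';

// Shift every 1px column vertically, then every 1px row horizontally, by the sum of two sines
function apply_wave(&$im)
{
    $k = rand(0,100); // random phase
    for ($a = 0; $a < SIZEX; $a++)
        // explicit (int): imagecopy() expects integer offsets (implicit float conversion is deprecated since PHP 8.1)
        imagecopy($im, $im, $a-1, (int) (sin($k+$a/X_PERIOD)*X_AMPL + sin($k+$a/X_PERIOD2)*X_AMPL2), $a, 0, 1, SIZEY);

    $k = rand(0,100); // new random phase for the horizontal pass
    for ($a = 0;$a < SIZEY; $a++)
        imagecopy($im, $im, (int) (sin($k+$a/Y_PERIOD)*Y_AMPL + sin($k+$a/Y_PERIOD2)*Y_AMPL2), $a-1, 0, $a, SIZEX, 1);
}

header('Content-Type: image/png');

// imagecreatetruecolor() starts with a black canvas
$im = imagecreatetruecolor(SIZEX, SIZEY);

// Blue test text, then the distortion
imagettftext($im, 96, 0, 25, SIZEY - 50, imagecolorallocate( $im, 0,0,255), $font, 'PROBE');

apply_wave($im);

imagepng($im);
imagedestroy($im);

?>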
One could also play with period changes :)
PS: + color changes

Re: How to : Using PHP Fusion 7 or PHPBB3 CAPTCHA

Post by VladSun »

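I often use the "shadow" effect:

Code:

<?php

header('Content-Type: image/png');

define('SIZEX', 500);
define('SIZEY', 200);
$font = 'fonts/arial.ttf';

// imagecreatetruecolor() starts with a black canvas
$im = imagecreatetruecolor(SIZEX, SIZEY);

// Blue text first, then the same text in black, offset by a few pixels,
// so only a thin blue edge of each glyph stays visible
imagettftext($im, 96, 0, 25, SIZEY - 50, imagecolorallocate( $im, 0,0,255), $font, 'PROBE');
imagettftext($im, 96, 0, 22, SIZEY - 48, imagecolorallocate( $im, 0,0,0), $font, 'PROBE');

// Uncomment (with apply_wave() from the previous script) to combine both effects
//apply_wave($im);

imagepng($im);
imagedestroy($im);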
It's harder to extract the text this way while it's very readable by humans.

Re: How to : Using PHP Fusion 7 or PHPBB3 CAPTCHA

Post by kaisellgren »

Can you show me what those produce? Rather difficult to imagine it all inside my head :)

EDIT: OK, I tried the one you provided. 3,3,4,4,15,15,50,50 that's rather good.

Re: How to : Using PHP Fusion 7 or PHPBB3 CAPTCHA

Post by VladSun »

Notice the names of the attached files
Attachments: wave.png, shadow-wave.png, shadow.png

Re: How to : Using PHP Fusion 7 or PHPBB3 CAPTCHA

Post by kaisellgren »

Image
Values used:

Code:

// First wave
$xperiod = 4;
$yperiod = 4;
$xamplitude = 3;
$yamplitude = 3;
// Second wave
$xperiod = 50;
$yperiod = 50;
$xamplitude = 15;
$yamplitude = 15;
Plus your shadow effect as orange against white bg. This forces the bg color to be exact... (like black so it has a purpose).
Last edited by kaisellgren on Mon Jan 05, 2009 12:36 pm, edited 3 times in total.

Re: How to : Using PHP Fusion 7 or PHPBB3 CAPTCHA

Post by VladSun »

The purpose of the shadow effect is to make the text contours noncontinuous.
This feature makes the text hard to extract by algorithms.

Re: How to : Using PHP Fusion 7 or PHPBB3 CAPTCHA

Post by kaisellgren »

VladSun wrote:The purpose of the shadow effect is to make the text contours noncontinuous.
This feature makes the text hard to extract by algorithms.
shadow.png is very weak, however, combined with the wave effect it becomes very strong.

Waving is proven to be a very strong method among 2D CAPTCHAs. I myself prefer 3D CAPTCHAs, in which the abstraction of 3D matters a lot.

EDIT: I can't think of a solid way to break the wave-shadowed CAPTCHA. But I do not like the difficulty of reading it though :/
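
The shadow and double-wave effects discussed in this thread, combined into one generator as an added example that is not code from any poster: it draws a random code with the shadow offset, then warps columns and rows into a fresh canvas with two superimposed sine waves whose periods and phases are drawn per request. The names render_captcha, wave_axis and $fontPath, the alphabet, the 72 pt size and the parameter ranges are assumptions; it needs PHP 7.1+ with GD and FreeType.

```php
<?php
// Added example (not from the thread). Function names, alphabet, sizes and ranges are assumptions.

// Copy $src into a fresh canvas, shifting each 1px column (or row) by a sum of sine waves.
function wave_axis($src, int $w, int $h, bool $columns, array $waves)
{
    $dst = imagecreatetruecolor($w, $h);          // black, so no stale pixels are left behind
    $n = $columns ? $w : $h;
    for ($i = 0; $i < $n; $i++) {
        $shift = 0.0;
        foreach ($waves as [$period, $amplitude, $phase]) {
            $shift += sin($phase + $i / $period) * $amplitude;
        }
        $shift = (int) round($shift);             // imagecopy() takes integer offsets
        if ($columns) {
            imagecopy($dst, $src, $i, $shift, $i, 0, 1, $h);   // column moved vertically
        } else {
            imagecopy($dst, $src, $shift, $i, 0, $i, $w, 1);   // row moved horizontally
        }
    }
    return $dst;
}

// Returns [code, PNG bytes]. $fontPath must point to a TrueType font on the server.
function render_captcha(string $fontPath, int $w = 500, int $h = 200, int $len = 5): array
{
    $alphabet = 'ABCDEFHJKLNPRSTUVXYZ';           // ambiguous and very wide glyphs left out
    $code = '';
    for ($i = 0; $i < $len; $i++) {
        $code .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    $im = imagecreatetruecolor($w, $h);
    // Shadow effect: coloured text, then the same text in black a few pixels off.
    $fg = imagecolorallocate($im, random_int(96, 255), random_int(96, 255), random_int(96, 255));
    imagettftext($im, 72, 0, 25, $h - 50, $fg, $fontPath, $code);
    imagettftext($im, 72, 0, 22, $h - 48, imagecolorallocate($im, 0, 0, 0), $fontPath, $code);
    foreach ([true, false] as $columns) {         // vertical wave first, then horizontal
        $im = wave_axis($im, $w, $h, $columns, [
            [random_int(3, 5), 3, random_int(0, 628) / 100],     // short wave
            [random_int(40, 60), 15, random_int(0, 628) / 100],  // long wave, own phase
        ]);
    }
    ob_start();
    imagepng($im);                                // captured by the output buffer
    return [$code, ob_get_clean()];
}
```

The caller keeps the returned code server-side (for example in the session) and sends only the PNG bytes to the browser.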