How to : Using PHP Fusion 7 or PHPBB3 CAPTCHA

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: How to : Using PHP Fusion 7 or PHPBB3 CAPTCHA

Post by kaisellgren »

Oh dear :D

Image

Code:

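<?php

// Canvas size in pixels.
define('SIZEX', 500);
define('SIZEY', 200);
define('FSIZE', 10); // not used below

// Fine ripple: small amplitude, short period.
define('Y_AMPL', 3);
define('X_AMPL', 3);
define('Y_PERIOD', 4);
define('X_PERIOD', 4);

// Coarse wave: large amplitude, long period.
define('Y_AMPL2', 15);
define('X_AMPL2', 15);
define('Y_PERIOD2', 50);
define('X_PERIOD2', 50);

// TrueType font file; it must be readable by GD.
$font = 'VeraSans.ttf';

// Distort the image in place with two superimposed sine waves per axis.
function apply_wave(&$im)
{
    // Shift each 1px-wide column vertically, with a random phase $k.
    // The (int) casts avoid float-to-int deprecation notices (PHP 8.1+),
    // which would otherwise end up inside the PNG output.
    $k = rand(0,100);
    for ($a = 0; $a < SIZEX; $a++)
        imagecopy($im, $im, $a-1, (int) (sin($k+$a/X_PERIOD)*X_AMPL + sin($k+$a/X_PERIOD2)*X_AMPL2), $a, 0, 1, SIZEY);

    // Shift each 1px-high row horizontally, with a new random phase.
    $k = rand(0,100);
    for ($a = 0; $a < SIZEY; $a++)
        imagecopy($im, $im, (int) (sin($k+$a/Y_PERIOD)*Y_AMPL + sin($k+$a/Y_PERIOD2)*Y_AMPL2), $a-1, 0, $a, SIZEX, 1);
}

header('Content-Type: image/png');

$im = imagecreatetruecolor(SIZEX, SIZEY);

// Draw the blue "shadow" first, then the black text slightly offset on top of it.
imagettftext($im, 50, 0, 28, SIZEY - 52, imagecolorallocate($im, 0, 0, 255), $font, 'DevNetwork');
imagettftext($im, 50, 0, 25, SIZEY - 50, imagecolorallocate($im, 0, 0, 0), $font, 'DevNetwork');

apply_wave($im);

imagepng($im);
imagedestroy($im);

?>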
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: How to : Using PHP Fusion 7 or PHPBB3 CAPTCHA

Post by VladSun »

kaisellgren wrote: I can't think of a solid way to break the wave-shadowed CAPTCHA. But I do not like the difficulty of reading it though :/
I have some DSP background (especially image processing) - my master's degree and my started, but not finished, PhD :(
I've been working on data embedding in multimedia documents - more precisely "watermarking". So, there are some attacks that are very difficult to protect against - one of those is the local geometric transformations attack.
It's very close to generating good CAPTCHAs because one who intends to remove the watermark must not decrease the quality of the picture (that's for readability in CAPTCHA). The level of watermark protection is referred to the level of CAPTCHA anti-bot protection.

So maybe local geometric transformations will be good for generating strong CAPTCHA images.
Last edited by VladSun on Mon Jan 05, 2009 1:13 pm, edited 1 time in total.
There are 10 types of people in this world, those who understand binary and those who don't

Post by kaisellgren »

VladSun wrote:So maybe local geometric transformations will be good for generating strong CAPTCHA images.
Not maybe, they are. I'm myself just a fanatic of CAPTCHAs, but my good friend does it for a job (both generating and cracking - cracked Microsoft's CAPTCHA twice, Google's once, and so on... :))

By the way, what's DSP?

The general idea of making a good CAPTCHA is to use the advantage of the human mind. Geometric illusions, delineation of shapes, models, etc. Transformation will therefore ask a lot about understanding of these, which human beings can do far better than bots. Theoretically it's impossible to protect yourself, one can build a bot that is identical to a human mind, although this won't happen anytime soon :P

Third dimension makes everything far better. Placing objects, corners, shapes, partly into background, front, transforming geometry, etc. will make it extremely hard to break a CAPTCHA.

There's a general misunderstanding with the fourth dimension (4D). That is not good for CAPTCHAs. By 4D I'm talking about time. For example, the https://www.e-gold.com/acct/login.html CAPTCHA is weak. I did break this with my friend (not all alone, but lots of :)). It's nothing special though. Just extract the frames (the time - 4th dimension) from the GIF. Then separate the letters, which is easy, they don't even collide with each other. Then just separate the text by extracting all white colors. Apply to a CCL and get your letters. Done. Broken.

Thanks for telling about that watermark thought of yours, I have never thought about that myself yet.
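
The weakness named in the post above (letters that never collide fall apart under connected-component labelling) can be turned into a design-time check on your own CAPTCHA output. This is an added example, not part of the original thread; the bitmaps are constructed sample data and the helper names `count_components` and `is_trivially_segmentable` are hypothetical.

```php
<?php
// Added example: '#' is ink, '.' is background; both bitmaps are constructed.

/** Count 4-connected ink components (hypothetical helper). */
function count_components(array $rows): int
{
    $h = count($rows);
    $w = $h > 0 ? strlen($rows[0]) : 0;
    $seen = [];
    $count = 0;
    for ($y = 0; $y < $h; $y++) {
        for ($x = 0; $x < $w; $x++) {
            if ($rows[$y][$x] !== '#' || isset($seen[$y][$x])) {
                continue;
            }
            $count++;
            // Iterative flood fill, so large images cannot exhaust the call stack.
            $seen[$y][$x] = true;
            $stack = [[$x, $y]];
            while ($stack) {
                [$cx, $cy] = array_pop($stack);
                foreach ([[1, 0], [-1, 0], [0, 1], [0, -1]] as [$dx, $dy]) {
                    $nx = $cx + $dx;
                    $ny = $cy + $dy;
                    if ($nx < 0 || $ny < 0 || $nx >= $w || $ny >= $h) {
                        continue;
                    }
                    if ($rows[$ny][$nx] === '#' && !isset($seen[$ny][$nx])) {
                        $seen[$ny][$nx] = true;
                        $stack[] = [$nx, $ny];
                    }
                }
            }
        }
    }
    return $count;
}

/** One component per glyph means the letters separate without any effort. */
function is_trivially_segmentable(array $rows, int $glyphs): bool
{
    return count_components($rows) === $glyphs;
}

// "HT" with a gap between the glyphs, then with the glyphs touching.
$spaced   = ['#.#.###', '#.#..#.', '###..#.', '#.#..#.'];
$touching = ['#.####', '#.#.#.', '###.#.', '#.#.#.'];

var_dump(is_trivially_segmentable($spaced, 2));
var_dump(is_trivially_segmentable($touching, 2));
```

For a real image, threshold the pixels into this row-string form first (for example by reading them with `imagecolorat`) and run the check over a batch of generated CAPTCHAs.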

Post by VladSun »

kaisellgren wrote:By the way, what's DSP?
Digital Signal Processing
kaisellgren wrote:Thanks for telling about that watermark thought of yours, I have never thought about that myself yet.
Neither have I ... till now :)

Post by VladSun »

kaisellgren wrote:The general idea of making a good CAPTCHA is to use the advantage of human mind.
That's almost the same in watermarking stuff - one uses the peculiarities of the human perception.
There are well known effects, such as the "masking signal" one - http://en.wikipedia.org/wiki/Auditory_masking , and many more.
Now, I can see the relationships between DSP approaches and CAPTCHA issues.

Post by kaisellgren »

VladSun wrote:
kaisellgren wrote:The general idea of making a good CAPTCHA is to use the advantage of human mind.
That's almost the same in watermarking stuff - one uses the peculiarities of the human perception.
There are well known effects, such as the "masking signal" one - http://en.wikipedia.org/wiki/Auditory_masking , and many more.
Now, I can see the relationships between DSP approaches and CAPTCHA issues.
Interesting. Can you list me some more 'effects'? Maybe I could use them for my CAPTCHA class :P
Mds
Forum Contributor
Posts: 110
Joined: Tue Apr 22, 2008 8:56 pm

Re: How to : Using PHP Fusion 7 or PHPBB3 CAPTCHA

Post by Mds »

Yeah, please post them here :lol:

Post by VladSun »

Hm, I tried to crack the 3D CAPTCHA referred to above.
I used simple morphological operations and a low-pass filter.
It should be much easier for the OCR now :)
Attachments: crack-no-loww-pass.png, crack.png, captcha.png

Post by kaisellgren »

VladSun wrote: Hm, I tried to crack the 3D CAPTCHA referred to above.
I used simple morphological operations and a low-pass filter.
It should be much easier for the OCR now :)
There we go, definitely much easier for the OCR :)

Post by Mds »

Who can post some references for creating a 3D CAPTCHA?
I'm really in favor of it.

Post by kaisellgren »

Mds wrote: Who can post some references for creating a 3D CAPTCHA?
I'm really in favor of it.
CAPTCHAs are meant to prevent automatic bots from doing things you do not want them to do. If you are creating a CAPTCHA, you must know the fundamentals of CAPTCHA creation. What I am trying to say is that if you are to create a CAPTCHA and you have no idea how to make one - it will not be suitable for production use.

What kind of 3D CAPTCHA would you like to create? Use your brains. There are several ways to make one. You could start with something rather simple. Think about the letter A, how would you draw it in 3D on a paper? Do the same thing with PHP.

Post by Mds »

Thank you kaisellgren.
What kind of 3D CAPTCHA would you like to create? Use your brains. There are several ways to make one. You could start with something rather simple. Think about the letter A, how would you draw it in 3D on a paper? Do the same thing with PHP.
Actually, I'm going to create a CAPTCHA like this.
Unfortunately I don't have enough information about creating 3D images, and how we can create a 3D letter in an image.
So, I've needed some references about 3D to learn before starting my project.

Post by kaisellgren »

Mds wrote: Thank you kaisellgren.
What kind of 3D CAPTCHA would you like to create? Use your brains. There are several ways to make one. You could start with something rather simple. Think about the letter A, how would you draw it in 3D on a paper? Do the same thing with PHP.
Actually, I'm going to create a CAPTCHA like this.
Unfortunately I don't have enough information about creating 3D images, and how we can create a 3D letter in an image.
So, I've needed some references about 3D to learn before starting my project.
It is not simple. What you are asking is the same as "How to create PayPal?". There is no single answer, just lots of thinking, researching, coding, trials and errors as well as dilemmas. You may start by asking Alex about good resources where you could learn about this stuff. And ah, Alex is the site owner.

It is a lot of maths. If you are bad at maths, first start off by reading some math books... (hint: especially Geometry related)

Post by Mds »

It is not simple. What you are asking is the same as "How to create PayPal?"
:lol: Well, I should start from somewhere.
It is a lot of maths. If you are bad at maths, first start off by reading some math books...
I'm average in maths, but I don't know how I can create a 3D shape in an image :lol:
You may start by asking Alex about good resources where you could learn about this stuff. And ah, Alex is the site owner.
Yes, Alex is the site owner and maybe he doesn't guide me :(