Alternating Sequential User Input Challenge - ASUIC

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Post by josh »

He was probably thinking it would force the user to actually load the form and send the hash along with its message to post, but that can obviously be scripted very easily. What was wrong with the idea of asking the user to check a couple of checkboxes? It takes less than a second and, as long as you have the most rudimentary understanding of the English language, it poses no difficulty to the user.
AGISB
Forum Contributor
Posts: 422
Joined: Fri Jul 09, 2004 1:23 am

Post by AGISB »

I am actually giving a one time token to the whole process. Kind of hard for a script to overcome. It might be possible but it takes a lot of knowledge to overcome the hashing and the token.

This sure was a very simple description. You can add some more layers to it, e.g. your form page creates different kinds of tokens for users coming directly to the form page and for users coming from somewhere else on your site. There are a lot of things you can do to determine if a script is trying to get in. They all run in the background and the script spammer is not aware of them. If he can't get in easily he goes to other sites.
AGISB
Forum Contributor
Posts: 422
Joined: Fri Jul 09, 2004 1:23 am

Post by AGISB »

jshpro2 wrote:He was probably thinking it would force the user to actually load the form and send the hash along with its message to post, but that can obviously be scripted very easily. What was wrong with the idea of asking the user to check a couple of checkboxes? It takes less than a second and, as long as you have the most rudimentary understanding of the English language, it poses no difficulty to the user.
What's the difficulty for a script to try every combination of the checkboxes?

What's the solution for international users? (not even thinking of Russian and Chinese)

Do you really think people like to take a questionnaire every time they post a single comment? Yes, captcha is as much of an annoyance.
Groone
Forum Newbie
Posts: 13
Joined: Mon Jan 30, 2006 6:30 am
Location: Mobile, Alabama USA

Post by Groone »

Jcart wrote:Not that you've asked, but don't push anyone to try, as it violates US law if they do...
How so?

jshpro2 wrote: Take our advice or leave it, it's your application
Sorry, I'm not a lamb and have no reason to follow your advice.

jshpro2 wrote:He was probably thinking it would force the user to actually load the form and send the hash along with its message to post, but that can obviously be scripted very easily. What was wrong with the idea of asking the user to check a couple of checkboxes? It takes less than a second and, as long as you have the most rudimentary understanding of the English language, it poses no difficulty to the user.
I do like the idea about the check boxes and will work on that as an alternative security challenge too. Should be real easy to implement.
josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Post by josh »

Groone wrote:Sorry, I'm not a lamb and have no reason to follow your advice.
No one said you had to follow anyone's advice; you ASKED for it, so asking us to prove it would be rude. Instead of doubting it you could have asked us to explain why we came to that conclusion.

EDIT
Not that I doubt it, but I would like to see it spammed in action.
OK, maybe I got carried away. You didn't doubt us, but regardless, it is very easily scripted: all I have to do is load a couple of pages so I get an idea of the different patterns it's using, write a regex to grab the pattern and check it against the intact version of your sequence, find the difference of the strings to give me the missing letter, then send it along with the message I want spammed.

AGISB wrote:I am actually giving a one time token to the whole process. Kind of hard for a script to overcome.
Not really, it just forces the spam script to request the page that would contain the token, match it against an extremely simple regex, and then send that token along with its request.

As for the checkboxes, it's a simplified example. Increasing the number of checkboxes to 16 (and placing numbers on them so they are easily identified) would allow, as we know from binary, a total of 16^2 answers, or a 1:256 chance of guessing it. Give the user 10 tries to guess it before they get locked out and you are good; I know some OCRs have a higher success rate than 1:256 for a traditional captcha image. As for the English language problem, how does that not apply to a traditional captcha, in the sense that the words "please enter the code below" need to be translated? Some foreign keyboards might not even have an English character on them.

Another play on the context idea would be to have the captcha image contain the instructions on entering the code, the image would contain the text "please enter the code 2342adsf into the box", "type l32lh235 into the box", etc...

Personally, as a user I would rather check 2-3 boxes than have to sit there and decipher a bunch of codes with a ton of noise in the image, which also forces me to find each key if I do not touch type (I would guess most users do not touch type, and feel more comfortable using their mouse or other pointing device).
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Post by Weirdan »

some foreign keyboards might not even have an English character on them.
The vast majority of web browsers have an address bar of some kind. And since IDN (international domain names) is rather an exception than a rule, it's quite safe to assume that users have some method to input ASCII characters. Indeed, having an ASCII keyboard is, may I say so, mandatory to use the web.

Being a native Russian speaker and living in Ukraine, I can assure you that here in Ukraine and Russia every computer keyboard on sale is capable of producing ASCII characters, and very seldom are its keys not marked with both the Cyrillic and Latin symbols. And all the systems I have worked with in the last 10 years were able to use the QWERTY keyboard layout (this includes all versions of Windows, even localized ones [Russian, Arabic, Chinese etc.], every Linux distro I had, flavors of BSD and so on).
josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Post by josh »

The ASCII character thing was just speculation; you still run into the instructions having to be in English. Despite the fact that the captcha is intuitive to most users nowadays, you should always provide the extra instructions in all the languages you are supporting. Is it safe to say that we have come to the following consensus?

"There is no foolproof method of stopping spam bots and supporting your users at the same time; a balance needs to be decided upon that suits the webmaster's needs."

This issue could lead to an interesting debate.. What if you had to "sign in" to the internet? It would be something the ISPs could definitely enforce and it would vastly reduce spammer's anonymity, but is it an invasion of privacy?
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Post by Maugrim_The_Reaper »

Interesting question: how do corporate/government websites pull this all off (if any require anti-spam measures)? Not entirely certain, but aren't there some accessibility requirements these days in the US that parallel the WCAG standard?
In my opinion this is a poor idea, you're complicating the process for the user and this is easily scripted.. just using an old fashioned captcha would be better than this in terms of stopping bots.
And that doesn't complicate matters for users? I run a small PHP game development project; we have two users with visual impairments. I can see their reaction the day I enable CAPTCHA protection against a script bot... Image-based verification sucks. EOF.

Some form of text/html logic test should in theory be as capable as CAPTCHAs (which are themselves scriptable) and not block valid users. Question is how random that logic can be made to make it unpredictable and less vulnerable to scripting? Not sure myself - but see the first line. I'll check google later myself since I'm curious.
josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Post by josh »

Maugrim_The_Reaper wrote:And that doesn't complicate matters for users
Not as much as sitting there figuring out a sequence. At least with traditional captcha people know the deal, just type the string in the box.
AGISB
Forum Contributor
Posts: 422
Joined: Fri Jul 09, 2004 1:23 am

Post by AGISB »

Fact: Captcha has been scripted

I don't understand a logic behind defending a beaten technique that logs out a certain group and forces a lot of legitimate users away because they are annoyed.
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Post by Maugrim_The_Reaper »

jshpro2 wrote:At least with traditional captcha people know the deal, just type the string in the box.

Quite true, for all people. Which is why a certain percentage will simply grimace, curse the developer who ruined their access to the site, and find somewhere that's figured out that it's hard for blind people to read images...;) That's the point I was making, and I believe it may even be illegal in some countries...or at least so for a certain class of websites. In the last year I've disabled CAPTCHAs where they were on by default in several applications, from Serendipity to the Mantis bug tracker and others, simply because it blocks some users from involvement in a project I run.

The whole point here also is that your arguments equally apply to CAPTCHA. The only solid verification is one that proves the presence of a living human in the loop. Simple image reading doesn't help with that anymore - the spammers and other programmers have had years to work at it. Logic (in some format) just might.

Unless spammers start hiring cheap overseas labour to manually spam everyone...ugh.
Groone
Forum Newbie
Posts: 13
Joined: Mon Jan 30, 2006 6:30 am
Location: Mobile, Alabama USA

Post by Groone »

Here is a saying that was placed on all my sites by a spammer:

"Recpect WEB-master!"

Do a google search and check it out. It has to be a group of people because no one can do that much. It's on over 20,000 google pages. Crazy

I finished the checkbox algorithm, but I accidentally left it at work. I think it might actually work. At first I had the check boxes in sequence and the random number was in sequence. There was a possibility of 9 numbers. A random number generator would select 4 of those numbers, never duplicating a number. A question would be posed for the person to "Please check the first box; please check the fourth box; please check the fifth box, and finally please check the eighth box."

Clicking submit would verify the numbers being checked. I used an array of check boxes name="b[]"

I found that it was pretty easy to check the boxes, but a bit difficult for a script. I then decided that it was still too easy, so instead of numbering the check boxes in sequence I randomized it. This added to the complexity of the challenge, but didn't really make it any harder for the user. I'll show the code on Monday when I get back to work if I don't forget.

I also wrote a script to store the guestbook messages and wait for approval. This was easy and I believe using this with the script described above will be my preferred means of challenging bots and users from spam.
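A server-side version of the checkbox challenge Groone describes, combined with the one-time form token from AGISB's post and the try limit josh suggested (added example, not code from the thread). It assumes PHP 7.4+ with sessions enabled; the session key `asuic` and the function names are my own.

```php
<?php
// Added example (not Groone's code): checkbox challenge whose state lives only in the session.
session_start();
const BOX_COUNT   = 9;   // boxes shown, labelled 1..9 in shuffled order
const BOXES_ASKED = 4;   // distinct boxes the user must tick
const MAX_TRIES   = 10;  // the challenge is discarded after this many misses
// Fisher-Yates with random_int(): shuffle()/array_rand() are not CSPRNG-backed.
function secure_shuffle(array $items): array {
    for ($i = count($items) - 1; $i > 0; $i--) {
        $j = random_int(0, $i);
        [$items[$i], $items[$j]] = [$items[$j], $items[$i]];
    }
    return $items;
}
// Build a fresh challenge and remember server-side what a correct answer is.
function make_challenge(): array {
    $labels    = secure_shuffle(range(1, BOX_COUNT));   // number printed on box i
    $positions = array_slice(secure_shuffle(range(0, BOX_COUNT - 1)), 0, BOXES_ASKED);
    $expected  = array_map(fn($p) => $labels[$p], $positions);
    sort($expected);                                     // order-independent comparison
    $token = bin2hex(random_bytes(16));                  // one-time, bound to this form load
    $_SESSION['asuic'] = ['token' => $token, 'expected' => $expected, 'tries' => 0];
    return ['labels' => $labels, 'positions' => $positions, 'token' => $token];
}
// Render the question plus the name="b[]" checkbox array from Groone's post.
function render_form(array $c): string {
    $ask  = implode(', ', array_map(fn($p) => 'box #' . ($p + 1), $c['positions']));
    $html = "<p>Please check $ask, counting from the left.</p>\n<form method=\"post\">\n"
          . '<input type="hidden" name="token" value="' . htmlspecialchars($c['token']) . "\">\n";
    foreach ($c['labels'] as $label) {
        $html .= "<label><input type=\"checkbox\" name=\"b[]\" value=\"$label\"> $label</label>\n";
    }
    return $html . "<button>Post</button>\n</form>\n";
}
// Verify a submission: no challenge, a stale token or the wrong set of boxes all fail.
function verify_challenge(array $post): bool {
    $state = $_SESSION['asuic'] ?? null;
    if ($state === null || !isset($post['token'], $post['b']) || !is_array($post['b'])
        || !hash_equals($state['token'], (string) $post['token'])) {
        return false;
    }
    $ticked = array_map('intval', $post['b']);
    sort($ticked);
    $ok = ($ticked === $state['expected']);
    if ($ok || ++$_SESSION['asuic']['tries'] >= MAX_TRIES) {
        unset($_SESSION['asuic']);  // consume the token on success, or lock after MAX_TRIES
    }
    return $ok;
}
```

As josh points out above, a script that loads the form can still parse the question, so this raises the cost of automation rather than removing it; the moderation queue Groone mentions remains the backstop.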
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Post by Weirdan »

<rant on>
Logic tests... yeah, great. It's like you say to the user "We would rather prefer an intelligent bot over an unintelligent human". You care about the blind, you care about the deaf... but do you care about the stupid? You know, stupid people exist. You've seen them more than once. And they have the right to access your site. What about them?
</rant off>
Roja
Tutorials Group
Posts: 2692
Joined: Sun Jan 04, 2004 10:30 pm

Post by Roja »

Weirdan wrote:<rant on>
Logic tests... yeah, great. It's like you say to the user "We would rather prefer an intelligent bot over an unintelligent human". You care about the blind, you care about the deaf... but do you care about the stupid? You know, stupid people exist. You've seen them more than once. And they have the right to access your site. What about them?
</rant off>
You mean people that can't spell/use grammar correctly? :)

It's an imperfect solution, I agree. My personal preference is always delayed posting with moderation. That way a human is always to blame. :)
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Post by Weirdan »

Roja wrote: You mean people that can't spell/use grammar correctly? :)
I will make a request for spellchecker mod :D. Btw, was that plural vs singular issue? I'm a little slow today, just 34.6 Kbps :)