The Anti-Captcha Challenge
Recap: the problem with current Captcha solutions
The general purpose of a Captcha is to prevent the automation of form submission: for example, to protect a guestbook from filling up with spam entries or to prevent hundreds of bogus users from registering on a forum.
Until recently, image-based Captchas have been a reasonable solution to this problem. However, with Optical Character Recognition techniques getting better and better, Captchas too have to keep increasing in complexity.
Just look at these gems and imagine yourself being color blind:

Ironically, it has come to the point where computers are better at deciphering Captchas than humans are, simply because computers have infinite patience.
To illustrate: evildoers trying to beat your Captcha are probably satisfied with a success ratio of 1/100 – because in just a few hours of repetition this can add up to hundreds of successful passes. A typical human user on the other hand probably throws in the towel after three consecutive failed attempts – at which point they'll most likely leave your website altogether.
Who can blame them? The average user doesn't understand why they should enter a random string of letters in the first place. It's not their problem and they do not care what it is for. For them it is some sort of annoying puzzle that stands in the way of doing what they want to do. Not being able to pass it makes them feel inadequate and frustrated.
I argue, let's keep the end-user entirely out of it,
I propose we rid ourselves of Captcha's as we know it,
I proclaim this the era of Anti-Captcha's... Hallelujah!
The Anti-Captcha challenge
The basic idea behind it is simple:
"Create a captcha solution which does not require any end-user interaction"
As a first attempt, I concocted a working Anti-Captcha based on the reasoning that only browsers can interpret javascript well. This turns the question "Has a human been involved?" into "Has a browser been involved at form submission?". In general the two answers turn out to be the same (see the "Caveats" section below).
How it works
Check out the online demo here
In the head of the html document an external javascript file is included. This file is in fact a php script which is designed to:
- Generate a random token
- Store a sha1 checksum of this token in a cookie
- Generate some obfuscated javascript code which (when interpreted) adds a hidden input field, with the token as its value, to every form element on the webpage
After form submission, the checksum of the posted token must equal the checksum stored in the cookie. As a bonus, because the cookie and the hidden field have to match, this technique should also provide adequate protection against XSRF.
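The exchange described above, simulated end to end as an added example (this is not the Anti-Captcha script's own code). The names of the hidden field and the cookie are the ones used on this page; the token generator, the "browser" and "bot" clients and the scenario runner are assumptions of the simulation. It shows why a client that never ran the script, a client with cookies blocked, a replayed token and a cross-site forgery are all rejected, and it compares the checksums in constant time with a strict match rather than the loose PHP `==` of the verification snippet below.

```python
import hashlib
import hmac
import secrets

# Field and cookie names as used by Anti-Captcha on this page
TOKEN_FIELD = "anti-captcha-token"
COOKIE_NAME = "anti-captcha-crc"


def sha1_hex(value):
    """Hex SHA-1 of a string, the checksum stored in the cookie."""
    return hashlib.sha1(value.encode()).hexdigest()


def issue_token():
    """Server side (the js.php script): generate a random token and the
    cookie holding only its checksum. The token itself is embedded in the
    obfuscated javascript, never in the cookie. (Assumed generator.)"""
    token = secrets.token_hex(16)
    cookies = {COOKIE_NAME: sha1_hex(token)}
    return token, cookies


def browser_submit(form_fields, token):
    """Client that interpreted the script: the hidden field gets added."""
    submitted = dict(form_fields)
    submitted[TOKEN_FIELD] = token
    return submitted


def bot_submit(form_fields):
    """Client that only fetched the HTML: posts the form as-is."""
    return dict(form_fields)


def verify_submission(post, cookies):
    """Server side verification. Returns (accepted, cookies_after).
    On success the cookie is rotated, so the same token cannot be replayed."""
    token = post.get(TOKEN_FIELD)
    expected = cookies.get(COOKIE_NAME)
    if token is None or expected is None:
        # Missing hidden field or missing cookie: no javascript/cookies
        return False, cookies
    # Strict, constant-time comparison of the two hex digests
    if not hmac.compare_digest(sha1_hex(token), expected):
        return False, cookies
    rotated = {COOKIE_NAME: sha1_hex(secrets.token_hex(16))}
    return True, rotated


def run_scenarios():
    """Constructed scenarios; returns which submissions were accepted."""
    form = {"name": "alice", "comment": "hello"}
    token, cookies = issue_token()
    results = {}
    # 1. Browser with javascript and cookies enabled: accepted
    ok, cookies_after = verify_submission(browser_submit(form, token), cookies)
    results["browser"] = ok
    # 2. Same token posted again after the cookie was rotated: rejected
    results["replay"], _ = verify_submission(browser_submit(form, token), cookies_after)
    # 3. Bot that never ran the script: rejected
    results["bot"], _ = verify_submission(bot_submit(form), cookies)
    # 4. Browser that ran the script but blocks cookies: rejected
    results["no_cookie"], _ = verify_submission(browser_submit(form, token), {})
    # 5. Cross-site forgery: attacker-chosen field value, victim's cookie: rejected
    results["forged"], _ = verify_submission(browser_submit(form, "not-the-token"), cookies)
    return results


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name:10s} accepted={accepted}")
```

The cookie-to-hidden-field binding is the double-submit-cookie pattern: a forged cross-site request cannot read the victim's cookie, so it cannot produce a matching field value. The rotation in `verify_submission` is what the `setcookie` call in the PHP snippet below does.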
Installation
- Download Anti-Captcha
- Put both scripts in the head of your html document (in the proper order):
    <head>
        <script src="anti-captcha-0.2.js.php" type="text/javascript"></script>
    </head>
- After form submission, match the posted token against the sha1 checksum stored in the cookie:
    <?php
    // Verify the token using the checksum stored in the cookie.
    // isset() avoids notices when the field or cookie is missing, and the
    // strict comparison (===) avoids PHP's loose string-to-number juggling.
    if (isset($_POST['anti-captcha-token'], $_COOKIE['anti-captcha-crc'])
        && sha1($_POST['anti-captcha-token']) === $_COOKIE['anti-captcha-crc']) {
        // Reset token (preventing form resubmission)
        setcookie('anti-captcha-crc', sha1(rand()), time() + 3600, '/');
        // Continue form validation
        die('Captcha accepted');
    } else {
        // No matching Anti-Captcha checksum received
        die('Error, please enable javascript and/or cookies');
    }
Looking for the WordPress plugin? Click here
Requirements
The Anti-Captcha script is written to be PHP4 compatible and should run on most hosting platforms. It has been tested and verified to work in most browsers, including the dreaded IE6. Note: the user does need to have javascript and cookies enabled for form submission to succeed.
Caveats
Obviously this technique isn't perfect: at some point bots might gain the ability to interpret javascript, or simply read out the obfuscated code instead. At that time a different approach, with a similar concept, would be needed.
It should also be possible to fool the Anti-Captcha with the use of "automated mouse-clicking software". However, this should be very hard to combine with botnets, which makes additional security layers (for example, capping the number of form submissions per IP address) more feasible.
Another major drawback is that javascript is required to submit forms at all, which is something you should ponder over yourself. Personally I feel this outweighs the disadvantages of image-based Captchas, but that probably depends on the project at hand.
Credits
Part of the obfuscation technique used is based upon Dean Edwards' JavaScript Packer, which was ported to PHP by Nicolas Martin and made compatible with PHP4 by Mark Fabrizio Jr.
License
The Anti-Captcha is licensed under LGPL 2.1
August 19th, 2009 - 10:48
Why wouldn’t you combine the two technologies? Show a captcha if someone doesn’t have javascript enabled (he’s probably used to being mistreated on the net as loads of websites only work with JS enabled), and use the above technique if JS is enabled.
BTW there are more captcha-like methods: I’ve seen a website where you’re being asked to click the biggest circle in an image. We can all do this, a spambot needs to dig into language interpretation to know what the assignment is. Just a random thought.
August 19th, 2009 - 11:27
Basically you’re using a nonce (http://en.wikipedia.org/wiki/Cryptographic_nonce), but you’re injecting it into your form through javascript instead of just slapping it into your html which is more common practice. I’m sure it works quite nicely, but for me personally requiring javascript for form submissions is a bit too much …
On forms that attract a lot of automated submissions I sometimes add an empty input field and hide it from the users through CSS. When the form is submitted I check if the field is empty on the serverside. If not I reject the submission. It’s probably best to add a ‘please leave this field empty’ comment next to the input and give a descriptive error message when the form submission is rejected.
It sounds really stupid, but it’s quite effective!
August 19th, 2009 - 11:32
I like your idea! It’s simple but effective
August 19th, 2009 - 11:33
I think it’s a good idea, these captchas drive me insane!
August 19th, 2009 - 11:35
@Josse @4rn0 It should be possible to combine a regular Captcha with the Anti-Captcha (making it a whole lot more complex). Though, I wonder – who actually doesn’t use javascript? Google obviously, but they don’t need form submissions. In fact, the entire website could still be built with unobtrusive javascript in mind.
Second, I agree that there are some excellent concepts out there to separate humans from bots. However in my mind, that’s not the real question. Captchas are meant to prevent the automation of form submission, not to validate the submitted data itself. I.e. a spammer can crack any captcha by hand (including the anti-captcha), this can not be prevented. So I argue, let’s not bore the end-user with Captchas at all.
August 23rd, 2009 - 01:36
Comment spam is a tough nut to crack. You’re doing a very worthy project.
However, I’ve seen another Javascript based approach, WP Captcha Free,
http://wordpress.org/extend/plugins/wp-captcha-free/
How does it compare with your approach? Also on the plugin page, iDope the author discussed the comparison with WP-SPAM FREE, which is cookie based. http://wordpresssupplies.com/wordpress-plugins/captcha-free/
Well, none of these are perfect, only one step ahead of the bots. If all the techniques are combined, we’ll be a few steps ahead.
What do you think?
August 30th, 2009 - 09:37
test with javascript enabled
if this show, than it works
August 30th, 2009 - 09:38
yes it works
i will use it now
August 30th, 2009 - 09:42
Will Anti-Captcha work in a mobile browser?
August 31st, 2009 - 12:11
@ibnux Good question, if the mobile browser supports javascript and cookies it should work. Try it out and let us know!
August 31st, 2009 - 19:22
@Jiwei Wang By the looks of it, the “WP Captcha-Free” is quite similar in idea and technique. Some difference with the anti-captcha plugin: it labels rejected comments instantly as spam instead of removing it, additionally it also protects the login/register/password-lost forms of your blog and with the use of obfuscated javascript it’s more difficult for spammers to automatically read-out the javascript and insert the hash themselves. Finally I find it strange that iDope uses a completely different (visible) captcha on his own blog, why is that?
September 1st, 2009 - 21:30
Let me answer that. I also wrote the Clickcha plugin I use there and it got the space since it’s the newer one.
BTW, do check out Clickcha ( http://clickcha.com ). It’s a new kind of Captcha.
September 1st, 2009 - 21:40
One more thing, WP Captcha-Free doesn’t need obfuscated javascript as the hash is never stored in the script. It gets the hash from the server (using ajax) only when the comment is posted and it expires soon after.
Of course this assumes that bots cannot execute JS. If they can run JS, obfuscation is not going to make any difference.
September 2nd, 2009 - 14:15
@iDope thanks for the clarification
Just for the sake of argument, wouldn’t it then be theoretically possible for a spammer to simply request the hash from server (using curl or wget) and then insert it the same way you do? No javascript required.
PS. I do like the idea and simplicity of Clickcha. However since it also requires javascript, I prefer an invisible technique like WP Captcha-Free or my own Anti-Captcha.
September 2nd, 2009 - 17:49
You are right, that is a weakness (although it is slightly mitigated since the hash is unique for the IP, post, etc. and expires shortly after). The problem with anti-spam techniques that don’t require human input is that the moment the spammer starts specifically targeting the technique, you are toast. You make it harder for the spammers by constantly changing things around but that’s about it.
Clickcha doesn’t really require Javascript. It’s just that its current implementation as the WordPress plugin uses JS for some optimization (loading Clickcha only when needed).
September 2nd, 2009 - 18:05
How you actually salt the hash (IP, timestamp etc) doesn’t matter if you’re allowing the spammer to just ask for the end-result from the server. Solely for that reason Anti-Captcha outputs randomly generated and obfuscated javascript code to ensure that the bot actually HAS to interpret javascript. This makes it that much harder to crack, albeit not impossible.
You’re right though – as soon as they start to target your technique you’re practically toast. In my opinion neither Clickcha nor any other captcha technique is safe from this. Just look at how difficult image captchas have become.
With Anti-Captcha I’m trying to make a captcha solution which obviously works but is also user-friendly. You probably agree that all three of our solutions have that same intent. We do have the same goal – only with a slightly different approach.
September 11th, 2009 - 00:25
The online demo complains with “Error, please enable javascript”. But I do have javascript enabled!
September 15th, 2009 - 09:32
@Senthil Nathan What browser (+version) are you using? Your comment here also ended up as being spam. Are you sure javascript is enabled? Is it possible that you’re blocking cookies?
September 23rd, 2009 - 01:42
How about you generate a field and field label. The label says what to type in the field. For instance: Enter the number 1 in field. Script compares field value with what script put in label.
September 23rd, 2009 - 11:39
@David What you propose has been done numerous times before. In my view it’s not very user-friendly because you’re distracting your visitors from what they want to do (i.e. buy an item or contact you for more information). It therefore doesn’t comply with the basic idea behind this post: “Create a captcha solution which does not require any end-user interaction”. Furthermore, it’s also much easier to foil.
November 2nd, 2009 - 07:30
Testing from mobile iPhone
November 10th, 2009 - 21:55
I tried it with Internet Explorer 8 (64 bit version) and it returned the “Error, please enable javascript” message.
Javascript is definitely on, so it seems like a bug.
November 11th, 2009 - 14:58
@IE8user Is it possible that you blocked the cookie? In my IE8 it works. Maybe the error message needs adjustments.
December 27th, 2009 - 14:34
yay team. Test with js on
December 27th, 2009 - 14:38
just a note: Using NoScript on FF 3.5.6/Mac. When fili.nl is ‘blocked’ the comment fails but no message is displayed to enable javascript.
Good work though. Installed the wp plugin – some botnet has been hitting my blog with hundreds of spam messages since Christmas eve.
Mike
January 23rd, 2010 - 18:34
The best anti-captcha module is used in the JDownloader software to get rid of captchas on file-hoster websites like rapidshare, megaupload and hotfile.
It is working very well, but I could not find anti-captcha’s home page yet; if I find it I am planning to use it in my software to skip captcha problems!
March 16th, 2010 - 00:10
The problem is, you can write a spamming bot which is using your browser, so…
May 25th, 2010 - 16:16
nice job thanks
September 2nd, 2010 - 07:44
really good job.. nice man,…