Sla.ckers.org
useless captcha example
Posted by: raptor
Date: December 05, 2006 01:04PM

Ok. I like stupid bugs.
visit this: http://www.adgridwork.com/u.php?page=register
look at source code and find this:
<input type='hidden' id='captchavalue' value='XXXX'>

do i need to say more?

Re: useless captcha example
Posted by: maluc
Date: December 05, 2006 04:38PM

lol.. quite useless. Might work for a WordPress blog though.. in preventing spam spiders, still terrible coding practice.

-maluc

Re: useless captcha example
Posted by: rsnake
Date: December 05, 2006 04:59PM

It would only prevent it as long as someone didn't figure it out. Lots of spiders scrape the HTML for hidden values. That's terrible. Nice find!

- RSnake
Gotta love it. http://ha.ckers.org

Re: useless captcha example
Posted by: jungsonn
Date: December 05, 2006 08:24PM

some ugly pants!

He just has to put the code into a session to fix his issue.

Re: useless captcha example
Posted by: digi7al64
Date: December 05, 2006 09:13PM

<img src='c/4.gif' /><img src='c/2.gif' /><img src='c/8.gif' /><img src='c/3.gif' /><img src='c/7.gif' />

It would appear that a session variable isn't going to help either.

However, in saying that, if the hidden variable was incorrect or a mathematical equation of the original number then that would be cool as it would fool any spiders that read it.... Which, come to think of it, I think rsnake might have blogged about (a blog that only accepts incorrect captchas).

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'

Re: useless captcha example
Posted by: NIST.org
Date: December 05, 2006 10:56PM

Even running a crude algorithm on the "hidden" value would help. Anything to obfuscate it a bit. Because this isn't a password that needs to remain hidden, simply multiply all the numbers together, do the same thing on the submission, and compare. Of course a hash value would be even better. But spiders aren't human and can't easily make a determination of what is an easy target worth spending lots of time on and what isn't. So any simple formula would do (as long as this isn't a plug-in used elsewhere). Of course they could pay some kid in India 25 cents an hour to search the code and break the algorithm. But then again they could just pay the kid to read the captcha and type it in. Which of course they're already doing.

John

Re: useless captcha example
Posted by: jungsonn
Date: December 06, 2006 06:36AM

"break the algorithm." ?

I mean when I write a CAPTCHA I base it on a random set of chars/numbers, undeterminable 'cause it's a pseudo-random choice.

I then fixate the result into a session.
On the next page I check the session with the given value from the form.
If they are equal, then we've had a human who gave the correct answer.

Simple.
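The two designs the thread contrasts, as an added example that is not from the original post or from the site raptor linked: the hidden-input pattern, where the server compares two fields that both came from the client, beside the session-backed check jungsonn describes. The session store is a plain dict standing in for PHP's $_SESSION, and the field names, alphabet and helper names are assumptions made for this example.

```python
import hmac
import secrets
import string

# Constructed stand-ins: a digit-only CAPTCHA alphabet and a server-side
# session store keyed by session id (the role $_SESSION plays in PHP).
ALPHABET = string.digits
SESSIONS = {}


def generate_captcha(length=5):
    """Pick the challenge text with a CSPRNG (the 'pseudo random choice' in the post)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def render_form_vulnerable(captcha):
    """The pattern raptor found: the answer is shipped to the client in a hidden input."""
    # This dict is what ends up in the page as <input type='hidden' id='captchavalue' value=...>.
    return {"captchavalue": captcha}


def check_vulnerable(form):
    """Server compares two client-controlled fields, so any self-consistent
    submission (including one that simply copies the hidden field) passes."""
    return form.get("captcha") == form.get("captchavalue")


def render_form_session(session_id):
    """Hardened: generate the challenge, keep it server-side, return only what
    the image would show. The HTML carries no copy of the answer."""
    captcha = generate_captcha()
    SESSIONS.setdefault(session_id, {})["captcha"] = captcha
    return captcha


def check_session(session_id, form):
    """Compare the submitted answer with the session copy; the stored value is
    consumed on first use so one solved challenge cannot be replayed."""
    expected = SESSIONS.get(session_id, {}).pop("captcha", None)
    if expected is None:
        return False  # no challenge issued for this session, or already used
    submitted = form.get("captcha", "")
    return hmac.compare_digest(submitted, expected)


if __name__ == "__main__":
    # Vulnerable flow: a scraper only needs to echo the hidden field back.
    hidden = render_form_vulnerable(generate_captcha())
    print("vulnerable accepts echoed hidden value:",
          check_vulnerable({"captcha": hidden["captchavalue"], **hidden}))
    # Session flow: the answer never leaves the server.
    shown = render_form_session("sid-1")
    print("session accepts correct answer:", check_session("sid-1", {"captcha": shown}))
    print("session rejects replay:", check_session("sid-1", {"captcha": shown}))
```

Note that check_session also rejects a submission that arrives under a different session id than the one the challenge was issued to, which is the property the hidden-field version cannot offer: the only place the expected value exists is the server.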

Re: useless captcha example
Posted by: NIST.org
Date: December 09, 2006 10:47AM

True, including the CAPTCHA value in the HTML in any format isn't necessary. But if you're going to do it (who knows why they did it in this example) then at least scramble it a bit.

Re: useless captcha example
Posted by: idosec
Date: December 10, 2006 07:48AM

What about using a "honeypot" hidden input in the form?
You would then know "who" the robots are (ip, fake user agent and so on...).
I don't know what "bad behavior" (WordPress plugin) does,
but we could then track these spam spiders and block them?
Or is it naive?

Re: useless captcha example
Posted by: rsnake
Date: December 10, 2006 09:38PM

I'm not sure I follow. If it's a hidden value it will always be passed by everyone all the time. Did you mean to continue to put the hidden value in and see if they don't enter a different CAPTCHA value in it? That would be no different than just not putting the CAPTCHA value in it at all, which you can also block on, inherently.

Or am I missing something?

- RSnake
Gotta love it. http://ha.ckers.org

Re: useless captcha example
Posted by: idosec
Date: December 11, 2006 04:28AM

Sorry, I did not make myself clear.
I'm not suggesting how to make the captcha safe with a hidden field.

Given that an intelligent spider will read a hidden value named "captcha", what about a honeypot?
We would not use the hidden value to validate the captcha, but if the value submitted by a spider, robot, human, whatever, equals the hidden field value, we can make the assumption this "submit" is "evil".

Briefly: give the bot a fake means to break the captcha and use that to know they are evil.

Then, we could redirect the bot to whatever site we want, or perhaps better, profile it to see what it tries to pretend it is: ip, user agent...etc...to get a blacklist of those robots.

Or is it naive?

Re: useless captcha example
Posted by: rsnake
Date: December 11, 2006 10:21AM

If there is a value in the hidden form field it will _always_ get submitted by every normal user (and robot alike) as that hidden value. So what you're saying is if the hidden value gets submitted and it matches what is in the CAPTCHA raise a flag (since they shouldn't). That would work, but I don't think it would do much to stop the bad guys, because if you blocked on that data they would just stop doing it. The only way they would ever know that the CAPTCHA data was in a hidden form field would be to manually review it and if they noticed that it was no longer working suddenly they would just need to look at it and see that the value no longer matched. There would be no difference between that and just removing it altogether.

Likewise if the bad guy had never used the site before and just went there for the first time after you had fixed it they wouldn't be deterred any more or any less than if it were never there, since they would have never seen it as a valid value.

For logging purposes it may be interesting, but I don't think you'll have any trouble detecting which robots are robots once you start seeing the viagra spam show up on your site. ;)

- RSnake
Gotta love it. http://ha.ckers.org

Re: useless captcha example
Posted by: maluc
Date: December 12, 2006 01:55AM

You could though, make a second form in a hidden div.. that mimics the comments form, just to a different form-processor. Anyone who submits that is a bot or nosey person.. either way, add em to a fu.ckers list. Obviously, if WordPress added this in to every user's copy.. spam bots will be updated the same day. So, just a personal solution.

-maluc
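The three detection signals discussed in this thread, as an added example that is none of the posters' code: idosec's decoy (a hidden input carrying a fake CAPTCHA answer; a submission that echoes it came from something that read the HTML), a CSS-hidden honeypot input that a person never sees and so never fills, and maluc's second form in a hidden div posting to a different handler. Bots are logged with the ip and user agent idosec wanted to profile. The field names, handler paths, request shape and the sample requests are all constructed for this example.

```python
# Assumed form layout (not from the original page):
HONEYPOT_FIELD = "website"          # present in the real form but hidden with CSS; humans leave it empty
DECOY_FIELD = "captchavalue"        # hidden input with a fake answer; the real answer lives in the session
REAL_HANDLER = "/comment.php"       # where the visible form posts
DECOY_HANDLER = "/comment-alt.php"  # where the hidden duplicate form posts (maluc's idea)

# The decoy must never equal the real session-stored answer, or a human could
# trip the check by typing the right thing; the issuing code is responsible for that.


def classify(request):
    """Return (verdict, reasons) for one submission. verdict is 'human' or 'bot'."""
    reasons = []
    form = request["form"]
    if request["path"] == DECOY_HANDLER:
        reasons.append("posted to the hidden duplicate form")
    if form.get(HONEYPOT_FIELD, "") != "":
        reasons.append("filled the CSS-hidden honeypot field")
    if DECOY_FIELD in form and form.get("captcha") == form[DECOY_FIELD]:
        reasons.append("echoed the decoy hidden captcha value")
    return ("bot" if reasons else "human", reasons)


def build_blocklist(requests):
    """Run classify over a batch and collect ip -> profile for everything flagged."""
    blocklist = {}
    for req in requests:
        verdict, reasons = classify(req)
        if verdict == "bot":
            entry = blocklist.setdefault(req["ip"], {"user_agents": set(), "reasons": set()})
            entry["user_agents"].add(req["user_agent"])
            entry["reasons"].update(reasons)
    return blocklist


# Constructed sample traffic (documentation IP ranges, made-up user agents).
SAMPLE_REQUESTS = [
    {"ip": "198.51.100.7", "user_agent": "Mozilla/5.0 (constructed human)", "path": REAL_HANDLER,
     "form": {"comment": "nice post", "captcha": "7392", "captchavalue": "1180", "website": ""}},
    {"ip": "203.0.113.9", "user_agent": "Mozilla/4.0 (constructed bot)", "path": REAL_HANDLER,
     "form": {"comment": "cheap pills", "captcha": "1180", "captchavalue": "1180",
              "website": "http://spam.invalid"}},
    {"ip": "203.0.113.9", "user_agent": "Mozilla/4.0 (constructed bot)", "path": DECOY_HANDLER,
     "form": {"comment": "cheap pills", "captcha": "", "website": ""}},
]


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req["ip"], req["path"], classify(req))
    print(build_blocklist(SAMPLE_REQUESTS))
```

As rsnake notes above, none of these signals stops an operator who looks at the page by hand; what they give a site owner is a cheap, low-false-positive way to separate scripted submissions from people before the spam itself is the tell, and a profile (ip, user agent) to act on.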
