Cenzic 232 Patent
Paid Advertising
sla.ckers.org is
ha.ckers sla.cking
Sla.ckers.org
How robots and spiders are causing issues, how to stop them. We can also talk about Completely Automated Public Turing Test To Tell Computers And Humans Apart - their use, their compliance issues, porn proxies, PWNtcha and other ways to defeat them. 
Go to Topic: PreviousNext
Go to: Forum ListMessage ListNew TopicSearchLog In
Sliceya CAPTCHA
Posted by: Gareth Heyes
Date: January 15, 2009 08:13AM

Yep me again. I don't give up this CAPTCHA stuff. Here is another attempt:-

http://www.thespanner.co.uk/2009/01/15/sliceya-captcha/

Any comments or suggestions appreciated thanks

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Options: ReplyQuote
Re: Sliceya CAPTCHA
Posted by: wireghoul
Date: January 15, 2009 10:36PM

A few possible attacks... some are better than others...

1) Brute force guess at the an element in the keywords array
You have 1/x chance of success. With 6 keywords in your example that gives an attacker a 16.66666% chance of success with brute force alone.

1.a) Educated guess at keyword based on the length specified in the hint

2) Reverse the algorithm
You image urls contain a md5 string...cracking this will let you verify which keyword is used.

3) Supply your own keyword
We have a winrar!
Step1.. Load up http://www.businessinfo.co.uk/labs/sliceya/sliceya.php?keywords=Bart%20Simpson,Homer%20Simpson,Marge%20Simpson,Lisa%20Simpson,Maggie%20Simpson,Sideshowbob
Step2.. Click in the address bar and enter http://www.businessinfo.co.uk/labs/sliceya/sliceya.php?keywords=a
Now you can use the md5sums of the image slices to work out the order and enter A as a keyword automagically.


On the whole it is probably easier to crack than your average captcha due to the limits in sensible keywords. It also happens to be harder to use, you are depending on the hint to solve the captcha. When I entered a,b,c,d,e as keywords it gave me the D&G logo as an image. Most people would not guess d based on that image and hint alone. My first thought for the Bart Simpson image was "crime scene" so I would have failed if I was presented with just the image.

[www.justanotherhacker.com]



Edited 1 time(s). Last edit at 01/15/2009 10:38PM by wireghoul.

Options: ReplyQuote
Re: Sliceya CAPTCHA
Posted by: Gareth Heyes
Date: January 16, 2009 03:16AM

@wireghoul

Thanks for testing. Point 3 isn't really relevant because the CAPTCHA won't be providing the option for a user to enter keywords, I did that to show how the web crawling worked.

The idea would be to have a large selection of images and the attacker wouldn't know the keywords used.

I plan to remove the hint and accept any word of the answer, the slices could also be randomly sliced instead of the image center.

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Options: ReplyQuote
Re: Sliceya CAPTCHA
Posted by: wireghoul
Date: January 16, 2009 04:20PM

In that case, might I suggest that you run it with logging so you can see what kinda of answers you get from submissions. Like they say a picture is worth a thousand words, so picking the right one might be hard.

Cheers.

[www.justanotherhacker.com]

Options: ReplyQuote
Re: Sliceya CAPTCHA
Posted by: Spyware
Date: March 04, 2009 06:51PM

It's a fairly trivial task to re-assemble the image using some fancy pixel counting on the borders of the image slices.

After the picture is restored someone could just search for the image using those "upload an image and we'll search for images just like it" search engines used by deviantart members to check who's ripping their work.

It would work a lot better if the database of images is private (read: unique).

Options: ReplyQuote
Re: Sliceya CAPTCHA
Posted by: Gareth Heyes
Date: March 05, 2009 02:48AM

@Spyware

Yeah good point, I was think about doing random slices at different sizes and positions to counter this. I can't really do anything about the uniqueness as I don't have the resources but if this was ever used the images would have to be unique.

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Options: ReplyQuote
Re: Sliceya CAPTCHA
Posted by: Spyware
Date: March 05, 2009 02:34PM

Gareth Heyes Wrote:
-------------------------------------------------------
> @Spyware
>
> Yeah good point, I was think about doing random
> slices at different sizes and positions to counter
> this.

I don't think "random" (more complicated) slices will prevent computer programs from reconstructing the image. It's very, very basic math to rearrange the slices. 1px border scanning, then just check the borders against each other for length and/or colour.

Options: ReplyQuote
Re: Sliceya CAPTCHA
Posted by: Gareth Heyes
Date: March 05, 2009 03:14PM

Well I could add filters to individual slices and colourize them to make, along with different sizes and shapes

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Options: ReplyQuote


Sorry, only registered users may post in this forum.