Online since 2002. Over 3300 puzzles, 2600 worldwide members, and 270,000 messages.

TwistyPuzzles.com Forum

It is currently Thu Jul 24, 2014 8:05 am

All times are UTC - 5 hours



Post new topic Reply to topic  [ 4 posts ] 
Author Message
 Post subject: How not to do a CAPTCHA
PostPosted: Thu Jul 14, 2011 8:50 am 
Offline
User avatar

Joined: Fri Feb 06, 2009 2:57 pm
Location: Pittsburgh
Code:
      answerDiv.innerHTML = '<legend>Anti-spam protection</legend>'
      + '<!-- Turing test using Gab Captcha 2 v1.0.14 (http://www.gabsoftware.com/products/scripts/gabcaptcha2/) -->'
      + '<p>Prove that you are Human by typing the emphasized characters:</p>'
      + '<label for="commentturing"><span class="gabcaptchai">V</span><span class="gabcaptchai">X</span><span class="gabcaptchai">C</span><span class="gabcaptchai">W</span><strong class="gabcaptchav">Z</strong><span class="gabcaptchai">W</span><strong class="gabcaptchav">A</strong><span class="gabcaptchai">R</span><span class="gabcaptchai">P</span><span class="gabcaptchai">S</span><span class="gabcaptchai">Z</span><span class="gabcaptchai">R</span><strong class="gabcaptchav">U</strong><span class="gabcaptchai">E</span><strong class="gabcaptchav">T</strong><span class="gabcaptchai">K</span></label>'
      + '<input type="text" id="commentturing" name="CommentTuring" maxlength="16" class="textField" /><br />'
      + '<input type="hidden" id="commentsecret" name="CommentSecret" value="ZDMwYjUzYTI3YTJjYzk4MjNkMDJlNGY4MWRjNmJjNzc=" />'
      + ''
      + '<br />'
      + '<a class="gabcaptchalc" title="Gab Captcha 2 v1.0.14" href="http://www.gabsoftware.com/products/scripts/gabcaptcha2/">Gab Captcha 2 &copy; GabSoftware</a>'
      + '';
      submitp.appendChild( answerDiv, commentField );
That's the code for the captcha on this page:
http://www.leonardofranca.com/index.php ... r-android/

The interesting part is this part:
Code:
<label for="commentturing"><span class="gabcaptchai">V</span><span class="gabcaptchai">X</span><span class="gabcaptchai">C</span><span class="gabcaptchai">W</span><strong class="gabcaptchav">Z</strong><span class="gabcaptchai">W</span><strong class="gabcaptchav">A</strong><span class="gabcaptchai">R</span><span class="gabcaptchai">P</span><span class="gabcaptchai">S</span><span class="gabcaptchai">Z</span><span class="gabcaptchai">R</span><strong class="gabcaptchav">U</strong><span class="gabcaptchai">E</span><strong class="gabcaptchav">T</strong><span class="gabcaptchai">K</span></label>'
Where you can see two different classes, gabcaptchai and gabcaptchav. You'll also see that all gabcaptchav classes are STRONG instead of span. The fact that it is two different classes means that with a bit of CSS trickery:
Code:
.gabcaptchai{ display:none !important;}
all that will be left is the characters that need typed in. If I wanted to make a bot that could do this, I could just use regex to get what I needed and JS to fill the field, then just use CSS to hide the whole box. I'm not strong in regex so I can't provide an example for that, but here are some screenshots.

Attachment:
File comment: How it looks to start
Captcha1.PNG
Captcha1.PNG [ 108.86 KiB | Viewed 534 times ]
Attachment:
File comment: How it look made trivial
Captcha2.PNG
Captcha2.PNG [ 109.16 KiB | Viewed 534 times ]


Any other laughably weak security features you've seen on websites?

_________________
3x3x3 PB: 00:48.10
"Study gravitation, it's a field with a lot of potential."
Image


Top
 Profile  
 
 Post subject: Re: How not to do a CAPTCHA
PostPosted: Thu Jul 14, 2011 10:32 am 
Offline
User avatar

Joined: Fri Feb 06, 2009 2:57 pm
Location: Pittsburgh
Actually, it should be possible with just javascript. D: I'm looking into it.

_________________
3x3x3 PB: 00:48.10
"Study gravitation, it's a field with a lot of potential."
Image


Top
 Profile  
 
 Post subject: Re: How not to do a CAPTCHA
PostPosted: Thu Jul 14, 2011 10:59 am 
Offline
User avatar

Joined: Fri Feb 08, 2008 1:47 am
Location: near Utrecht, Netherlands
Quote:
<input type="hidden" id="commentsecret" name="CommentSecret" value="ZDMwYjUzYTI3YTJjYzk4MjNkMDJlNGY4MWRjNmJjNzc=" />
The highlighted value is just the MD5 value of the secret in base 64. You can just undo the base64 encoding, and then look up the (unsalted!) MD5 hash using a table, given that the secrets are not too long.

Other than that and the fact that plaintext CAPTCHA's are not a good idea, it's way stronger than what we have on this site (just a single question, "How many sides does a rainbow cube have?" - that is strong enough because spammers don't take the time to look at each site individually, and if they do ever implement a regex thing or look up how many sides a rainbow cube has, the site owner can always switch to something different.

_________________
Tom's Shapeways Puzzle Shop - your order from my shop includes free stickers!
Tom's Puzzle Website


Buy my mass produced puzzles at Mefferts:
- 4x4x6 Cuboid for just $38
- Curvy Copter for just $18
- 3x4x5 Cuboid for just $34


Top
 Profile  
 
 Post subject: Re: How not to do a CAPTCHA
PostPosted: Thu Jul 14, 2011 11:01 am 
Offline
User avatar

Joined: Fri Feb 06, 2009 2:57 pm
Location: Pittsburgh
I've already grabbed just the elements needed, in order, to a variable in javascript. Now just to fill in the field with it. Another google! D:

Code:
var capChars = document.getElementsByClassName("gabcaptchav");
Okay, got it to have just the string of characters:
Code:
var CapChars = $$('.gabcaptchav').map(function(val,i) { return val.innerHTML; });
document.getElementById("commentturing").value = CapChars.join("");
That'll fill it in. This works in firebug for firefox, I'm not sure what the $$ translates to for pure javascript.

I got it in pure javascript. :D
Code:
var CapStr = [], CapChar = document.getElementsByClassName("gabcaptchav");
for(var i=0, im=CapChar.length; im>i; i++)
  CapStr.push(CapChar[i].innerHTML);

document.getElementById("commentturing").value = CapStr.join("");
Try it by going to the website and putting this in the url bar:
Code:
javascript:var CapStr = [], CapChar = document.getElementsByClassName("gabcaptchav"); for(var i=0, im=CapChar.length; im>i; i++)   CapStr.push(CapChar[i].innerHTML);  document.getElementById("commentturing").value = CapStr.join("");void(0);

If you have Greasemonkey and Stylish installed, you can make a userscript to autofill the captcha, and a userstyle to hide the box away. :D TAHDAH.

_________________
3x3x3 PB: 00:48.10
"Study gravitation, it's a field with a lot of potential."
Image


Top
 Profile  
 
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 4 posts ] 

All times are UTC - 5 hours


Who is online

Users browsing this forum: No registered users and 8 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  

Forum powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group