Ahmed AlFakharany

Reputation: 9

Hardening Captcha security

Nearly all websites use CAPTCHA images to protect their forms from spam. But is this the most secure way? As far as I understand, the idea of CAPTCHA is to challenge the user with an image containing some "hard-to-recognize" text so that if the visitor is a human being (not a bot) he/she will be able to post data, but not machines. The website sends the captcha code (image) and a session variable containing perhaps a hashed version of the captcha image (the correct answer, but hashed). The user submits the form and the server has to make sure that the hash of the letters he/she typed = the hash contained in the session variable. Fine, what if I (the spammer) wrote a piece of software that mimics that same request and sends it to the server? In other words, if the captcha is abc123 and the hash (in the session variable, which can be read with any HTTP sniffer) is xyz345 (consider this a 32-character string) and I sent this data to the server in a POST request? Then I start to be more creative: I put this code in a 10,000 loop that will overwhelm the server with spam data! Now is CAPTCHA that secure? Are there any options by which I can face such a threat? Thanks

Upvotes: 0

Views: 669

Answers (2)

Gumbo

Reputation: 655519

Your assumptions are wrong: Neither can the session data be read by the client nor are Captchas meant to mitigate DOS attacks.

A Captcha is a challenge/response technique where the server issues the client a challenge that is meant to be only solvable by a human. An optical character recognition (OCR) challenge that most of the Captchas present is just one variant, but certainly a good one, as OCR is easy for most literate humans but poses a problem for computers.

But any Captcha is worthless if the response to the challenge is easy to guess, to derive, or to obtain otherwise. Sending the expected response in plain or in a derived form in a hidden form field is such an example. Having the response passed to the Captcha image as a parameter is another example.

That’s why the expected response should stay at the server side, as a session datum, that is not readable by the client as only the session’s identifier is transmitted.

Your second concern, that Captchas can’t prevent DOS attacks, is true. Again, that’s not the problem Captchas were supposed to solve. Captchas were invented to “tell computers and humans apart” and nothing else. They can only help to prevent automated spamming from succeeding. But frankly, intense challenge/response generation is rather likely to lead to DOS.

Upvotes: 1
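The server-side design Gumbo describes (the expected response lives only in the session, the client holds nothing but an opaque session id) as an added example; this is not code from the question or either answer. The in-memory SESSION_STORE, the challenge TTL and the `now` parameter are assumptions so the script runs stand-alone; rendering the answer text into an image is left out.

```python
"""Minimal server-side CAPTCHA challenge/response store (constructed example)."""
import hmac
import secrets
import string
import time
from typing import Dict, Optional, Tuple

# Server-side store: opaque session id -> {"answer": ..., "expires": ...}.
# Only the session id is ever sent to the client (e.g. as a cookie), so sniffing
# the request reveals nothing that could be turned into the expected response.
SESSION_STORE: Dict[str, dict] = {}
CHALLENGE_TTL = 300  # seconds a challenge stays valid (assumed value)
ALPHABET = string.ascii_lowercase + string.digits


def issue_challenge(length: int = 6, now: Optional[float] = None) -> Tuple[str, str]:
    """Create a challenge and return (session_id, answer_text).

    The answer text is returned only so the caller can render it into the
    image; it must never appear in a hidden field, URL parameter or cookie.
    """
    now = time.time() if now is None else now
    answer = "".join(secrets.choice(ALPHABET) for _ in range(length))
    session_id = secrets.token_urlsafe(32)  # unguessable, unrelated to the answer
    SESSION_STORE[session_id] = {"answer": answer, "expires": now + CHALLENGE_TTL}
    return session_id, answer


def verify_response(session_id: str, response: str, now: Optional[float] = None) -> bool:
    """Check the client's response against the server-side answer.

    The challenge is consumed on every attempt, right or wrong, so a captured
    POST cannot be replayed in a loop and one challenge cannot be brute-forced:
    every further submission needs a fresh challenge, i.e. a fresh human solve.
    """
    now = time.time() if now is None else now
    entry = SESSION_STORE.pop(session_id, None)  # single use
    if entry is None or now > entry["expires"]:
        return False
    expected = entry["answer"].encode()
    given = response.strip().lower().encode()  # image text is case-insensitive here
    return hmac.compare_digest(expected, given)  # constant-time comparison


if __name__ == "__main__":
    sid, answer = issue_challenge()
    print("client sees only:", sid)
    print("first submit:", verify_response(sid, answer))   # True
    print("replay:", verify_response(sid, answer))         # False
```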

zapl

Reputation: 63955

Captcha is not a way to prevent stealing session cookies. If you want secure sessions use e.g. HTTPS.

Captcha does not prevent (D)DOS attacks; if you want your server to be safe against 10.000 spam requests per second, put countermeasures against that in place.

The only purpose of a captcha is to decide whether a request comes from a human being or a machine. That shall prevent automated scripts that create accounts and such but you still have to secure your website including the security of the captcha by other means. A server that exposes the answer of a captcha or lets the user decide which captcha to solve is doing it wrong.

The ideal captcha would be trivial to solve for every human but impossible to solve for every machine. So it should not be a challenge for the user. Machines are unfortunately pretty good so you have to raise the challenge and that makes it hard for us too.

Upvotes: 0
