Presentation is loading. Please wait.

Presentation is loading. Please wait.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Similar presentations


Presentation on theme: "Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP."— Presentation transcript:

1 Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation OWASP CAPTCHA The Image We All Love To Hate Shay Zalalichin and Avi Douglen Comsec Consulting Israel 2008 September 14

2 OWASP 2 Introduction  Completely Automated Public Turing Test to Tell Computers and Humans Apart

3 OWASP 3 CAPTCHA Techniques Background  Colors  Patterns  Distortion  Warping  Perturbation  Lines Text  Non-Alpha  Fonts  Sizes  Crowding  Deformation  Rotation

4 OWASP 4 Common Uses  Account Registration  Blog Comments  Contact Us Forms  Data Enumeration  Online Polls  Search Engine Bots  Worms  Authentication Mechanism  CSRF

5 OWASP 5 Implementation Attacks – Example captcha_image.php?x=-8&y=20&l=12 (x + 12, y – 17) - Mike Spindel and Scott Torborg, DEFCON 16, CAPTCHAs Are they hopeless

6 OWASP 6 Implementation Attacks – More Example  Solution as part of Image Id  Static Solution per Image Id  Multiple Solution Attempts on Single Image  Small number of repeated images / Limited solution space  Dataflow Bypass

7 OWASP 7 Attacks – Automatic Recognition  Optical Character Recognition (OCR)  Preprocessing  Segmentation  Classification  Success Rates  20% success for Gmail  30-35% success for Hotmail  60-90% success for most others…  Speech-to-Text

8 OWASP 8 - Mike Spindel and Scott Torborg, DEFCON 16, CAPTCHAs Are they hopeless

9 OWASP 9 - Mike Spindel and Scott Torborg, DEFCON 16, CAPTCHAs Are they hopeless

10 OWASP 10

11 OWASP 11 Other Approaches

12 OWASP 12

13 OWASP 13

14 OWASP 14 Attacks using the Human Factor  CAPTCHA Proxies  Pornography sites  Games  Etc.  CAPTCHA Farms  Cheap Workers  Indian / Romanian / Far East / …  Between 2$ - 4$ per 1000 CAPTCHAs

15 OWASP 15 - Jeremiah Grossman, Blackhat 2008, Get Rich or Die Trying

16 OWASP 16

17 OWASP 17 Conclusion  CAPTCHA doesn’t work  What it does do, does badly  And it’s broken, besides…  Bad solution for the wrong problem  In the meantime: Don’t use CAPTCHA for sensitive resources


Download ppt "Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP."

Similar presentations


Ads by Google