Hackers of India

CAPTCHAs for fun and Profit

By Gursev Singh Kalra on 15 Feb 2012 @ Nullcon

Abstract

CAPTCHAs are a potent mechanism for protecting web applications against the ravaging bots and appear to be omnipresent across the World Wide Web. To analyze the strength of CAPTCHA deployments on the internet, a research effort spanning hundreds of high-traffic websites and several CAPTCHA service providers was conducted. The research looked at CAPTCHA image design, CAPTCHA implementation and verification mechanisms. During the research, several interesting implementation flaws and attacks were identified that will be discussed during the presentation. Some of these flaws/attacks include CAPTCHA fixation, CAPTCHA rainbow tables, in-session CAPTCHA bruteforcing, OCR-assisted CAPTCHA bruteforcing, chosen CAPTCHA text attack, CAPTCHA accumulation, etc.

It was also observed that an alarming number of visual CAPTCHAs (image designs) could be broken by a combination of good image preprocessing and Optical Character Recognition (OCR) engines. TesserCap was thus written to test CAPTCHA designs based upon these observations. TesserCap is a GUI-based, highly flexible and first-of-its-kind CAPTCHA analysis tool. TesserCap retrieves CAPTCHAs from the target website and solves them locally. Each CAPTCHA is subjected to TesserCap's 8-stage image preprocessing module and the OCR engine. The image preprocessing algorithms work around color complexities, spatial irregularities, and other types of random noise that developers introduce into the CAPTCHAs, in order to achieve higher detection rates.
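The abstract names verification-side flaws (CAPTCHA fixation, in-session bruteforcing) alongside image-design weaknesses. The following is an added example, not code from the talk or from TesserCap, showing the server-side posture that closes the verification-side class: a CAPTCHA challenge is bound to the session that received it, is consumed on the first verification attempt whether it succeeds or fails, and expires after a short time. A deliberately naive store is included beside it for contrast. All class and function names, the in-memory store, and the sample session identifiers and answers are constructed for this illustration.

```python
import hmac
import secrets
import time


class NaiveCaptchaStore:
    """Constructed weak example: the challenge is not bound to a session and is
    never removed, so a wrong guess can be retried and a solved challenge can be
    replayed from any session. This is the shape of store the verification-side
    flaws in the abstract target."""

    def __init__(self):
        self._pending = {}  # captcha_id -> expected answer

    def issue(self, session_id, answer):
        captcha_id = secrets.token_urlsafe(16)
        self._pending[captcha_id] = answer
        return captcha_id

    def verify(self, session_id, captcha_id, submitted):
        answer = self._pending.get(captcha_id)  # record survives the attempt
        return answer is not None and answer == submitted


class CaptchaStore:
    """Hardened in-memory store (assumption: single process; a real deployment
    would keep the same records in a shared cache such as Redis).

    Each issued challenge carries the session it was issued to and its issue
    time. verify() removes the record before checking anything, so one
    challenge gets exactly one attempt, right or wrong."""

    def __init__(self, ttl_seconds=120, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock  # injectable for testing expiry
        self._pending = {}  # captcha_id -> (session_id, answer, issued_at)

    def issue(self, session_id, answer):
        # Unpredictable id: the client cannot choose or guess which challenge
        # it will be verified against.
        captcha_id = secrets.token_urlsafe(16)
        self._pending[captcha_id] = (session_id, answer, self.clock())
        return captcha_id

    def verify(self, session_id, captcha_id, submitted):
        # Single use: pop unconditionally, so a failed guess cannot be retried
        # and a correct answer cannot be replayed.
        record = self._pending.pop(captcha_id, None)
        if record is None:
            return False
        bound_session, answer, issued_at = record
        if bound_session != session_id:
            return False  # challenge was issued to a different session
        if self.clock() - issued_at > self.ttl:
            return False  # stale challenge; client must fetch a new one
        # Constant-time comparison of the expected and submitted text.
        return hmac.compare_digest(answer.encode(), submitted.encode())


def retry_attack_succeeds(store, session_id, captcha_id, guesses):
    """Constructed check used by both the demo and the test: submit each guess
    in turn against the same captcha_id and report whether any is accepted.
    Against the hardened store only the first guess is ever evaluated."""
    return any(store.verify(session_id, captcha_id, g) for g in guesses)


if __name__ == "__main__":
    guesses = ["k7q2a", "k7q2b", "k7q2x"]  # constructed; last one is correct
    naive = NaiveCaptchaStore()
    print("naive store, retries accepted:",
          retry_attack_succeeds(naive, "sess-A", naive.issue("sess-A", "k7q2x"), guesses))
    hard = CaptchaStore()
    print("hardened store, retries accepted:",
          retry_attack_succeeds(hard, "sess-A", hard.issue("sess-A", "k7q2x"), guesses))
```

The design point is that the pop happens before any check: an invalid id, a session mismatch, an expired challenge and a wrong answer all leave the client with nothing to retry against, which is what separates a one-guess-per-image deployment from one that can be worked on repeatedly within a session.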