
Form Submission using CAPTCHA

CAPTCHA stands for "Completely Automated Public Turing test to tell Computers and Humans Apart". Before I start, I know that some readers are experts in CAPTCHA, some are newcomers and some are somewhere in between. I will try my best to put together sound information on this topic that is useful at every level.

Now, why do we need to tell humans and computers apart when both are working on the same interface to achieve something? It is required because keeping data posted on the internet safe and free of junk is a constant challenge. Companies that provide free email accounts, for example, can fall victim to bots (web robots, usually a program or script that runs at regular intervals) that create thousands of free accounts if the user registration form has not been protected properly.

There are hackers and unauthorized users who run automated scripts and try to use form data for their own purposes. They not only read and manipulate the data but may also store it for future use. There are cases where automated programs (bots) use form data to send unsolicited spam to a large number of users. The best solution for blocking these kinds of attacks is CAPTCHA.

CAPTCHA can be used to restrict these kinds of attacks. If I had to make some points about CAPTCHA, I would say the following:
  • It can be used to prevent automated mass registration of accounts on webmail sites, forums and blogs, and even on polling or auction sites.
  • There are mechanisms, using HTML tags, to keep search-engine bots from accessing a page, but the site stays open to other bots that can get inside and do whatever they want. CAPTCHA provides an effective mechanism for hiding your email address from web scrapers.
  • Bots usually have difficulty analysing and decoding the CAPTCHA text, so they are not able to submit the form without passing the CAPTCHA validation.
  • The idea is to require users to validate the CAPTCHA before submitting the form.


CAPTCHA Advantages:
  • CAPTCHA protects against bots, brute force and misuse of information.
  • It helps to avoid automated form submissions.
  • CAPTCHA can be used to prevent attacks on registration forms, feedback/rating surveys, ticket booking systems, appointment booking and so on.
  • Protecting email addresses from scrapers: spammers crawl the web continuously in search of email addresses. If CAPTCHA has been implemented, it is very difficult for bots to bypass the validation and submit the form.
  • It helps to prevent comment spam on blogs. Abusive scripts may continuously submit unnecessary comments, which is done to raise the blog's ranking in the search engines.
  • With a CAPTCHA, only humans can enter comments on a blog (as they have to pass the CAPTCHA validation).
  • CAPTCHAs can be used to stop an attacker from locking an account by repeatedly supplying wrong passwords, or from scanning through candidates until the correct password is found. One way to implement this is to require CAPTCHA validation after a certain number of unsuccessful logins.

Best Practices:
  • Right combinations: use a combination of images, text and numbers with a distorted display.
  • Images: write a script that generates images complex enough to resist automatic deciphering but clear enough to be read by a human regardless of age, language or gender.
  • Avoid complex design: keep it simple and soothing. A complex CAPTCHA design that is difficult for users is useless.
  • Say no to dictionary words: do not use scripts that generate the text from a dictionary; use an algorithm that generates random strings. It is easier for a human to identify a distorted word than to recognize individual distorted characters, but the drawback of the dictionary-word scheme in CAPTCHA is its vulnerability to dictionary attack.
  • Avoid complex background design: colours and complex background patterns have proven ineffective, since they reduce usability without any significant improvement in security.
  • Restrict offensive CAPTCHA: another content factor related to usability is the appearance of offensive words. Every offensive word that the CAPTCHA generates automatically has a negative effect on user satisfaction and eventually reduces usability. The best solution is to maintain a list of words considered offensive or abusive and prevent the CAPTCHA from generating them.
  • Don't create your own CAPTCHA: there are many proven plug-ins and jars available on the internet, developed by major companies. I personally prefer reusing those CAPTCHA scripts rather than developing my own, since it is difficult to understand all the scenarios; they are up and running with all the possible cases covered.
  • Script security: building secure CAPTCHA code is not easy. In addition to making the images unreadable by computers, the system should ensure that there are no easy ways around it at the script level.
  • Popularity: nowadays CAPTCHA is used by many famous websites. Some of them are:
    • Google
    • Yahoo
    • Hotmail
    • PayPal etc.
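As an added example (not code from the original post or from any CAPTCHA library), here is a minimal server-side CAPTCHA store in Python that applies several of the points above: random non-dictionary challenges filtered against an offensive-word list, a one-time expiring token so the check cannot be replayed or skipped at the script level, and the failed-login threshold mentioned under Advantages. The blocklist, TTL and threshold values are assumptions, and rendering the distorted image is left out.

```python
import secrets
import time

OFFENSIVE_WORDS = {"damn", "hell"}  # constructed blocklist (assumption); a real site keeps its own
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # no 0/O or 1/I, which humans confuse when distorted


def generate_challenge(length=6):
    """Random non-dictionary string; regenerated if it happens to contain a blocked word."""
    while True:
        text = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not any(word in text.lower() for word in OFFENSIVE_WORDS):
            return text


class CaptchaStore:
    """Server-side challenge store: the answer never travels to the client, only a token does."""
    def __init__(self, ttl_seconds=120, failed_login_threshold=3):
        self.ttl = ttl_seconds
        self.threshold = failed_login_threshold
        self._pending = {}        # token -> (answer, expiry timestamp)
        self._failed_logins = {}  # username -> consecutive failed logins

    def issue(self, now=None):
        # The answer is rendered as a distorted image; the token goes into a hidden form field.
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(16)
        answer = generate_challenge()
        self._pending[token] = (answer, now + self.ttl)
        return token, answer

    def verify(self, token, user_input, now=None):
        """One-time, time-limited check: the token is consumed on any attempt, right or wrong."""
        now = time.time() if now is None else now
        entry = self._pending.pop(token, None)
        if entry is None:
            return False  # unknown or already-used token (replay)
        answer, expiry = entry
        if now > expiry:
            return False  # challenge expired
        submitted = user_input.strip().upper().encode()
        return secrets.compare_digest(answer.encode(), submitted)

    def captcha_required(self, username):
        # Demand a CAPTCHA once a user has reached the failed-login threshold.
        return self._failed_logins.get(username, 0) >= self.threshold

    def record_login(self, username, success):
        if success:
            self._failed_logins.pop(username, None)
        else:
            self._failed_logins[username] = self._failed_logins.get(username, 0) + 1
```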

Code Example:

For a step-by-step code implementation of CAPTCHA, please follow the ROSE INDIA site.

