Published 19 years ago • Last updated March 22, 2025 • ⏱️ 2 min read
I've spent a lot of research over the last few weeks trying to create a different type of captcha. The basic idea is to try and produce one without images and try to make it as accessible as possible. I started off with a checkbox idea which allowed you to choose different fruits, this was easily broken by the clever guys over at sla.ckers.org forum (Trev, kuza55), so I took the useful info I gathered from their techniques in breaking this simple captcha and started to create a new one.
The new captcha uses code from my Keypress authorisation technique and the basic idea is you hold keys down for a number of seconds, this makes it difficult for an attacker to reproduce the key presses with executing the javascript. Of course the attacker could just scan the source code to gather the correct key presses, this is were my next technique comes into play, random javascript code is created which is stored by the server which is then compared against the client version, then the combination is hashed using md5 and then sent to the server.
I've had some great feedback on my captcha, WhiteAcid from the Slackers forum in particular has been very helpful in highlighting the problems with javascript protection. I plan to update my captcha soon so watch this space...
My question is, can it be automated? .....
It turns out yes it can via javascript, although server side it would be more difficult.
I've decided to release the source code for my captcha, I'm currently working on timing based protection so the will be another update shortly. If anyone wishes to contribute to the development, please let me know and I will be happy to include your code and credits.