Codetcha

Monday, 17 March 2008

I’ve sat on the concept for a long time and it has had many names but I’ve got a bit of free time now so I decided to create a proof of concept. It isn’t perfect yet and there may be false positives due to a few bugs but if you read my blog you know I like to release code early πŸ™‚

So what is it I hear you ask? Well Codetcha is CAPTCHA but not in the traditional sense, it purposely creates code bugs and uses the developers debugging skills to determine if he/she is human or not. In the first version I’ve used Javascript as the error prone code and a PHP mirror behind the scenes to get the relevant value. However any programming language could be used, I decided on Javascript because you can use the native debugging in the browser to help you pass the test.

It’s worth noting that this sort of system couldn’t be used on a non-technical forum or blog because it assumes knowledge of a programming language but it could be used on technical blogs and forums.

Update…

Fixed more bugs, reduced the settings slightly. I’ll release the source code soon once I’ve refined it a bit more.

Update again…

I’ve fixed many bugs, reduced the code by 50% and improved the replace algorithm.

Codetcha demo

The entry 'Codetcha' was posted on March 17th, 2008 at 11:43 am and last modified on March 18th, 2008 at 11:36 am, and is filed under captcha, php, Security. You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.

15 Responses to “Codetcha”

  1. gianni writes:
    No. 1 — March 17th, 2008 at 1:36 pm

    You are insane πŸ™‚

    Anyway, I figured it out, but I did this without understanding really well what I was supposed to do.

    You should give more instruction on the codetcha page itself.

  2. Gareth Heyes writes:
    No. 2 — March 17th, 2008 at 1:57 pm

    @gianni

    I tried to make it as simple as possible, I’ll maybe look into making a bit easy to understand πŸ˜›

    Glad you figured it out though πŸ™‚ It still contains bugs which I’m going to sort out and I’ll make it a bit more usable as well.

  3. Eirik Hoem writes:
    No. 3 — March 17th, 2008 at 2:09 pm

    That’s a new one for me πŸ™‚ Pretty cool concept. I doubt people would use it on forums / blogs, since it probably would prevent a good portion of the posts. Not every visitor / active member knows JS etc. Still, cool idea πŸ™‚

  4. Gareth Heyes writes:
    No. 4 — March 17th, 2008 at 2:19 pm

    @Eirik

    Don’t forget this is the first version πŸ˜‰ CSS, HTML, C# or any other language could be used.

    I’ve fixed a bug with the script and added instructions, have fun πŸ™‚

  5. fragge writes:
    No. 5 — March 17th, 2008 at 9:57 pm

    @Eirik

    It could be made harder.. weed out the non-coders leeching on a coders forum. Imagine it.. it could wipe out script kiddies πŸ˜‰

  6. nikos writes:
    No. 6 — March 17th, 2008 at 10:47 pm

    i ‘m still laughing…

  7. islam writes:
    No. 7 — March 18th, 2008 at 9:24 am

    just test!

  8. islam writes:
    No. 8 — March 18th, 2008 at 9:37 am

    hello , just take look about javascript with the main html document so the user will have the ability to control all the page contant and activity which may be lead to XSS Bug
    find way to separate code code checked engine from main page javascript renderer

    thank you!

  9. Gareth Heyes writes:
    No. 9 — March 18th, 2008 at 9:58 am

    @islam

    That isn’t XSS. Unless you can provide me with the means to remotely execute the code without user interaction then I won’t fix it. If you consider that XSS then every web site is vulnerable on the internet, go to google.com enter javascript:alert(/XSS/) in the url bar

  10. Thiago writes:
    No. 10 — March 18th, 2008 at 11:33 am

    I don’t think that this kind of verification could be realy used. Imagine, to every message in the forum you have to fix these boring useless codes.

  11. Gareth Heyes writes:
    No. 11 — March 18th, 2008 at 11:43 am

    @Thiago

    The CAPTCHA is quite easy to solve and only takes a few seconds and it improves your javascript debugging skills along with it. As a added bonus it can also be used to eliminate script kiddies from forums,

    I’m not saying it could be used on all forums but ones with a high technical knowledge it could prove useful.

  12. fragge writes:
    No. 12 — March 19th, 2008 at 5:27 am

    @Thiago
    It doesn’t have to be used on every post. Just on registration on members only forum.. elitist coders ftw.

  13. agente_naranja writes:
    No. 13 — March 25th, 2008 at 11:37 pm

    @Gareth
    Is not *that* easy to solve. It took me like a minute to solve medium, probably you guys can solve it in 30 seconds but it’s still plenty of time. Mostly because I took time to look for the declaration of all variables, not only fixing the missing )’s or }’s. And what about setting some more less obscure variable names? Like “first”, “second”, etc. A variable called “z9gC0” is difficult to track πŸ˜›

    But the idea is really good, I mean, users can reduce it to just one line of a code and say “Fix the three errors in this code and press Submit”. That would certainly prevent lots of “useless” people into joining particular websites.

  14. Gareth Heyes writes:
    No. 14 — March 26th, 2008 at 12:24 am

    @agente_naranja

    It takes me around 5-10 seconds to solve, did you use the test syntax and the highlighted lines numbers? I guess I can reduce it and make it easier or harder depending on the target audience, I see it as a means to remove useless comments and spam within a technical environment.

    The code itself can be configured to produce longer/shorter variables and less functions if required, I’ve done it like this because I see each one being unique and therefore difficult to attack.

    Thanks for the good feedback I’ll look into making it more friendly and producing better variable names.

  15. alex writes:
    No. 15 — May 28th, 2008 at 11:33 pm

    the low was easy πŸ˜›

    noce idea

«
»