Codetcha
Monday, 17 March 2008
I’ve sat on the concept for a long time and it has had many names, but I’ve got a bit of free time now so I decided to create a proof of concept. It isn’t perfect yet and there may be false positives due to a few bugs, but if you read my blog you know I like to release code early :)
So what is it, I hear you ask? Well, Codetcha is a CAPTCHA, but not in the traditional sense: it purposely creates code bugs and uses the developer’s debugging skills to determine if he/she is human or not. In the first version I’ve used JavaScript as the error-prone code and a PHP mirror behind the scenes to get the relevant value. However, any programming language could be used; I decided on JavaScript because you can use the native debugging in the browser to help you pass the test.
It’s worth noting that this sort of system couldn’t be used on a non-technical forum or blog because it assumes knowledge of a programming language, but it could be used on technical blogs and forums.
Update…
Fixed more bugs, reduced the settings slightly. I’ll release the source code soon once I’ve refined it a bit more.
Update again…
I’ve fixed many bugs, reduced the code by 50% and improved the replace algorithm.
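The generate-then-break flow described in the post, as an added example (not Codetcha's own source, which the post does not include). The function names, the seeded generator and the two injected bugs are assumptions; the server-side calculation of `answer` stands in for the PHP mirror.

```javascript
// Added illustration of the Codetcha idea; every name here is hypothetical.
// Seeded PRNG (mulberry32-style) so a challenge can be reproduced in tests.
function makeRng(seed) {
  let a = seed >>> 0;
  return function () {
    a = (a + 0x6D2B79F5) >>> 0;
    let t = a;
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Random identifier: one lowercase letter followed by four alphanumerics.
function randomName(rng) {
  const first = "abcdefghijklmnopqrstuvwxyz";
  const rest = first + "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
  let name = first[Math.floor(rng() * first.length)];
  for (let i = 0; i < 4; i++) name += rest[Math.floor(rng() * rest.length)];
  return name;
}

// Build a working snippet, compute its result server-side (the "mirror"),
// then break it. Only `broken` would be sent to the browser.
function generateChallenge(seed) {
  const rng = makeRng(seed);
  const names = new Set();               // a Set guarantees distinct names
  while (names.size < 3) names.add(randomName(rng));
  const [fn, x, y] = [...names];
  const a = 2 + Math.floor(rng() * 50);
  const b = 2 + Math.floor(rng() * 50);
  const m = 2 + Math.floor(rng() * 9);
  const clean = [
    `function ${fn}(${x}, ${y}) {`,
    `  return (${x} + ${y}) * ${m};`,
    `}`,
    `${fn}(${a}, ${b});`,
  ];
  const answer = (a + b) * m;            // mirror calculation, never sent out
  const broken = clean.slice();
  broken[1] = broken[1].replace(") *", " *");  // bug 1: drop a ")"
  broken[2] = "";                               // bug 2: drop the closing "}"
  return { clean: clean.join("\n"), broken: broken.join("\n"), answer };
}

// Accept only a plain integer that matches the stored answer exactly.
function verifyAnswer(challenge, submitted) {
  return /^\d+$/.test(String(submitted).trim()) &&
    Number(submitted) === challenge.answer;
}
```

Because the answer is computed from the generator's own numbers rather than by running the submitted code, the server never has to execute anything the visitor sends back.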
No. 1 — March 17th, 2008 at 1:36 pm
You are insane :)
Anyway, I figured it out, but I did this without understanding really well what I was supposed to do.
You should give more instruction on the codetcha page itself.
No. 2 — March 17th, 2008 at 1:57 pm
@gianni
I tried to make it as simple as possible, I’ll maybe look into making it a bit easier to understand :)
Glad you figured it out though :) It still contains bugs which I’m going to sort out and I’ll make it a bit more usable as well.
No. 3 — March 17th, 2008 at 2:09 pm
That’s a new one for me :) Pretty cool concept. I doubt people would use it on forums / blogs, since it probably would prevent a good portion of the posts. Not every visitor / active member knows JS etc. Still, cool idea :)
No. 4 — March 17th, 2008 at 2:19 pm
@Eirik
Don’t forget this is the first version :) CSS, HTML, C# or any other language could be used.
I’ve fixed a bug with the script and added instructions, have fun :)
No. 5 — March 17th, 2008 at 9:57 pm
@Eirik
It could be made harder.. weed out the non-coders leeching on a coders forum. Imagine it.. it could wipe out script kiddies :)
No. 6 — March 17th, 2008 at 10:47 pm
I’m still laughing…
No. 7 — March 18th, 2008 at 9:24 am
just test!
No. 8 — March 18th, 2008 at 9:37 am
Hello, just take a look at the JavaScript with the main HTML document: the user will have the ability to control all the page content and activity, which may lead to an XSS bug.
Find a way to separate the code-checking engine from the main page JavaScript renderer.
thank you!
No. 9 — March 18th, 2008 at 9:58 am
@islam
That isn’t XSS. Unless you can provide me with the means to remotely execute the code without user interaction then I won’t fix it. If you consider that XSS then every web site is vulnerable on the internet; go to google.com and enter javascript:alert(/XSS/) in the URL bar.
No. 10 — March 18th, 2008 at 11:33 am
I don’t think that this kind of verification could really be used. Imagine, for every message in the forum you have to fix these boring useless codes.
No. 11 — March 18th, 2008 at 11:43 am
@Thiago
The CAPTCHA is quite easy to solve and only takes a few seconds, and it improves your JavaScript debugging skills along with it. As an added bonus it can also be used to eliminate script kiddies from forums.
I’m not saying it could be used on all forums, but on ones with a high technical knowledge it could prove useful.
No. 12 — March 19th, 2008 at 5:27 am
@Thiago
It doesn’t have to be used on every post. Just on registration on a members-only forum.. elitist coders ftw.
No. 13 — March 25th, 2008 at 11:37 pm
@Gareth
It’s not *that* easy to solve. It took me like a minute to solve medium, probably you guys can solve it in 30 seconds but it’s still plenty of time. Mostly because I took time to look for the declaration of all variables, not only fixing the missing )’s or }’s. And what about setting some less obscure variable names? Like “first”, “second”, etc. A variable called “z9gC0” is difficult to track :)
But the idea is really good, I mean, users can reduce it to just one line of code and say “Fix the three errors in this code and press Submit”. That would certainly prevent lots of “useless” people from joining particular websites.
No. 14 — March 26th, 2008 at 12:24 am
@agente_naranja
It takes me around 5-10 seconds to solve. Did you use the test syntax and the highlighted line numbers? I guess I can reduce it and make it easier or harder depending on the target audience; I see it as a means to remove useless comments and spam within a technical environment.
The code itself can be configured to produce longer/shorter variables and fewer functions if required. I’ve done it like this because I see each one being unique and therefore difficult to attack.
Thanks for the good feedback, I’ll look into making it more friendly and producing better variable names.
No. 15 — May 28th, 2008 at 11:33 pm
The low was easy :)
Nice idea