For a good while now, I've implemented an unconventional captcha system on the sites I build. The way this captcha (questcha, actually) works is by asking a trivial question, in which the user types the correct answer in a box before registering/submitting/whatever.

 

Something like:

The sky is typically...
            Orange
            Yellow
            Pimpin' Purple
            Blue
            What sky? 

 

Something where the answer is completely obvious, but cannot be solved by a computer. The problem with this is that all the spammer needs to do is find all of the q/a sets, and make a key for them. My workaround for this was to create a user-updated database of these "Questchas." Then, in return, allow others to integrate the system into their sites.

 

What I'm asking is: is there something I've overlooked in this system that would allow it to be compromised, and more importantly, would anyone like to help me?

 

If you're interested in the latter, I threw together this site really fast to kinda get everything started.

 

I'm not asking for any critique on the site, I know it's shit; I'm asking for critique/help on the idea.


I'm as new to questchas as you are.

But I think there are a few things worth mentioning here:

IMO (strictly), every site isn't hammered by captcha-beating bots - those guys direct their time and energy at productive cracking - which gives them passwords and financial info. So, for a time questchas may work. All depends on your luck, IMO.

Reading answers requires the page scraper bots to read the answers - which is what the captcha obfuscates by using images. Why can't we obfuscate using JavaScript, so that only real browsers execute the JavaScript and not command-line bots?

Much the infamous exploits the crackers try for cross-site scripting injection. Of course they could very well embed javascript parsers and all, but if your site has no valuable information to reveal, they would not waste their time....

Yes, "alpha males" have a lot of time and enthusiasm, I know :)

So "blue" will be "clue".replace("c", "B").toLowerCase() .. something of that kind (pardon syntax errors)

I'm not sure this is great, something good may spring from this line of thought....

I'm not sure how well this would work.

The use of search engines would probably lead to something which could answer the question correctly with a reasonable rate of success.

For example, given the above question a script could enter the question (excluding the ...) and possible answers in turn to Google and compare result numbers.

With just that approach, the number of hits on Google would suggest the answer is "what sky?" However, if you were then to place quotes around the search term, the only result for the quote is with the answer "blue".

You make this sound like it's a new, profound idea, but the first time I saw it used was probably a year or two ago...

 

 

Anyway, it's a good idea if you have enough questions.  Without enough questions it's pointless.  Also, GingerRobot raises a good point.....  It's not hard for a script to Google....

If you want to use a cognitive captcha, then using text instead of images makes things a lot easier for a malicious bot; you should use images and, if possible, varying images for each question. Also, the fact that there are multiple choices could be used: by just guessing the answer a bot could be correct with a probability of 1/answers.

So, a better approach would be to use images instead of a textual questcha, and to require the answer to be typed instead of choosing from a given pool of answers. For example:

|picture of a bird| | picture of an elephant| |picture of some pesto sauce|

Which of these would go best on pasta? *please type the answer in the text box below*

 

I completely forgot to add that the example assumes the ability of the user to name the objects in the images, and in English (not everyone can know what the English word for pesto is, or know what pesto is at all). And there are a few more drawbacks, but using images of widely known objects and simple icons with well-formed questions, the test would be easy enough for a human to answer and much more frustrating for a bot developer to solve.
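Added example, not code from any poster in this thread: a server-side check for the typed-answer questcha suggested above, with each challenge usable once so a wrong guess cannot be retried, plus the blind-guess pass rate behind the "1/answers" point. The pool contents and the names `QuestchaStore`, `normalize` and `blind_guess_pass_rate` are assumptions made for illustration.

```python
import secrets
import time

# Constructed sample pool; a real deployment needs a large, changing set.
POOL = [
    ("The sky is typically...", {"blue"}),
    ("Which of these would go best on pasta?", {"pesto", "pesto sauce"}),
]


def normalize(text):
    """Lower-case and collapse whitespace so '  Blue ' matches 'blue'."""
    return " ".join(text.lower().split())


class QuestchaStore:
    """Server-side challenge store: accepted answers never reach the page."""

    def __init__(self, pool, ttl=300, clock=time.time):
        self.pool, self.ttl, self.clock = pool, ttl, clock
        self.pending = {}  # challenge id -> (accepted answers, expiry time)

    def issue(self):
        """Pick a question and return (challenge id, question text)."""
        question, answers = secrets.choice(self.pool)
        cid = secrets.token_urlsafe(16)
        self.pending[cid] = (answers, self.clock() + self.ttl)
        return cid, question

    def verify(self, cid, typed):
        # pop() makes every challenge single-use: a wrong guess burns it, so
        # a client cannot iterate over candidate answers for one challenge.
        answers, expires = self.pending.pop(cid, (set(), 0))
        if self.clock() > expires:
            return False
        return normalize(typed) in answers


def blind_guess_pass_rate(n_choices, attempts=1):
    """Chance that uniform random guessing passes within `attempts` tries."""
    return 1 - (1 - 1 / n_choices) ** attempts


if __name__ == "__main__":
    # Five choices: 20% per try, about 49% within three tries.
    print(blind_guess_pass_rate(5), blind_guess_pass_rate(5, 3))
```

Single-use challenges limit retries on one question, but they do not help if the pool is small enough to be catalogued, which is the weakness the first post raises.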
