I have long wanted to create a service that would quickly and simply rid any site of spam and flood. I finally got around to it, and the service now exists: EXOCAPTCHA, as it has been named, is available to everyone.
There are several successful CAPTCHA projects on the Internet, but all the ones I have looked at have certain disadvantages.
The goals set for the EXOCAPTCHA service:
Simplicity and speed of installation, platform independence.
Possibility of individual settings (type, size, colour, characters used, etc.).
Freedom from the fundamental vulnerabilities.
And now more about this:
1. Ease and speed of installation, platform independence
All that is required of you is to specify an e-mail address, to which a small snippet of code will be sent for insertion into the pages of your site, together with ready-made examples of form integration (ASP for Windows and PHP for UNIX). No special settings on the web server are required. The whole thing should take a few minutes!
2. The possibility of individual settings
In the personal account of the EXOCAPTCHA service you can create several CAPTCHA instances (for example, different types for different sites). By experimenting with the parameters you can create your own unique CAPTCHA. And if spammers build an automatic recognition program for a particular CAPTCHA, it is easy (and requires no changes to the pages of your site) to change the graphic representation of the code, quickly reducing the spammers' efforts to nothing.
3. Lack of core vulnerabilities
Reuse of session identifiers.
As a rule, most CAPTCHA implementations store the correct answer in a session variable. Some of these implementations do not reset this variable after checking the value. That is, it is enough to pass the CAPTCHA test manually once and hand the session identifier and the CAPTCHA answer to a bot, and it will generate a large number of successful requests.
Another disadvantage of using a session variable is its limited lifetime. If the user enters the correct answer to the CAPTCHA after the session has expired (as a rule, 20 minutes), the server can no longer check it and the answer is treated as incorrect. A minus? Of course it is! Who wants to prove twice that he is human?
EXOCAPTCHA does not have this disadvantage, because it stores nothing in session variables, and a value can be checked for up to 24 hours (it could be longer, but it is limited to this time for practical reasons).
Deriving the answer from information contained on the page.
In some implementations the answer to the CAPTCHA may be contained, in plain or encrypted form, in a hidden form field or in a parameter of the request for the picture with the code (example here: www.xakep.ru/post/31268). That is, having worked out the decoding algorithm, the bot will know the correct answer to the CAPTCHA with 100% certainty.
EXOCAPTCHA does not have this disadvantage, because the answer is not contained in the request parameters in any form.
The probability of guessing the answer.
Many site management systems use pre-generated images as CAPTCHAs. A spammer who has built a database of such pictures and their correct answers will easily defeat the main purpose of the CAPTCHA. Another variant of this vulnerability is a limited number of possible answers. For example, if there are 1000 possible answers, then even at a rate of 1 request per second a bot can produce 86 successful requests per day.
EXOCAPTCHA is free of this drawback. All pictures are generated on the basis of many random parameters, and the number of possible answers is determined by the user himself, who chooses the characters that can appear in the CAPTCHA and their number.
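As an added illustration of the session-reuse flaw and the guessing-yield calculation described under point 3 (example code written for this post, not EXOCAPTCHA's own implementation): a minimal session-backed verifier in its flawed and one-shot forms. The session is represented by a plain Python dict standing in for a real session store, and the allowed alphabet is an assumption.

```python
import hmac
import secrets
import string

# Assumed alphabet of characters the operator allows in the code.
ALPHABET = string.ascii_uppercase + string.digits


def new_challenge(session, length=5):
    """Store a random answer in `session` (a plain dict standing in for a real session store)."""
    answer = "".join(secrets.choice(ALPHABET) for _ in range(length))
    session["captcha"] = answer
    return answer


def verify_vulnerable(session, submitted):
    """Flawed check: the stored answer survives the comparison, so one correct
    answer plus the session identifier can be replayed indefinitely."""
    expected = session.get("captcha")
    return expected is not None and submitted.upper() == expected


def verify_hardened(session, submitted):
    """One-shot check: the stored answer is removed before comparison, whatever
    the outcome, so each challenge can be answered at most once."""
    expected = session.pop("captcha", None)
    if expected is None:
        return False
    # Constant-time comparison avoids leaking the answer through timing.
    return hmac.compare_digest(submitted.upper(), expected)


def replay_count(verify, session, submitted, attempts):
    """How many of `attempts` replays of one answer the verifier accepts."""
    return sum(1 for _ in range(attempts) if verify(session, submitted))


def daily_guess_yield(possible_answers, requests_per_second):
    """Expected successful blind guesses per day when only `possible_answers` exist."""
    return 86400 * requests_per_second / possible_answers


if __name__ == "__main__":
    session = {}
    answer = new_challenge(session)
    print("flawed verifier accepts", replay_count(verify_vulnerable, dict(session), answer, 5), "of 5 replays")
    print("one-shot verifier accepts", replay_count(verify_hardened, dict(session), answer, 5), "of 5 replays")
    print("blind guessing, 1000 answers at 1 req/s:", daily_guess_yield(1000, 1), "per day")
```

The one-shot verifier also discards the answer on a wrong attempt, so a bot cannot keep trying against the same challenge; the server must issue a fresh one.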