Home page logo

webappsec logo WebApp Sec mailing list archives

Re: Script Based Attacks & Form Hacks
From: Andrew van der Stock <vanderaj () greebo net>
Date: Fri, 22 Jul 2005 18:23:16 +1000

CAPTCHA implementations need to be aware of their accessibility requirements. I strongly recommend against CAPTCHAs as they prevent disabled users from accessing your site. There are many legal cases, including against the Olympics organizers SOCOG in 2000, which prove that you may not disregard your obligations to disabled access.

It may be enough to provide an e-mail link or alternative accessible mechanism for disabled users to use as an alternative path ... as long as that path ends up with full access to your site, which was the fundamental reasoning behind the SOCOG fines and remediation order.

Lastly, one of the most effective anti-CAPTCHA tactics I've seen regularly used is "free day passes" to adult web sites. The time to crack CAPTCHAs is less than 30 seconds for groups with extensive numbers of sites or affiliates. Plus, from the attacker's point of view, a human does the OCR step. This is a complete defeat of the CAPTCHA system for sites which have something of value to attackers (link spam, etc).


On 22/07/2005, at 5:46 PM, Vicente Aguilera wrote:


CAPTCHA is a good solution to prevent automatic form submissions, but:

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]