A CAPTCHA (an acronym for “Completely Automated Public Turing test to tell Computers and Humans Apart”) is a type of challenge-response test used in computing to determine whether or not the user is human.
CAPTCHAs are used to prevent bots from using various types of computing services or collecting certain types of sensitive information. Applications include preventing bots from taking part in online polls, registering for free email accounts (which may then be used to send spam) and collecting email addresses. CAPTCHAs can prevent bot-generated spam by requiring that the (unrecognized) sender pass a CAPTCHA test before the email message is delivered, but the technology can also be exploited by spammers by impeding OCR detection of spam in images attached to email messages. CAPTCHAs have also been used to prevent people from using bots to assist with massive downloading of content from multimedia websites. They are used in online message boards and blog comments to prevent bots from posting spam links as a comment or message.
- Points to remember while testing captcha:
A. Functional / Usability / Accessibility
- When the CAPTCHA is not entered, there should be client-side validation that displays an error message on submission of the form.
- CAPTCHA entry should be case sensitive.
- All the data in the other form fields should be retained if an error occurs for the CAPTCHA text field.
- There should be an (AJAX) link that reads something like “Refresh the text in CAPTCHA”. That helps end-users refresh the CAPTCHA characters when they cannot make out some characters in the current image.
- There needs to be audio support if the website is meant to be usable by blind or partially blind end-users.
- Too much background noise might spoil the comfort of listening to an audio CAPTCHA. It is good to gather opinions on the audio CAPTCHA from many people; having partially blind and blind people listen to it might be an awesome idea.
- If a web service is being used and the CAPTCHA is fetched from another server, it is important to check whether it is rendered smoothly, in sync with the other form components and web page elements. In my experience, I have seen the CAPTCHA being loaded a few seconds after all the other page elements were displayed, which gave me the feeling that there was nothing more to be displayed and the whole page was completely loaded. Then, later, it suddenly appeared, giving an odd feeling.
- Proper TAB indexing should be done even for the CAPTCHA text field. I have experience where reCAPTCHA was used in a registration form and TAB indexing was missed for it. I then suggested to the developer to fix that, as Google reCAPTCHA provides an option for tab indexing.
B. Security
- CAPTCHA images should not reveal absolute path names. Usage of web services is a good idea, just like reCAPTCHA.
- Do not serve CAPTCHA images in a cyclic fashion, e.g. images 1 to 100 and then 1 to 100 again; that is easy to crack. It is better to have an algorithm that generates a huge number of CAPTCHA images using image libraries.
- Using background noise in the image, different textures, and different angles for displaying the characters might be a good idea to make it difficult for CAPTCHA-cracking programs such as http://free-ocr.com/ and a few others.
- Audio-to-text converters: use some of these tools and see whether they are able to crack the audio CAPTCHA or not.
- The CAPTCHA should refresh on every wrong entry. Keeping it static makes it vulnerable to a brute-force attack that bypasses the CAPTCHA.
- There needs to be server-side validation of the CAPTCHA entry. Use Firebug to inspect the CAPTCHA element and then just delete it from the client side. Then fill in the form without the CAPTCHA and submit it. If it gets submitted, there is no server-side validation, which is a high risk; it is equivalent to not having a CAPTCHA at all.
- CAPTCHAs with questions and answers in plain text, or mathematical questions in plain text, are not recommended in my opinion.
- Combinations of uppercase and lowercase letters, digits and special characters could be used to increase the number of brute-force combinations for the CAPTCHA, which would make it very difficult to crack quickly. Hackers usually do not brute-force such a large number of combinations; rather, they hire a human to bypass the CAPTCHA manually. Well, yes, there are CAPTCHA-breaking services.
- Saving the list of CAPTCHA questions in a JS file is easily exploitable, as all the questions can be retrieved and assertions can be added using an automation tool like Selenium to bypass the CAPTCHA. I had seen this vulnerability in a check-in service web application, Gowalla or Foursquare; I do not really remember which one exactly.
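The security points above (server-side validation, refreshing the challenge on every wrong entry, case-sensitive comparison, a large character set rather than a fixed cyclic image set, and retaining the other form fields on failure) can be exercised with a small server-side model. The following is an added example written for this page, not code from the original post or from any CAPTCHA product; the in-memory store, the 6-character challenge length, the 300-second validity window and the form field names `captcha_token` / `captcha` are all assumptions chosen for illustration.

```python
import hmac
import secrets
import string
import time

# Mixed-case letters plus digits: the larger alphabet recommended in the text.
ALPHABET = string.ascii_letters + string.digits
CHALLENGE_LEN = 6      # assumed length
TTL_SECONDS = 300      # assumed validity window for one challenge


class CaptchaStore:
    """Server-side store of outstanding CAPTCHA challenges (in-memory, for illustration).

    Each challenge is identified by an unguessable token and is single-use: it is
    removed on the first verification attempt, right or wrong, so a wrong entry
    forces a fresh challenge and a static CAPTCHA cannot be guessed repeatedly.
    """

    def __init__(self, now=time.time):
        self._now = now        # injectable clock so expiry can be tested
        self._pending = {}     # token -> (expected answer, expiry timestamp)

    def issue(self):
        """Generate a fresh challenge with a CSPRNG (no fixed, cyclic image set)."""
        answer = "".join(secrets.choice(ALPHABET) for _ in range(CHALLENGE_LEN))
        token = secrets.token_urlsafe(32)
        self._pending[token] = (answer, self._now() + TTL_SECONDS)
        # In a real deployment the answer is only rendered into the image/audio;
        # the client receives the token and the rendered challenge, never the answer.
        return token, answer

    def verify(self, token, submitted):
        """Consume the challenge and check the answer (case sensitive)."""
        entry = self._pending.pop(token, None)  # consumed whether or not it matches
        if entry is None or submitted is None:
            return False
        answer, expires_at = entry
        if self._now() > expires_at:
            return False
        # Constant-time comparison; the exact case must match.
        return hmac.compare_digest(answer.encode(), submitted.encode())


def handle_submission(store, form):
    """Server-side form handler: the CAPTCHA decision is made here, not in the browser.

    Returns the outcome plus the non-CAPTCHA fields so the page can re-populate
    them on failure instead of clearing the form.
    """
    retained = {k: v for k, v in form.items() if not k.startswith("captcha")}
    token = form.get("captcha_token")
    if token is None or not store.verify(token, form.get("captcha")):
        return {"ok": False, "error": "Invalid or missing CAPTCHA", "retained": retained}
    return {"ok": True, "retained": retained}


def search_space(alphabet_size=len(ALPHABET), length=CHALLENGE_LEN):
    """Number of possible challenge strings for the chosen alphabet and length."""
    return alphabet_size ** length


if __name__ == "__main__":
    store = CaptchaStore()
    token, answer = store.issue()
    ok = handle_submission(store, {"captcha_token": token, "captcha": answer,
                                   "email": "user@example.com"})["ok"]
    print("correct answer accepted:", ok)
    print("replay of the same token rejected:",
          not handle_submission(store, {"captcha_token": token, "captcha": answer})["ok"])
    # Models the Firebug test: the CAPTCHA element was deleted client-side.
    print("form without CAPTCHA fields rejected:",
          not handle_submission(store, {"email": "user@example.com"})["ok"])
    print("possible challenges:", search_space())
```

The `handle_submission` call with no `captcha_token` models the test described above in which the CAPTCHA element is deleted in the browser before submitting: a server that still accepts that form has no server-side validation. Because `verify` pops the token before comparing, a wrong guess cannot be retried against the same challenge, which is what "refresh on every wrong entry" requires on the server side.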
C. Other points
- Always leave a space between two words.
- If one of the words is only partially readable, type the readable part (try to avoid the “DON’T KNOW” button).
- You don’t need to type symbols or punctuation marks. (See more at: http://tips-and-tricks-in-captcha-typing.blogspot.in/#sthash.kvqUlGiA.dpuf)
- Images with spaces and letter separation: avoid spaces and images.
- Ensure that the CAPTCHA code is viewable on screen.
- Ensure that the CAPTCHA code is in image format.
- Ensure that the CAPTCHA code can be refreshed (a new code is obtained by clicking a link).
- Ensure that a new CAPTCHA code is generated once the page is refreshed.
- Ensure that a new CAPTCHA code is generated once a wrong code is entered.
- Ensure that the CAPTCHA code cannot be copied and pasted.
- Ensure that the CAPTCHA code is case sensitive or not, according to the requirement.
- Ensure that entering a wrong CAPTCHA code does not disrupt the other fields in the form (the other form fields should not be cleared).
- The application should not accept an invalid CAPTCHA code on form submission and should display a proper alert message.
- The application should accept a valid CAPTCHA code on form submission.