December 2012
Intermediate to advanced
552 pages
13h 16m
English
Content preview from Web Application Defender's Cookbook
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
Start your free trial
Recipe 15-2: Validating Users with CAPTCHA Testing
This recipe shows you how to verify that the client is human by using CAPTCHA testing.
Ingredients
- ModSecurity
- SecContentInjection directive
- SecStreamOutBodyInspection directive
- STREAM_OUTPUT_BODY variable
- @rsub operator
Recipe 15-1 identified automated programs by confirming that the client can execute JavaScript. This method may not work, however, if some of your clients have disabled JavaScript in their web browsers. How else can we validate that clients are real people and not automated programs? This is the purpose of the Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA) concept.
CAPTCHA Defined
A CAPTCHA is a challenge-response test that verifies that a human, rather than an automated program, is entering information. For example, sometimes bots are used to affect search engine rankings or participate in an online poll. The CAPTCHA displays an image of slightly distorted letters and perhaps also numbers and asks the user to enter what he or she sees. This task is easy for a human but difficult or impossible for a bot.
CAPTCHAs are often used to help prevent certain automated attacks:
- Automated account registrations
- Automated ticket purchasing (queue jumping)
- Blog comment spam
Figure 15-1 shows an example of common blog comment spam for a WordPress site that promotes discounted medication.
Figure 15-1: WordPress comment spam
Keep in mind that these types of comment spam ...