Recipe 15-2: Validating Users with CAPTCHA Testing
This recipe shows you how to verify that the client is human by using CAPTCHA testing.
Ingredients
- ModSecurity
- SecContentInjection directive
- SecStreamOutBodyInspection directive
- STREAM_OUTPUT_BODY variable
- @rsub operator
Recipe 15-1 identified automated programs by confirming that the client can execute JavaScript. This method may not work, however, if some of your clients have disabled JavaScript in their web browsers. How else can we validate that clients are real people and not automated programs? This is the purpose of the Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA) concept.
CAPTCHA Defined
A CAPTCHA is a challenge-response test that verifies that a human, rather than an automated program, is entering information. For example, sometimes bots are used to affect search engine rankings or participate in an online poll. The CAPTCHA displays an image of slightly distorted letters and perhaps also numbers and asks the user to enter what he or she sees. This task is easy for a human but difficult or impossible for a bot.
CAPTCHAs are often used to help prevent certain automated attacks:
- Automated account registrations
- Automated ticket purchasing (queue jumping)
- Blog comment spam
Figure 15-1 shows an example of common blog comment spam for a WordPress site that promotes discounted medication.
Figure 15-1: WordPress comment spam
Keep in mind that these types of comment spam ...
Get Web Application Defender's Cookbook now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
