bhuninghake
Programmer
Is anyone aware of a way of doing the CAPTHCA Dynamic Imaging with ASP vice .NET ? I can barely write ASP and didn't want to get into another language if I didn't need too.
Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations MikeeOK on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
CAPTCHA Dynamic Images 2
- Thread starter bhuninghake
- Start date
- Status
- Thread starter
- #2
bhuninghake
Programmer
Found a work around this ... Made up different images using numbers, etc and I display an image at random and the person must input the number, etc displayed. Seems to work ...
-
2
- #3
bhuninghake,
A few thoughts on your requirement/solution:
If you have a fixed naming convention for the files then 'scrapers' can work around this - they simply run the page enough times to see the vast majority of the filenames against the actual value to be used, then they can program a script to dynamically apply the correct value when they encounter the filename you specify. (certainly never use the actual number in the filename!)
You would need to 'hide' the filename by using something like:
The asp file target would then return a random image as the content of the http response (but the end user will never know the source file).
Unfortunately this can also be fooled if you use fixed images - as the scrapers can use checksums to identify the image passed back as each file will have its own signature.
There are other ways to get around this though, for example image stitching. In the getImage.asp file mentioned above you could randomly create a string of varying length and then for each individual character in that string select the file that represents that character (if you randomly select from different styles it is even more difficult to crack). Then you would need to 'stitch' the images together and return a single image to the calling page.. you may store the original number in a session variable to compare with later.
Another interesting implementation I have seen is using audio WAV files to create the code (stitched together) - even more difficult for people to leech stuff from your site.
The thing to consider is: "how secure do you want it to be?" - trust me, the only way to completely prevent people from hacking a system is by turning it off ;-) (even then it can still be at risk) - it is all about how much effort you want to put in to reduce the risk of abuse of your site.
If you have the images as you have specified above in your code then 80-90% of interested parties will just give up (without checking the source). However, if you use an asp page to obfuscate the file details (as mentioned above), then 99% are likely to give up (as it appears to them that you are using a more sophisticated system).
Also, how likely is it that people will want to leech what you have to offer ? Without demand, risk diminishes somewhat.
Finally, you may want to make sure that there are not other ways of getting the information you are protecting - this method is only one way for someone to leech your data.
Hope this gives you some ideas,
Damian
A smile is worth a thousand kind words. So smile, it's easy!
A few thoughts on your requirement/solution:
If you have a fixed naming convention for the files then 'scrapers' can work around this - they simply run the page enough times to see the vast majority of the filenames against the actual value to be used, then they can program a script to dynamically apply the correct value when they encounter the filename you specify. (certainly never use the actual number in the filename!)
You would need to 'hide' the filename by using something like:
Code:
<img src="/security/getImage.asp" />The asp file target would then return a random image as the content of the http response (but the end user will never know the source file).
Unfortunately this can also be fooled if you use fixed images - as the scrapers can use checksums to identify the image passed back as each file will have its own signature.
There are other ways to get around this though, for example image stitching. In the getImage.asp file mentioned above you could randomly create a string of varying length and then for each individual character in that string select the file that represents that character (if you randomly select from different styles it is even more difficult to crack). Then you would need to 'stitch' the images together and return a single image to the calling page.. you may store the original number in a session variable to compare with later.
Another interesting implementation I have seen is using audio WAV files to create the code (stitched together) - even more difficult for people to leech stuff from your site.
The thing to consider is: "how secure do you want it to be?" - trust me, the only way to completely prevent people from hacking a system is by turning it off ;-) (even then it can still be at risk) - it is all about how much effort you want to put in to reduce the risk of abuse of your site.
If you have the images as you have specified above in your code then 80-90% of interested parties will just give up (without checking the source). However, if you use an asp page to obfuscate the file details (as mentioned above), then 99% are likely to give up (as it appears to them that you are using a more sophisticated system).
Also, how likely is it that people will want to leech what you have to offer ? Without demand, risk diminishes somewhat.
Finally, you may want to make sure that there are not other ways of getting the information you are protecting - this method is only one way for someone to leech your data.
Hope this gives you some ideas,
Damian
A smile is worth a thousand kind words. So smile, it's easy!
- Thread starter
- #4
bhuninghake
Programmer
Most awesome response there damber and thanks.
- Status
Similar threads
- Locked
- Question
- Locked
- Question