28.09.2020

UnCAPTCHA: Use Google services to bypass Google reCAPTCHA. What is captcha? How to add or remove captcha? Captcha bypass




Captcha is a humanity test used to protect a resource from spam and robots. But it also gets in the way of honest users, for example when checking the search positions of a site. It is therefore broken with tools that exploit the weak points of the technology. Today we will tell you how to resist captcha.

Who needs to bypass captcha

It is not only spammers who bypass it to create large numbers of new mailboxes, forum comments and social network pages for the further spread of spam. Honest companies also need to bypass the protection to get results automatically: for example, a site owner checking positions in a search engine, or resources that automatically collect thematic information.

Rough enumeration of all options

When captchas first appeared, questions and answers were written by hand and there were a limited number of them. After spending some time on the site, all possible answers could be collected into a database and used for hacking.

How to protect yourself: generate options automatically so that they cannot be predicted and the full set of answers cannot be collected. This is no longer a problem today: letters and symbols are generated automatically, as are arithmetic examples.

Getting the field name

How to hack: just take the name of the captcha field from the code and use the program to intercept its value if it never changes.

How to protect yourself: use a dynamic field name, that is, changeable each time. It must be encrypted so that other programs cannot read it and receive a response. The decryption key will be on the server; it cannot be obtained without access to the server script.

For example, the captcha is stored in a field named Captcha. It is then very easy to write a program that reads the value from it. The name can be picked manually or taken from the popular databases that are publicly available. However, if the name is different every time and is not a word but a sequence of letters such as "fghtn" or "qpvbn", it is harder to track. The safest option is to encrypt this sequence.

Bypass captcha with OCR

OCR is a technology for recognizing text and converting it into an editable digital form. A popular example is ABBYY FineReader. Free but lesser-known: ocropy. All you need to do is adjust the required parameters and upload a picture.

The method is also used to recognize captcha online. The program reads the picture and enters the values into the field. How the algorithm works internally:

  1. Image with letters or numbers is cleared of noise for clear character recognition.
  2. It is split into separate fragments with one sign.
  3. Each symbol is compared with the originals previously loaded into the database.
  4. At the end, the total is displayed.

To protect against hacking using OCR, special captchas are created with a lot of noise, incomprehensible characters. Signs can be so distorted that even a person will not find the right answer the first time.

To work around, you need to find different originals so that in most cases the system can correctly identify the symbol. We need different fonts and encodings.

How captcha is protected from OCR:

  • noise of the same color as the main symbols is overlaid on the image;
  • extra characters are added, and the text asks for only some of them to be entered rather than all of them (as a robot would do);
  • letters and numbers are placed at different levels;
  • a unique, non-standard design is used.

The measures taken prevent the automatic input of characters.

Written scripts

This method is not a complete workaround. It is used as an auxiliary one so that the OCR system could identify characters as clearly as possible.

The programmer writes a script using special libraries that:

  • pre-clears the picture from noise, unnecessary signs, background;
  • works with colors so that they do not interfere with the recognition process;
  • cuts off unnecessary areas, leaving only characters;
  • aligns the text.

Using a proxy

Proxy services allow the user to surf the network anonymously. Thus, he hides his real IP address, location and other information about himself. Tracking it becomes impossible without special equipment, so IP blocking is not entirely successful.

To bypass it, you need to have access to the proxy service databases. They can be both free and distributed commercially on closed sites. The main algorithm is to constantly change IP. In this case, the site may not issue a captcha, because the same actions are performed by different addresses.

This workaround was one of the first to be devised.

How to use Google to hack its own captcha

In 2017, a developer posted on his blog a way to bypass Google's reCaptcha, detailing the entire process.

This type of captcha differs from the others in that the user is shown an image divided into several parts. He is asked to indicate all the fragments on which the object X is depicted. He marks them with checkmarks, and if everything is correct, the answer is valid. It also has an audio analogue, when the robot calls numbers, and a textual analogue with a test that only a person can decide.

The main algorithm was as follows. It was necessary to download the audio file and convert it to WAV format, which the Google Speech Recognition API recognizes. As a result, he received a sequence of digits, which he submitted to the site, and the captcha was solved. If only a text version came up, the page was simply refreshed until the audio format appeared.

  1. Focus on the ratio of price to volume of work. To recognize several thousand captchas a day, more expensive versions of programs capable of processing a lot of information are chosen. For smaller goals, online services will do the trick, most of which are free.
  2. When choosing a free service, check for additional restrictions, for example limits on recognition or a trial period. Ideally, there shouldn't be any.
  3. If you settle on an exchange with performers, check its reputation by reading reviews on various sources. Some of them cheat not only performers, but also customers.
  4. Download programs from trusted sources. There are now fewer programs on the market; they are being replaced by servers that do not need to be installed on a computer and work around the clock.

Programs and services for captcha recognition

Of the programs for recognizing captchas, CapMonster 2 stands out. It is based on OCR technology. The cost depends on the number of streams: 1, 5 and 20 streams cost $37, $57 and $97 respectively.

Key features:

  • high performance - millions of captchas per day;
  • large base of supported captchas;
  • training in new types of captchas from both the developers and the user;
  • purchase of additional stream for a professional fare.

You can return the program within 14 days after purchase, and the subscription fee is paid annually.

Exchanges with performers are a one-stop solution. First, captchas are solved at a natural human pace. Robots work several times faster than humans, so a site using protection will see the hack in its statistics. But if a person enters the captcha, the analytics stay within the normal range.

Secondly, all types of captchas are available that can be recognized by a person. This does not guarantee a 100% workaround, because everyone can be wrong.

Third, it's cheap. Usually up to 50 rubles for 1,000 pieces, but for complex ones it can be up to 150.

Examples of exchanges with performers:

Clarify the rules for working with services in the rules of the user agreement.

Summing up

Programmers can make mistakes due to carelessness, insufficient testing, or simply due to ignorance. Hackers take advantage of security flaws and find ways to break the system. Special programs for automatic captcha recognition have been created, as well as online services that work both for a fee and for free.

Many sites today use captcha for protection from spam. Do not forget also about the captchas that are displayed when sending messages or commenting on the posts of your friends on social networks.

The problem is that the use of such protection is popular: such is an interesting example of plagiarism in the online space. But there is also good news: there are ways to bypass captcha.

What is captcha

Typical captcha is input of garbled characters. There are also other types of captchas.

These include:

  • a combination of letters and numbers in the code, both Russian and English;
  • arithmetic operation, most often elementary, but sometimes quite complex. Usually complex captchas are placed on serious resources.
  • Pictures. Everything is simple here, there is a picture in front of you in the wrong position. By pressing the button, you set it to the correct position.
  • pictures in which you need to highlight a certain group of objects according to one common feature.

The more complex the captcha, the better the site or other resource is protected. You can bypass the captcha: how exactly, we will now consider.

How to bypass captcha on the site?

It is unlikely that it will be possible to avoid the appearance of captcha, but making it so that you do not have to enter it is quite possible.
To do this, you just need to download a program that will decrypt the codes for you, register there and start using them.

There are different types of programs, for manual and for automatic captcha recognition. The most popular are Rucaptcha and Antigate. They are not free, but the price for captcha recognition is quite small: from 18 rubles for 1000 entries on Rucaptcha and from $0.7 for 1000 images on Antigate. For an ordinary user, such a package will be enough for a long time.

Automatic captcha recognition software is more expensive. For example, the cheapest CapMonster 2 package costs $37. But such programs are not designed for an ordinary user; they are for those who actively send messages to many addresses, because they are able to recognize several million captchas a day.
When the program is installed and launched, you will no longer be required to prove that you are not a robot: the program will recognize the captcha.
We must pay tribute to the developers: such programs greatly simplify our life. On the other hand, it is obvious that captcha will not save you from real robots, but it may well exhaust the nerves of ordinary Internet users.


How to bypass captcha using a dynamic IP address

There is one more efficient way of getting rid of captcha: order a dynamic IP address. Usually this service is paid, and its cost depends on the rates of the provider. After that, set the fastest automatic address change in the settings (for example, every second).

This method is guaranteed to save you from annoying captcha, which means that you will not need to sigh irritably every time the program decides to test you for humanity.

If captcha appears too often, you need to find out why this is happening. It makes sense for Google Chrome users to check the extensions. For example, if you disable the ad blocking extension AdBlock or the RDS bar plugin, then most likely the captcha will no longer appear.

How to make money on captchas

If you are not at all annoyed by entering captcha, then you can also make money on it. To do this, you need to find a service in which you want to work as a "captcha typesetter" and go through the registration process on the site. Immediately after that, you can start working. The more captchas you type, the more money you get. It is difficult to think of an easier way to make money on the Internet. On Rucaptcha, the rate is from 1 to 10 kopecks for recognizing one image.


Captcha technology (CAPTCHA) is an automated test designed to identify machine users, aka bots.

Its goal is to formulate a problem that can be easily solved by a person, but difficult for a computer.

But there are also situations when a seemingly useful script becomes too intrusive.

There is an assumption that Google trains the AI of its drones using the answers that users enter in the "I'm not a robot" picture captcha.

How to remove captcha I'm not a robot

The reasons for this behavior may vary, but you can always try to fix it. Work through the following actions one by one until the problem goes away:

  • Disconnect and reconnect the active Internet connection. Reboot your router or modem. This may change the IP address.
  • Use a VPN service. These are available both paid and free, as browser extensions (add-ons) and as separately installed software on a computer.
  • Review the installed extensions. For example, the latest version of Yandex Browser automatically disables plugins from unverified sources and periodically checks those already installed for counterfeiting.
  • Check if JavaScript is enabled in the web browser: Settings -> Show advanced settings -> Personal data block Content settings -> JavaScript section.
  • Do not forget about antivirus software: it is possible that the computer has become part of a botnet, and the CAPTCHA is reacting to the traffic generated from this address.

Interestingly, hundreds of millions of "captchas" are entered by Internet users every day. At the same time, it is no secret that not everyone manages to enter it correctly the first time.

UnCAPTCHA is an automated system developed by experts at the University of Maryland that is able to bypass Google reCAPTCHA with an accuracy of 85%. They succeeded by recognizing the audio version of the prompt intended for people with disabilities.

The method exploits a vulnerability in the audio version of reCAPTCHA, in which a numeric code is spoken and must then be entered into the check field. The algorithm uses several services to help determine the numbers, including the Google Cloud Speech Recognition service.


Researchers have published the code for their project on GitHub. UnCAPTCHA uses speech recognition tools such as Bing Speech Recognition, IBM, Google Cloud, Google Speech Recognition, Sphinx, and Wit-AI.

Principle of operation

The audio command format is a series of numbers of varying lengths spoken at different speeds, in different accents and over background noise. To attack this captcha, sounds are identified and automatically split into pieces.

The audio segment for each number is uploaded to 6 different free online audio transcription services (IBM, Google Cloud, Google Recognition, Sphinx, Wit-AI, Bing Speech Recognition) and the results are aggregated. After concatenation, the most likely string is heuristically identified. After that, the numbers are sequentially typed into the captcha. During testing, the observed accuracy was 92% for individual numbers and 85% for recognizing the audio command in full.

UnCAPTCHA is not the first system of its kind. In March of this year, there was information about an attack using ReBreakCaptcha, a system almost identical to unCAPTCHA.

Tests show that unCAPTCHA can solve 450 reCAPTCHA problems with 85.15% accuracy in 5.42 seconds. This is less than the time a person needs to listen to one reCAPTCHA sound file.

unCAPTCHA

The project code is written in Python using the popular Selenium library and FFmpeg, a set of open source libraries that allow you to record, convert and transmit digital audio signals.

For as many years as Habr has existed, posts about yet another captcha have appeared on it regularly, be it a script for generating a picture, a new idea for a captcha with cats, and the like. In the most recent example, the author does not quite understand how a captcha should actually work (see the text of the post and the last comments), but still shares his misconceptions with the community. One gets the feeling that captcha is terra incognita for most developers: both for those who simply attach it to the next form in the hope that it will work "out of the box", and for those who come up with captchas like the ones where you need to choose the picture with a cat from several photos.

This article contains useful information for those who run a captcha on their own server instead of trusting a third-party service like reCaptcha.

And as a teaser: if you think that a captcha check like this will work:
if ($_POST["captcha"] == $_SESSION["captcha"]) return true; (example from practice)
then you are deeply mistaken.

Captcha

By definition, captcha is an automated public Turing test (a test that can be passed by a human, but not a computer). In this article, I will consider the properties of a captcha using the example of its most common type - text in a picture, although almost everything written is equally applicable to any type of captcha.

Two main properties of captcha

Any captcha must have two properties, without which it will not work:

Recognition resistance: a property that protects a captcha from being recognized by an algorithm, for example a text recognition system. It ensures that a person can read the text in the picture, but a computer cannot.
Anti-example: the standard phpBB 2.x forum captcha did not have this property. Because it was relatively easy to recognize, scripts appeared that spammed every forum in sight, forcing webmasters to change the captcha to a more resistant one.

Resistance to guessing: a property of a captcha that does not allow its value to be guessed in a small number of attempts (less than 1000). If the set of possible captcha values is small, a program will have no difficulty in guessing the value instead of recognizing it.
Anti-example: arithmetic captcha like "1 + 2" (iterating over numbers from 1 to 20 will soon give a result).
Anti-example: choosing the picture with a cat from several pictures.

Captcha check

The value for verification must be stored on the server, and not transmitted to the browser along with the picture. To match the visitor with the correct captcha value, use a key that is transmitted along with the captcha (session ID, captcha number, etc.).
Anti-example: if you transfer the captcha itself together with the value for its verification (even encrypted), a person only needs to recognize such a captcha once and can then reuse the pair "answer" / "value to check" in a script (the post linked at the beginning is exactly such a case).

Before checking the answer, you need to make sure that it is not empty. Otherwise an attacker can submit an empty value and pass the captcha without ever loading the picture, or after deleting the current session identifier: the check then compares two empty strings (in PHP, a non-existent value is treated as an empty string).
Anti-example: the code I already mentioned, if ($_POST["captcha"] == $_SESSION["captcha"]) return true;
Moreover, this code was written by an experienced programmer.

After verification, the saved captcha value must be deleted. If this is not done, an attacker will be able to use this value again an unlimited number of times. Yes, the captcha is regenerated when the page with the form is reloaded (either when the form is generated or when the image is generated), but a script does not have to load the form again (note that this is not relevant if the site uses one-time CSRF tokens for forms).
Anti-example: a hypothetical login form in which it is enough to enter the captcha correctly once and then brute-force the password with a script, avoiding regeneration of the captcha on the server.

Bulletproof captcha

Brute force protection. If your captcha is resistant to recognition, but not very resistant to brute force (for example, you only need to read 3-4 digits on it), it is advisable to limit the number of incorrect answers "from one IP" / "for one login" / etc. Such restrictions must be checked BEFORE checking the captcha itself (that is, if a restriction is in force, even a correctly entered captcha must not be considered passed); otherwise they will not interfere with brute force.

DoS protection. When generating captcha on your server, you need to understand that this is a convenient vector for DoS attacks (which, unlike DDoS, can be arranged by any student). For protection, you can limit the number of captcha generations per IP, cache captchas, etc.

Protection against recognition. If you are choosing a captcha, or are going to write one yourself, it is advisable to understand which captcha is better protected from recognition. There are ready-made universal captcha recognition scripts that work on the OCR principle, and if your site is of interest to spammers, there is a risk that they will use or write a script specifically for your captcha. The latter, however, applies more to sites of the level of Yandex or vk, but it is advisable to provide at least protection against basic OCR.

Anti-gate protection. Formally speaking, a captcha as a Turing test is not obliged to protect you from anti-gates, since in this case it is recognized by a person. From a practical point of view, this issue is very relevant and some defense is necessary.
There is not and cannot be a "gold standard" (because in that case antigates would implement support for it), so you are free to supplement the captcha with any tricks that make it impossible to recognize through an antigate. For example:
- non-standard captcha (assembling a puzzle, rotating an image, clicking on an area of a photo, etc.);
- Cyrillic captcha is the simplest solution, but it has a number of disadvantages: it is suitable only for projects with a Russian-speaking audience, and there are anti-gates with Cyrillic support;
- using a virtual keyboard next to the captcha for entering non-standard characters or shapes (may be inconvenient for mobile users).
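The rules from "Captcha check" and the brute-force rule above, put together as an added example (not code from the original article) that sets the article's one-line check beside a hardened one. The function names, the $failures array standing in for a shared per-client counter store, and the limit of 5 wrong answers are assumptions.

```php
<?php
// Added example, not code from the article. Names and limits are assumptions.
const MAX_FAILURES = 5; // assumed cap on wrong answers per client

// The article's anti-example. With no captcha field and no session value,
// both sides are null and the loose comparison null == null is true.
function check_vulnerable(array $post, array $session): bool
{
    return ($post['captcha'] ?? null) == ($session['captcha'] ?? null);
}

// Hardened check. $failures stands in for a shared per-client counter store
// (hypothetical; use a database or cache in a real deployment).
function check_hardened(array $post, array &$session, array &$failures, string $client): bool
{
    // Single use: take the stored value out of the session immediately, so
    // neither a correct nor a wrong answer leaves it available for replay.
    $expected = $session['captcha'] ?? null;
    unset($session['captcha']);

    // The limit is enforced BEFORE the answer is looked at: a blocked client
    // fails even when the answer is correct.
    if (($failures[$client] ?? 0) >= MAX_FAILURES) {
        return false;
    }

    // Reject missing, empty or non-string values on either side (a field
    // sent as captcha[]=x arrives as an array), then compare strictly.
    $answer = $post['captcha'] ?? null;
    $ok = is_string($expected) && $expected !== ''
        && is_string($answer) && $answer !== ''
        && hash_equals($expected, $answer);

    if (!$ok) {
        $failures[$client] = ($failures[$client] ?? 0) + 1;
    }
    return $ok;
}

// Constructed demo input; run from the command line with `php file.php`.
function show(string $case, bool $passed): void
{
    printf("%-44s %s\n", $case, $passed ? 'passed' : 'rejected');
}

$failures = [];

$session = []; // the client never requested a captcha image
show('vulnerable, empty request', check_vulnerable([], $session));
show('hardened, empty request', check_hardened([], $session, $failures, '203.0.113.7'));

$session = ['captcha' => 'k7wq'];
show('hardened, correct answer', check_hardened(['captcha' => 'k7wq'], $session, $failures, '198.51.100.2'));
show('hardened, same answer replayed', check_hardened(['captcha' => 'k7wq'], $session, $failures, '198.51.100.2'));

$failures['192.0.2.9'] = MAX_FAILURES; // client already over the limit
$session = ['captcha' => 'k7wq'];
show('hardened, correct answer but blocked', check_hardened(['captcha' => 'k7wq'], $session, $failures, '192.0.2.9'));
```

In a request handler the same function would receive $_POST and $_SESSION, with the client's address or login as the counter key.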

Usability

Do not ask for a captcha if you are already convinced that there is a person in front of you. Here, however, one must be careful that the form cannot be used by a script an unlimited number of times after a single captcha input by a person.
Example: a registration form. If I'm registering somewhere and forgot to fill in the "postal code" field, but entered the captcha correctly, there is no need to show me a new one. For 10 minutes, store somewhere the fact that a living person is currently trying to fill out this particular form.

To facilitate human recognition: do not use letters and numbers at the same time in captcha, do not use uppercase and lowercase letters at the same time, exclude similar characters.

Refusal to use captcha

The best captcha is no captcha. Wherever you can do without it, you should. You may need to implement additional limits and checks for this, but users will thank you.
But here you have to be very careful. For example: a registration form without captcha, with an email field to which an activation letter is sent. Without additional means of protection, such a form can be flooded with bogus addresses, and your site will end up on the blacklists of mail services. In this case, you can do without captcha, but only if you have another line of defense, such as an IP limit.

Someone will find the information in this topic obvious, but if I had not come across examples of misunderstanding of these simple principles in life, including with experienced fellow developers, I would not waste time writing this text.

