NuCaptcha.com

    What types of attacks does a Captcha protect against?

    Posted by Randy Lukashuk on Tuesday, February 08, 2011

    Captcha technology has evolved since it was first invented, and the term coined, by Luis von Ahn. What hasn't changed is why captchas exist in the first place: to protect websites from intrusive bots built to exploit your sites or services. Captchas are now a first line of defense against identity theft, but there are two threats that call for an extra protective measure: SQL injection and cross-site scripting. These are two common attacks that attackers use to steal sensitive information from your website.


    In the case of SQL injection, text input is taken from the user and passed, unfiltered, into the database server. Since SQL databases are controlled entirely by text-based commands, this is a dangerous scenario. Imagine if, instead of a name, the user entered an SQL command that deleted your whole database. Make sure you validate and 'clean' your text input of any SQL before passing it into your query. Cross-site scripting attacks occur while a user is logged in to your site: an attacker takes advantage of the user's privileges to perform actions on the user's behalf without their knowledge.
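    An added illustration of the SQL injection point above; this is example code written for this edit, not code from NuCaptcha or from the post. It contrasts a lookup that splices user text into the SQL string with one that binds the value as a parameter, and adds the allow-list validation the post recommends as a second layer. The table, rows and the hostile input are constructed for the demo. Binding parameters (rather than trying to strip SQL out of free text) is the defense a practitioner should rely on; validation narrows what reaches the query at all.

```python
import re
import sqlite3

# Constructed sample data for the demo: a tiny in-memory customer table.
SAMPLE_CUSTOMERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]

# Allow-list for usernames (assumed policy for this example): letters,
# digits and underscore, 1 to 32 characters. Quotes and spaces are rejected.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def make_db():
    """Create the in-memory table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", SAMPLE_CUSTOMERS)
    conn.commit()
    return conn


def validate_username(username):
    """First layer: reject any input that is not a plausible username."""
    return USERNAME_RE.match(username) is not None


def lookup_unsafe(conn, username):
    """Vulnerable form: user text becomes part of the SQL statement, so a
    quote character in the input changes the structure of the query."""
    sql = "SELECT username, email FROM customers WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Hardened form: the value travels separately as a bound parameter and
    is never parsed as SQL, whatever characters it contains."""
    sql = "SELECT username, email FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Run both lookups against an ordinary input and a hostile one."""
    conn = make_db()
    normal = "alice"
    # Constructed hostile input of the kind the post warns about: the quote
    # closes the string literal and the rest widens the WHERE clause.
    hostile = "nobody' OR '1'='1"
    return {
        "unsafe_normal": lookup_unsafe(conn, normal),
        "unsafe_hostile": lookup_unsafe(conn, hostile),   # every row leaks
        "safe_normal": lookup_safe(conn, normal),
        "safe_hostile": lookup_safe(conn, hostile),       # no rows: treated as data
        "hostile_passes_validation": validate_username(hostile),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

    In the vulnerable lookup the hostile string returns the whole customer table; in the parameterized lookup the same string matches nothing, and the validator rejects it before any query runs.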

    Consider the scenario where a new user signs up on your site. They complete your captcha to prove that they're human and log in with their newly created username and password. They then go to their 'my account' page to update their personal details. In the 'edit info' form, they manually type in a SQL injection attack that grants them full access to your customer database. Cross-site scripting and other automated attacks are no different: (1) a human can be presented with a captcha at login, (2) they can complete it, proving they're human, and then log in, (3) they proceed to run a script that spams a thousand comments or messages; or, even worse, another page or program can automatically do so on the user's behalf.


    It's important to take all of this into consideration when deciding how to use captchas on your website. Everywhere you see a submit button on your site, ask yourself whether it would be acceptable for that action to be completed automatically by a script or a 'bot'; if not, put a captcha on the form. Then make sure you follow other security best practices to protect against the remaining malicious attacks on your website. Stay tuned for upcoming blog posts about securing your site from bots, SQL injection, and XSS.



All trade names, trademarks and logos are the property of their respective owners. NuCaptcha is a registered Canadian company. © 2011 NuCaptcha Inc.