
Response Processors: Request Captcha Processor

The Captcha processor is designed to protect specific pages in a web application from automation. It does so with a "Captcha" challenge: the user must transcribe random characters from an obscured image or a muffled audio file in order to complete the request. The intent is that a human can answer the challenge correctly, while an automated script with no human intervention cannot. This assumes that the image is obscured enough that text recognition software is not effective, and that the audio file is distorted enough to defeat speech-to-text software. Requiring such user interaction is somewhat disruptive, so it should be used only for pages that are prime automation targets (such as contact forms, registration pages, login pages, etc.). The captcha challenges can also be customized to fit the style of the application they are protecting.

Table 1: Request Captcha Processor Configuration Parameters

Basic

| Parameter | Type | Default Value | Description |
|---|---|---|---|
| Processor Enabled | Boolean | True | Whether traffic should be passed through this processor. |
| Protected Pages | Collection | None | A collection of protected pages. |

Advanced

| Parameter | Type | Default Value | Description |
|---|---|---|---|
| Bad Request Block Response | HTTP Response | 400 HTTP Response | The response to return if the user issues a request that is either too large or uses multipart encoding while multipart is disabled. |
| Blocked Replay Response | String | Random Value | The response to return if the user attempts to submit the validated request multiple times using the same captcha answer, and that behavior is not allowed. |
| Captcha Binary Directory | String | Random Value | The name of the directory from which captcha images and audio files are served. This should not conflict with any actual directory on the site. |
| Captcha Characters | String | Random Value | The characters to use when generating a random captcha value. Avoid characters that are easily confused with one another. This set of characters is case sensitive. |
| Captcha State Cookie Name | String | Random Value | The name of the cookie used to track the active captchas that have not yet been solved. The cookie is only served to the captcha binary directory. |
| Captcha Validation Input Name | String | Random Value | The name of the form input used to transmit the captcha validation key. This should be obscure, so that users who have not been required to enter a captcha cannot supply bad values to this input to profile the system. |
| Maximum Active Captchas | Integer | 7 | The maximum number of captchas any given user can be solving at any given time. This limit can be overcome, but the majority of users will not be able to. It exists primarily for performance: the more active captchas that are allowed, the larger the state cookie becomes. |
| Support Audio Version | Boolean | True | Whether an audio version of the captcha is provided to the user. This may be a requirement for accessibility, as vision-impaired users would otherwise be unable to solve the captcha. |
| Watermark | String | Random Value | The text to watermark the captcha with. This can be used to prevent the captcha from being used in a phishing attack: an abuser would not be able to simply display the captcha on a different site and ask a user to solve it, because the watermark would tip the user off that the captcha was not intended for the site they are visiting. Use %DOMAIN to use the domain name as the watermark. |
| Cancel URL | String | None | The URL to redirect the user to if they cancel the captcha. This should not be on the same domain: that domain is the one being protected by a captcha, so canceling would only lead to a new captcha. An empty value hides the cancel button. |
| Captcha Expiration | Integer | 2 minutes | The maximum number of seconds the user has to solve the captcha before the request is no longer possible. |
| Expired Captcha Response | HTTP Response | 400 HTTP Response | The response to return if the user submits a validated request after the captcha has expired. This may happen if the user refreshes the results of the captcha long after they have solved it. |
| Maximum Request Size | Integer | 500kb | The maximum number of bytes in a request before it is considered not acceptable for captcha validation and is blocked. |
| Incident: Bad Captcha Answer | Boolean | False | The user was asked to solve a captcha and entered the wrong value. This could be a normal user error, or it could be the result of failed abuse. |
| Incident: Captcha Cookie Manipulation | Boolean | True | The user submitted a request and was asked to solve a captcha. They then modified the state cookie used to track captchas, making it invalid. This is likely an attempt to find a way to bypass the captcha validation mechanism. |
| Incident: Captcha Directory Indexing | Boolean | True | The user has requested a directory index of the directory that serves the captcha images and audio files. This is likely an attempt to get a list of all active captchas or to identify how the captchas are generated. |
| Incident: Captcha Directory Probing | Boolean | True | The user has requested a random file inside the directory that serves the captcha images and audio files. This is likely an attempt to find an exploitable service or sensitive file that may help bypass the captcha validation mechanism. |
| Incident: Captcha Disallowed MultiPart | Boolean | True | The user has submitted a multipart form post to the protected page, where multipart has been configured as a disallowed option. This is likely an attempt to find an edge case the captcha validation mechanism is not expecting. |
| Incident: Captcha Image Probing | Boolean | True | The user is probing the directory used to serve captcha images. This is likely an attempt to find hidden files or a way to provoke errors from the captcha serving logic. |
| Incident: Captcha Parameter Manipulation | Boolean | True | The user has submitted a request with a valid captcha, but modified the query string parameters. This could be an attempt to change the outcome of executing the request without having to re-validate with another captcha. |
| Incident: Captcha Request Replay Attack | Boolean | True | The user has attempted to submit the same request multiple times with the same captcha answer. In other words, they solved the captcha once and issued the resulting request multiple times. |
| Incident: Captcha Request Size Limit Exceeded | Boolean | True | The user has submitted a request to the protected page which contains more data than is allowed. This may be an attempt to reduce system performance by issuing expensive requests, or it may be an indicator of a more complex attack. |
| Incident: Captcha Request Tampering | Boolean | True | The user submitted a request and was asked to solve a captcha. They inspected the page containing the captcha and altered the serialized request data (the data from the original request before the captcha prompt). They then submitted a valid captcha using the modified request data. This is likely an attempt to abuse the captcha system and identify a bypass technique. |
| Incident: Captcha Signature Spoofing | Boolean | True | The user submitted a request and was asked to solve a captcha. They inspected the page containing the captcha and provided a validation key from a previously solved captcha. This is likely an attempt to submit multiple requests under the validation of the first. |
| Incident: Captcha Signature Tampering | Boolean | True | The user submitted a request and was asked to solve a captcha. They inspected the page containing the captcha and provided a fake validation key. This is likely an attempt to bypass the captcha validation mechanism. |
| Incident: Expired Captcha Request | Boolean | True | The user submitted a request and was given a set window of time to solve a captcha. The user solved the captcha and submitted the request for final processing after that window expired. This is likely an indication of a packet replay attack, where the user attempts to invoke the business logic of the protected page multiple times under the same captcha validation. |
| Incident: Mismatched Captcha Session | Boolean | True | The user submitted a request and was asked to solve a captcha. They solved the captcha, but upon submitting the request for final processing, they did so under a different session ID. This is likely due to multiple machines participating in the execution of the site workflow and may indicate a serious targeted automation attack. |
| Incident: No Captcha Answer Provided | Boolean | True | The user attempted to validate a captcha but did not supply an answer to validate. There is no interface that allows the user to do this, so they must be manually executing requests against the captcha validation API in an attempt to evade the mechanism. |
| Incident: Unsupported Audio Captcha Requested | Boolean | True | The user has requested an audio version of the captcha challenge, but audio is not supported and there should not be an interface to ask for the audio version. The user is likely trying to find an easier way to bypass the captcha system. |
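The incidents above all describe ways the validation key, the state it binds, or its reuse can be inconsistent with the final submission. As an added illustration (not the product's own code), the following shows one way a validation key can bind the serialized original request, the session ID and an expiry with an HMAC, and how the expiry, session, parameter/request tampering, signature tampering and replay incidents fall out of the checks that fail; the signing secret, the request shape and the session IDs are constructed for the example.

```python
import hmac
import hashlib
import json

# Constructed stand-in for the processor's server-side signing secret.
SECRET = b"constructed-demo-secret"
EXPIRATION_SECONDS = 120  # matches the "Captcha Expiration" default of 2 minutes

def issue_validation_key(serialized_request, session_id, now):
    """Mint the validation key handed back once the captcha is solved.

    The key is an HMAC over the serialized original request, the session ID and
    an expiry timestamp, so any later change to those shows up as a mismatch.
    """
    payload = json.dumps({"req": serialized_request, "sid": session_id,
                          "exp": now + EXPIRATION_SECONDS}, sort_keys=True)
    sig = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return payload, sig

def validate(payload, sig, serialized_request, session_id, now, seen_keys):
    """Re-check a final submission; return the incident it would raise, or None
    when the request may be passed on to the protected page."""
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return "Captcha Signature Tampering"      # forged or edited key
    bound = json.loads(payload)
    if now > bound["exp"]:
        return "Expired Captcha Request"          # solved, but submitted too late
    if bound["sid"] != session_id:
        return "Mismatched Captcha Session"       # solved under another session
    if bound["req"] != serialized_request:
        # Only the query string differs: parameter manipulation. Anything else
        # in the serialized request (path, body) changed: request tampering.
        rest_now = {k: v for k, v in serialized_request.items() if k != "query"}
        rest_bound = {k: v for k, v in bound["req"].items() if k != "query"}
        if rest_now == rest_bound:
            return "Captcha Parameter Manipulation"
        return "Captcha Request Tampering"
    if sig in seen_keys:
        return "Captcha Request Replay Attack"    # same answer used twice
    seen_keys.add(sig)                            # first use: record and allow
    return None
```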

    Published: 2013-11-20