Response Processors: Request Captcha Processor
The Captcha processor is designed to protect specific pages in a web application from automation. This is done by using a "Captcha" challenge, where the user is required to transcribe random characters from an obscured image or muffled audio file in order to complete the request. The intent is that a human would be capable of correctly answering the challenge, while an automated script with no human intervention would be unable to do so. This assumes that the image is obscured enough that text recognition software is not effective, and that the audio file is distorted enough to defeat speech-to-text software. Requiring such user interaction is somewhat disruptive, so it should be used only for pages that are prime automation targets (such as contact forms, registration pages, and login pages). Furthermore, these captcha challenges can be customized to fit the style of the application they are protecting.
Table 31: Request Captcha Processor Configuration Parameters
Parameter | Type | Default Value | Description |
---|---|---|---|
Basic | |||
Processor Enabled | Boolean | True | Whether traffic should be passed through this processor. |
Protected Pages | Collection | None | A collection of protected pages. |
Advanced | |||
Bad Request Block Response | HTTP Response | 400 HTTP Response | The response to return if the user issues a request that either is too large, or uses multipart encoding while multipart is disabled. |
Blocked Replay Response | String | Random Value | The response to return if the user attempts to submit the validated request multiple times using the same captcha answer, and that behavior is not allowed. |
Captcha Binary Directory | String | Random Value | The name of the directory where captcha images and audio files will be served from. This should not conflict with any actual directories on the site. |
Captcha Characters | String | Random Value | The characters to use when generating a random captcha value. Avoid using characters that can be easily mixed up. This set of characters is case sensitive. |
Captcha State Cookie Name | String | Random Value | The name of the cookie to use to track the active captchas that have not yet been solved. The cookie is only served to the captcha binary directory. |
Captcha Validation Input Name | String | Random Value | The name of the form input used to transmit the captcha validation key. This should be obscure so that users who have not been required to enter a captcha cannot supply bad values to this input to profile the system. |
Maximum Active Captchas | Integer | 7 | The maximum number of captchas any given user can be solving at any given time. This limit can be exceeded, but the majority of users will never reach it. It exists primarily for performance, as the more active captchas that are allowed, the larger the state cookie becomes. |
Support Audio Version | Boolean | True | Whether an audio version of the captcha is provided to the user. This can be a requirement for accessibility, as vision impaired users would otherwise be unable to solve the captcha. |
Watermark | String | Random Value | The text to watermark the captcha with. This can be used to prevent the captcha from being used in a phishing attack. For example, an abuser would not be able to simply display the captcha on a different site and ask a user to solve it. The watermark would tip the user off that the captcha was not intended for the site they are visiting. Use %DOMAIN to use the domain name as the watermark. |
Cancel URL | String | None | The URL to redirect the user to if they cancel the captcha. This should not point to the same domain, because that domain is the one being protected by the captcha, so canceling would only redirect the user to a new captcha. An empty value hides the cancel button. |
Captcha Expiration | Integer | 2 minutes | The maximum number of seconds the user has to solve the captcha before the request is no longer possible. |
Expired Captcha Response | HTTP Response | 400 HTTP Response | The response to return if the user submits a validated request after the captcha has expired. This can happen if the user refreshes the results of the captcha long after they have solved it. |
Maximum Request Size | Integer | 500kb | The maximum number of bytes in a request before it is considered not acceptable for captcha validation, and will be blocked. |
Incident: Bad Captcha Answer | Boolean | False | The user was asked to solve a captcha and entered the wrong value. This could be a normal user error, or it could be the result of a failed abuse attempt. |
Incident: Captcha Cookie Manipulation | Boolean | True | The user submitted a request and was asked to solve a captcha. They then modified the state cookie used to track captchas, making it invalid. This is likely in an attempt to find a way to bypass the captcha validation mechanism. |
Incident: Captcha Directory Indexing | Boolean | True | The user has requested a directory index in the directory that serves the captcha images and audio files. This is likely in an attempt to get a list of all active captchas or to identify how the captchas are generated. |
Incident: Captcha Directory Probing | Boolean | True | The user has requested a random file inside the directory that serves the captcha images and audio files. This is likely in an attempt to find an exploitable service or sensitive file that can help bypass the captcha validation mechanism. |
Incident: Captcha Disallowed MultiPart | Boolean | True | The user has submitted a multipart form post to the protected page, although multipart has been configured as disallowed. This is likely in an attempt to find an edge case the captcha validation mechanism is not expecting. |
Incident: Captcha Image Probing | Boolean | True | The user is probing the directory used to serve captcha images. This is likely in an attempt to find hidden files or a way to invoke errors from the captcha serving logic. |
Incident: Captcha Parameter Manipulation | Boolean | True | The user has submitted a request with a valid captcha, but they modified the query string parameters. This could be in an attempt to change the output of executing the request without requiring the user to re-validate with another captcha. |
Incident: Captcha Request Replay Attack | Boolean | True | The user has attempted to submit the same request multiple times with the same captcha answer. In other words, they solved the captcha once and issued the resulting request multiple times. |
Incident: Captcha Request Size Limit Exceeded | Boolean | True | The user has submitted a request to the protected page which contains more data than is allowed. This might be an attempt to reduce system performance by issuing expensive requests, or it can be an indicator of a more complex attack. |
Incident: Captcha Request Tampering | Boolean | True | The user submitted a request and was asked to solve a captcha. They introspected the page containing the captcha and altered the serialized request data (the data from the original request before the captcha prompt). They then submitted a valid captcha using the modified request data. This is likely in an attempt to abuse the captcha system and identify a bypass technique. |
Incident: Captcha Signature Spoofing | Boolean | True | The user submitted a request and was asked to solve a captcha. They introspected the page containing the captcha and provided a validation key from a previously solved captcha. This is likely in an attempt to submit multiple requests under the validation of the first. |
Incident: Captcha Signature Tampering | Boolean | True | The user submitted a request and was asked to solve a captcha. They introspected the page containing the captcha and provided a fake validation key. This is likely in an attempt to bypass the captcha validation mechanism. |
Incident: Expired Captcha Request | Boolean | True | The user submitted a request and was given a set window of time to solve a captcha. The user solved the captcha and submitted the request for final processing after the window of time expired. This is likely an indication of a packet replay attack, where the user attempts to invoke the business logic of the protected page multiple times under the same captcha validation. |
Incident: Mismatched Captcha Session | Boolean | True | The user submitted a request and was asked to solve a captcha. They solved the captcha, but upon submitting the request for final processing, they did so under a different session ID. This is likely due to multiple machines participating in the execution of the site workflow and can indicate a serious targeted automation attack. |
Incident: No Captcha Answer Provided | Boolean | True | The user attempted to validate a captcha but did not supply an answer to validate. There is no interface that allows the user to do this, so they must be manually executing requests against the captcha validation API in an attempt to evade the mechanism. |
Incident: Unsupported Audio Captcha Requested | Boolean | True | The user has requested an audio version of the captcha challenge, but audio is not supported and there should not be an interface to ask for the audio version. The user is likely trying to find a way to more easily bypass the captcha system. |
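The incidents above describe a single challenge lifecycle: a request is serialized and bound to a captcha, the user solves it within the expiration window under one session, and the validation key may be consumed only once. The following is an added illustration of that lifecycle as a minimal server-side model, not the processor's own code; the store, record fields and the `CaptchaStore` class are assumptions, and each failure is mapped to the incident name the table uses.

```python
import hashlib
import secrets
import time

# Constructed example: server-side model of the captcha challenge lifecycle.
CAPTCHA_EXPIRATION = 120  # seconds; matches the page's 2-minute default


class CaptchaStore:
    def __init__(self):
        self.pending = {}  # validation key -> challenge record

    @staticmethod
    def _digest(serialized_request):
        # Bind the challenge to the original request so that edits to the
        # serialized data on the captcha page are detectable later.
        return hashlib.sha256(serialized_request.encode()).hexdigest()

    def issue(self, serialized_request, session_id, answer, now=None):
        """Called when the captcha page is rendered; returns the validation key."""
        key = secrets.token_urlsafe(16)  # the value carried in the obscure validation input
        self.pending[key] = {
            "digest": self._digest(serialized_request),
            "session": session_id,
            "answer": answer,  # the characters rendered in the image / spoken in the audio
            "expires": (time.time() if now is None else now) + CAPTCHA_EXPIRATION,
            "consumed": False,
        }
        return key

    def validate(self, key, answer, serialized_request, session_id,
                 now=None, allow_replay=False):
        """Returns 'OK' or the name of the incident describing the failure."""
        now = time.time() if now is None else now
        rec = self.pending.get(key)
        if rec is None:
            return "Captcha Signature Tampering"  # key was never issued: fabricated
        if not answer:
            return "No Captcha Answer Provided"  # the UI always sends an answer
        same_request = rec["digest"] == self._digest(serialized_request)
        if rec["consumed"]:
            if not same_request:
                return "Captcha Signature Spoofing"  # solved key reused for a new request
            if not allow_replay:
                return "Captcha Request Replay Attack"  # same request, same answer, again
        if not same_request:
            return "Captcha Request Tampering"  # serialized request edited before solving
        if rec["session"] != session_id:
            return "Mismatched Captcha Session"
        if now > rec["expires"]:
            return "Expired Captcha Request"
        if not secrets.compare_digest(answer, rec["answer"]):  # case-sensitive
            return "Bad Captcha Answer"
        rec["consumed"] = True
        return "OK"
```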