There are unique challenges when developing a passive bot detecting system. In this blog article, I explain some of the obstacles that need to be overcome in order to detect advanced bots without presenting a CAPTCHA. I also explain how bot programmers can benefit from the architectural challenges that bot detection systems inherently suffer from.

Preface

Do you like to fiddle around with programming projects in your spare time? And do you sometimes start endeavors ambitiously, but you never actually finish them? Are you fucking tired of stacking unsuccessful projects, doing mediocre work while never being thoroughly satisfied in what you do?

If yes, you may be inclined to listen to some words I have to say over my most recent failed project:

The idea was to create my own little captcha plugin for wordpress. You can learn more about the idea by delving into some of my accompanying investigations in the following blog posts:

• Plotting Bézier curves directly and with De Casteljau’s algorithm
• Create your own font the hard way!

Honestly I started this project because back in the time I was using this plugin and I was unsatisfied because for these reason. So this context information hopefully points out some of my motivations to start the project in the first place.

The destiny of every badly planned project

As with many spontaneously started projects in came up with in the past, I first was convinced that it was an awesome idea and subsequently started programming head-first without having a clear path or …

Last Edit (Effective: 7th November 2013)

It seems like the plugin authors updated the security of the plugin. All the bottom blog entry deals with version 3.8.7. In this new paragraph, I will look whether these recent updates to version 3.8.8 added the necessary security to prevent conducting an...

• Attack vector one: Parsing the captcha logic.
• Attack vector two: Reversing the decode() function and just reading the solution from the hidden fields.

Let's get started:

At line 942 of the plugin code (The start of the function that generates the captcha) we see that the password isn't longer a static clear text password, it is built dynamically every 24 hours with the function cptch_generate_key(), that I will show here for your convenience:

// Functionality of the captcha logic work for custom form
if ( ! function_exists( 'cptch_display_captcha_custom' ) ) {
    function cptch_display_captcha_custom() {
        global $cptch_options, $cptch_time;

        if ( ! isset( $cptch_options['cptch_str_key'] ) )
            $cptch_options = get_option( 'cptch_options' );
        if ( $cptch_options['cptch_str_key']['key'] == '' || $cptch_options['cptch_str_key']['time'] < time() - ( 24 * 60 * 60 ) )
            cptch_generate_key();
        $str_key = $cptch_options['cptch_str_key']['key'];

Let's see if the new …

Last major update on 23.10.2013

Preface

As promised previously in my last article, I will guide you through the creation process of a rudimentary font. I will use the glyphs of my font to draw captchas and incorportate the implementation in my brand new captcha plugin for wordpress. There are already quite a few captcha plugins out there, some of them are better than mine (RECAPTCHAfor instance translates books and thus solves two problems at the same time), others are worse, because the math equations can simply be parsed (As far as I can judge without inspecting the code further).

In this article however, I will center the focus entirely on the font and abstract from it's future usage in the captcha.

Technical background of fonts

A logical start of font creation is to answer the question what type of font we are going to create. But lets first introduce some concepts that are of importance when it comes to font design.

In short: A font is a collection of glyphs. Each glyph has a shape and there are various ways of describing that shape. You can imagine a glyph as a instanteation of a character. Whereas …

Last major Update: 21.10.2013

Github repo that contains the presented code in this post.

Introduction

In this article I will present you a very simple and in no sense optimized algorithm written in Python 3 that plots quadratic and cubic Bézier curves. I'll implement several variants of Bézier rasterization algorithms. Let's call the first version the direct approach, since it computes the corresponding x and y coordinates directly by evaluation of the equation that describes such Bézier curvatures.

The other possibility is De Casteljau's algorithm, a recursive implementation. The general principle is illustrated here. But the summarize the idea very briefly: In order to compute the points of the Bézier curve, you subdivide the lines of the outer hull that are given from the n+1 control points [Where n denotes the dimension of the Bézier curve) at a ratio t (t goes from 0 to 1 in a loop). If you connect the interpolation points, you'll obtain n-1 connected lines. Then you apply the exactly same principle to these newly obtained lines as before (recursive step), until you finally get one line remaining. Consider again the point at the ratio t on this single line left and …