Skriptke.ltn.net/hv/ - Human Verification Perl Script
Download:
Version 0.1 hv.01.gz
(GNU/GPL licence)
What is this and what is it for?
This is a Perl script which prevents bots from filling in forms (a captcha). The system is similar to those used by free webmail sites to prevent robots from signing up and/or guessing passwords. It can also be used to register users on forums, to accept guestbook messages, and so on, keeping the spam bots out.
What is it based on?
This script is based on the ability of the human eye to recognize images better than OCR (Optical Character Recognition) software does: a distorted image can be understood by a human but not by OCR.
Finding the point at which humans can still understand the image but OCR cannot is complicated. It is possible that in the future OCR will be as good as, or even better than, the human eye, so this system (or any other) is not 100% certain. However, an OCR-based attack has to use many methods and considerable time, so a script like this is sufficient to protect a guestbook, but probably not a bank, where the reward is greater!
A more secure method is to require interpretation, which is much further from a computer's reach than simple OCR. For example, we could show the image of a cat and ask the user what animal it is. The script can be configured to approximate this method:
Example: (image)
How does it work?
The script generates an image along with a session id and an MD5 hash value. After the POST/GET, the receiving script verifies the code against the variables the previous script generated.
Example:
In the form:
<form method="POST" action="test.cgi">
Usuario: <input type="text" name="user" size="14">
Contraseña: <input type="password" name="pass" size="14"> <br>
Código de seguridad: <input type="text" name="code" size="6">
igual a: <script src="http://skriptke.ltn.net/hv/demo3/hv.cgi?4"></script>
<input type="submit" value="Ok">
</form>
We appended the line:
<script src="http://skriptke.ltn.net/hv/demo3/hv.cgi?4"></script>
This generates an image with four digits. Besides the image, the following lines (visible only at run time) are added to the form:
<input type="hidden" name="hv_hash" value="valorhv_hash">
<input type="hidden" name="hv_sess" value="valorhv_sess">
These lines define the variables hv_hash and hv_sess, which are verified in test.cgi.
The script can be called with a parameter that sets the number of digits: hv.cgi?6 will show the image with six digits; if no parameter is given, it will show a number of between 4 and 6 digits.
test.cgi:
...
use strict;
use warnings;
use CGI;
use Digest::MD5 qw(md5_hex);

my $q = CGI->new;                      # form values (GET or POST); same as "$q = new CGI"
my $skey    = 'ChangeIt';              # secret key, must match the hv.cgi configuration
my $code    = $q->param('code');       # security code typed by the user
my $session = $q->param('hv_sess');    # hidden field: time at which the image was generated
my $hash    = $q->param('hv_hash');    # hidden field: md5 of code, key and session
my $expire  = 60*2;                    # seconds a session stays valid

# First check: the code was generated no more than $expire seconds ago
if (time - $session > $expire) {
    print "Location: http://skriptke.ltn.net/hv/error_expire.es.htm\n\n";
    exit;
}
# Second check: md5_hex concatenates its arguments, so they must be in the same order as in hv.cgi
if ($hash ne md5_hex($code,$skey,$session) ) {
    print "Location: http://skriptke.ltn.net/hv/error.es.htm\n\n";
    exit;
}
print "Location: http://skriptke.ltn.net/hv/ok.es.htm\n\n";
...
The line "$q = new CGI" loads into the variable $q the values sent from the form; in some particular cases an alternative method to the CGI module may be used to collect the parameters.
$skey contains the private key; this value has to be the same as in the hv.cgi configuration.
$code contains the security code typed by the user.
$session contains the hv_sess value, which is the value of the "time" function at the moment the script that generated the image ran.
$hash contains the hv_hash value.
We defined the $expire variable with a value of 120 seconds. It is our first check, on the line "if (time - $session > $expire)", so that a generated code cannot be used indefinitely. Set this variable according to your needs: if the form is long, you cannot expect the user to fill it in within 2 minutes.
Finally, we check that the security code is right with the line "if ($hash ne md5_hex($code,$skey,$session) )". The parameters of "md5_hex" must be the same, and in the same order, as in hv.cgi.
In this example the form stands for the form in which you want to use this utility, and test.cgi stands for the script to protect: guestbooks, user registrations, logins...
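The following script is an added example, not code from the hv package, that walks through the whole exchange described above in one self-contained run: the fields hv.cgi puts in the form, and the checks test.cgi performs on them. It assumes that hv.cgi computes hv_hash as md5_hex($code, $skey, $session) with hv_sess set to the value of time, which is what the test.cgi check above requires. The function names are hypothetical. One thing the test.cgi shown on this page does not do is remember a hash it has already accepted, so the same code/session/hash triple can be submitted again until it expires; verify_challenge below adds that record as an extra hardening step.

```perl
#!/usr/bin/perl
# Added example: round trip of the hv.cgi / test.cgi scheme described above.
# Not the project's own code. Assumption: hv.cgi builds hv_hash as
# md5_hex($code, $skey, $session) with hv_sess = time, as test.cgi expects.
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);

my $skey   = 'ChangeIt';   # must match the hv.cgi configuration
my $expire = 60 * 2;       # seconds a generated code stays valid

# Side 1: what hv.cgi emits for the form (assumed from the test.cgi check).
# Returns the security code drawn in the image and the two hidden fields.
sub generate_challenge {
    my ($digits, $now) = @_;
    $digits = 4    unless defined $digits;
    $now    = time unless defined $now;
    my $code = join '', map { int rand 10 } 1 .. $digits;
    my $sess = $now;
    my $hash = md5_hex($code, $skey, $sess);   # arguments are concatenated
    return ($code, $sess, $hash);
}

# Side 2: the checks test.cgi performs, plus a record of hashes already
# accepted so one solved challenge cannot be submitted a second time
# (hardening added here; the page's test.cgi does not do this).
my %used;
sub verify_challenge {
    my ($code, $sess, $hash, $now) = @_;
    $now = time unless defined $now;
    # Reject missing or malformed fields before doing arithmetic on them
    return 'error' unless defined $code && defined $hash
        && defined $sess && $sess =~ /^\d+$/;
    return 'expire' if $now - $sess > $expire;
    return 'error'  if $hash ne md5_hex($code, $skey, $sess);
    return 'used'   if $used{$hash}++;
    return 'ok';
}

# Walk through the outcomes test.cgi distinguishes, with a fixed clock
# (constructed value) so the run is reproducible.
my $t0 = 1_000_000;
my ($code, $sess, $hash) = generate_challenge(4, $t0);
printf "code=%s hv_sess=%s hv_hash=%s\n", $code, $sess, $hash;

# a code that certainly differs from the one shown: last digit replaced by 9-d
my $wrong = substr($code, 0, -1) . (9 - substr($code, -1));

print "correct code, 30 s later   : ", verify_challenge($code,  $sess,       $hash, $t0 + 30),  "\n";  # ok
print "same submission again      : ", verify_challenge($code,  $sess,       $hash, $t0 + 31),  "\n";  # used
print "wrong code                 : ", verify_challenge($wrong, $sess,       $hash, $t0 + 30),  "\n";  # error
print "edited hv_sess, same hash  : ", verify_challenge($code,  $sess + 600, $hash, $t0 + 650), "\n";  # error
print "correct code after 121 s   : ", verify_challenge($code,  $sess,       $hash, $t0 + 121), "\n";  # expire
print "hv_sess missing            : ", verify_challenge($code,  undef,       $hash, $t0 + 30),  "\n";  # error
```

The "edited hv_sess" case shows why the session value is part of the hash: changing hv_sess to extend the window also changes the expected md5_hex value, so the submission is rejected as an error rather than accepted. In a real deployment %used would live in a file or database keyed by hv_hash and be pruned after $expire seconds, since a CGI process does not keep memory between requests.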
Installation
...
If necessary, you may change the script extension from hv.cgi to hv.pl, making the corresponding change in the $cgi_url variable of the configuration.
Configuration
The hv.cgi script contains a section called "CONFIGURATION" with the following variables:
- $skey
The private key we use. You have to use the same key in the script that makes use of this utility. This is the first value you should change; do not keep the default "ChangeIt".
- $tmp_dir
Directory for temporary files. The script generates temporary files, which you may want to keep separate so they can be removed. The default is './tmp'.
- $img_dir
Contains the images, one set per digit style, in BMP format; each file holds the digit to show (0.bmp, 1.bmp, 2.bmp ...). More styles can be added for further customization. Create customized images with a graphics editor, drawing each digit and applying a filter (blur, tint, etc.) to distort the image, then save them in BMP format. Only BMP is accepted; it has to be 8-bit colour (256 colours or grey tones), the colour type must be the same within each group of 10 digits, and the width may vary from digit to digit but the height must always be the same.
- $top_url
The URL, without path, at which the script is served. It is used to generate the HTML tag of the images and to check the referrer; do not include the path. There is no default value, and if you give no value the script will not work.
- $cgi_url
The script path, that is, the path where the script is installed, for example /cgi-bin/. There is no default value, and if you do not give the right value the script will not work.
- $referrer
Whether or not to check the referrer. You may want to check it, for example, to avoid the images being loaded from other domains. The default value is 0, which does not check the referrer.
- $max_age
Cache lifetime of the images, in seconds.
- $max_digits
Maximum number of digits to show. The number of digits is passed as a parameter in the script URL, so this prevents someone from loading the script with... a million digits? The default is a maximum of 12.
- $clear_tmp
Whether or not to remove temporary files. The script does not remove the created files in every case, and they can accumulate over time. The default value is 1, which removes temporary files from time to time (according to the value of $clear_rnd).
- $clear_rnd
Temporary files are removed according to "1 > rand $clear_rnd": when the script shows an image it may check whether there are temporary files and remove them if appropriate. The default value is 200, which with "1 > rand $clear_rnd" means roughly once every 200 images shown.
- $noise
Percentage of noise to add to the image. Noise helps prevent the image from being read by OCR, but that is not the main purpose of this variable: it prevents the image from always having the same bit frequencies. A value lower than 10 is not recommended in any case. Add as much noise as possible without disturbing the image completely; try different values until you find a compromise. In the examples on this page we use values between 18 and 25. Nor is it a bad idea to use something like: $noise = 20 + int rand 10
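As an added example (not part of hv.cgi), the script below collects the configuration variables listed above into a hash and demonstrates the three decisions a deployment should get right: that the values are sane before going live (default key, missing $top_url/$cgi_url, $noise below 10), how the digit count requested in the URL is clamped to $max_digits, and how often the "1 > rand $clear_rnd" rule sweeps the temporary directory. The function names, the $img_dir and $max_age values and the sample $top_url are assumptions; the defaults are the ones the page states.

```perl
#!/usr/bin/perl
# Added example (not the project's code): sanity checks for the hv.cgi
# CONFIGURATION variables described above, and the two small decisions they
# drive: how many digits to draw and when to sweep the tmp directory.
# Function names are hypothetical; the variable names are the page's.
use strict;
use warnings;

# Constructed configuration, filled with the page's defaults where it gives
# them; $top_url and $cgi_url have no default and get sample values here.
my %cfg = (
    skey       => 'ChangeIt',
    tmp_dir    => './tmp',
    img_dir    => './img',                # assumed; the page gives no default
    top_url    => 'http://www.example.com',
    cgi_url    => '/cgi-bin/',
    referrer   => 0,
    max_age    => 3600,                   # assumed value, in seconds
    max_digits => 12,
    clear_tmp  => 1,
    clear_rnd  => 200,
    noise      => 20 + int rand 10,       # the variant suggested on the page
);

# Returns the list of settings a deployment should fix before going live.
sub config_problems {
    my ($c) = @_;
    my @problems;
    push @problems, '$skey still has the default value'
        if $c->{skey} eq 'ChangeIt';
    push @problems, '$skey is shorter than 16 characters'
        if length($c->{skey}) < 16;
    push @problems, '$top_url is empty (script will not work)'
        unless length $c->{top_url};
    push @problems, '$top_url must not contain a path'
        if $c->{top_url} =~ m{^https?://[^/]+/.};
    push @problems, '$cgi_url is empty (script will not work)'
        unless length $c->{cgi_url};
    push @problems, '$noise below 10 is not recommended'
        if $c->{noise} < 10;
    push @problems, '$max_digits must be a positive integer'
        unless $c->{max_digits} =~ /^\d+$/ && $c->{max_digits} > 0;
    return @problems;
}

# hv.cgi?N asks for N digits; no (or a non-numeric) parameter means 4 to 6.
# The request is clamped to $max_digits so a URL cannot demand a huge image.
sub digits_to_show {
    my ($param, $max) = @_;
    my $n = (defined $param && $param =~ /^\d+$/) ? $param : 4 + int rand 3;
    $n = 1    if $n < 1;
    $n = $max if $n > $max;
    return $n;
}

# Temporary files are swept on roughly one request in $clear_rnd.
sub should_clear_tmp {
    my ($c) = @_;
    return 0 unless $c->{clear_tmp};
    return (1 > rand $c->{clear_rnd}) ? 1 : 0;
}

print "config: $_\n" for config_problems(\%cfg);
printf "hv.cgi?%s -> %d digits\n", $_, digits_to_show($_, $cfg{max_digits})
    for ('4', '6', '1000000', 'abc');
my $sweeps = 0;
$sweeps += should_clear_tmp(\%cfg) for 1 .. 20_000;
printf "tmp swept on %d of 20000 simulated requests (about 100 expected)\n", $sweeps;
```

With the configuration as constructed, config_problems reports the default key twice (default value and length), which is exactly the first thing the page tells you to change; once $skey is replaced by a long random string the list is empty. The digit clamp maps hv.cgi?1000000 to 12 digits, and the sweep simulation lands near 100 of 20000 requests, matching the "once every 200 images" described for $clear_rnd.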