
Comments
At least this bot won't pass.
I also tried to use ChatGPT to generate SVG images, it's stupid from this point of view.
This is at least strange, because it won't even redirect you to HTTPS.
Can you try to manually use https instead of http, please?
It won't pass with the correct answer?
Either I don't know enough English or ChatGPT didn't even recognize a helicopter.
@FlorinMarian, HTTP redirect works fine but not HTTPS endpoint (:443 port seems to silently discard my connection)
301 Moved Permanently
This may be due to your proxy connection + our integration.
I'll investigate further but honestly I don't have too much to lose if proxied connections won't pass.
Are you banning ASNs? https://check-host.net/check-report/13439b75keda
No, some routes are failing all the time according to check-host.net results.
No idea which ISP in the path blocks some hosts during transit.
Finally I figured out the reason:
Looks like firewall issue
@yoursunny will be sad for you
301 Moved Permanently
Fixed.
My nginx config missed
listen [::]:443 ssl;
Thanks a lot!
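The symptom described above (the :80 redirect answers over IPv6 but :443 silently drops the connection) is what a server block with only an IPv4 `listen 443 ssl;` produces. The following is an added example, not the original poster's configuration: a minimal nginx layout that redirects HTTP to HTTPS and accepts TLS on both address families. The server_name, certificate paths and the upstream address are placeholders.

```nginx
# HTTP: answer on both address families and send everyone to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name example.com;                # placeholder
    return 301 https://$host$request_uri;
}

# HTTPS: the second listen line is the one that was missing. Without it,
# IPv6 clients still get the 301 from :80 above, but nothing accepts
# their connection to [::]:443, which looks like a silent drop / firewall.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com;                # placeholder

    ssl_certificate     /etc/ssl/example.com/fullchain.pem;  # placeholder path
    ssl_certificate_key /etc/ssl/example.com/privkey.pem;    # placeholder path

    location / {
        proxy_pass http://127.0.0.1:8080;   # assumed backend behind the bot-protection proxy
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

After `nginx -t` and a reload, `ss -ltnp | grep 443` should list both `0.0.0.0:443` and `[::]:443`, and `curl -4 -sI https://example.com/` and `curl -6 -sI https://example.com/` should both return the same status instead of one of them hanging.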
You know what? I already know how to automate bypass!
I specified from the very beginning that I know this vulnerability and I will address it by randomizing both the solution ids and the name of the image offered as a solution.
OK, but why have you pushed vulnerable and easily exploitable protection to production?
Because vulnerable code is better than nothing.
Also, you guys will help me to do my best:)
Well, I believe you should check out nginx testcookie and use SlowAES as a form of basic PoW. It does not require any action from the user and is heavy for the attacker to pass (for sure it could be automated, BUT you need an enormous amount of computational resources wasted on passing the challenge). Also, we have integrated it with crowdsec to automatically ban attackers' IP addresses (temporarily, for sure; 10 minutes is sufficient). For more effect, send abuse complaints (it may remove some infected devices from a proxy botnet). Things like Tor can ultimately be blocked and redirected to a .onion (it is computationally harder for an attacker to connect to a .onion than to a clearnet resource, both over Tor).
When our website was targeted several times these measures helped us to successfully mitigate all attacks, and no customer has complained since their introduction several months ago.
Fixed both appearance & image name
Implement automatic IP address ban and wait for DDoS attempts, this is the only way to check how good this protection is
That's enough for today.
Regarding PoW DoS protection, I was thinking about something simpler than SlowAES, like a recursive fibonacci + a random operation.
VERY easily precomputed on a beefy server once and reused as many times as needed
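The two posts above (the SlowAES/testcookie suggestion and the warning that a fixed puzzle such as recursive Fibonacci is precomputed once and reused) are about the same property: a proof-of-work challenge only costs the attacker anything if every challenge is fresh and the answer cannot be cached. The block below is an added example, not code from the thread or from nginx testcookie: a hashcash-style challenge whose random nonce makes precomputation useless, with the client address and an expiry bound into the challenge by an HMAC so the server keeps no per-client state, and a redeemed-nonce set so a solved challenge cannot be replayed. The secret, difficulty and TTL values are assumptions.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Assumed server-side secret (hypothetical: load it from the environment in practice).
SERVER_SECRET = os.urandom(32)

# Nonces already redeemed, so a solved challenge cannot be submitted twice.
_redeemed: set = set()


def issue_challenge(client_ip: str, difficulty_bits: int = 16, ttl: int = 120) -> dict:
    """Server side: build a fresh challenge. The random nonce is what defeats
    precomputation (a fixed puzzle such as fib(n) has one reusable answer);
    the client IP and expiry are authenticated by an HMAC, so nothing is stored."""
    expires = int(time.time()) + ttl
    nonce = os.urandom(16).hex()
    payload = f"{client_ip}|{expires}|{difficulty_bits}|{nonce}"
    tag = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a digest (the PoW difficulty measure)."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def _work_hash(payload: str, counter: int) -> bytes:
    return hashlib.sha256(f"{payload}:{counter}".encode()).digest()


def solve(challenge: dict) -> int:
    """Client side: brute-force a counter until the hash meets the difficulty.
    Expected cost is about 2**difficulty_bits hashes, paid again per challenge."""
    bits = int(challenge["payload"].split("|")[2])
    counter = 0
    while leading_zero_bits(_work_hash(challenge["payload"], counter)) < bits:
        counter += 1
    return counter


def verify(challenge: dict, counter: int, client_ip: str, now: Optional[float] = None) -> bool:
    """Server side: one HMAC plus one hash, however high the difficulty was."""
    now = time.time() if now is None else now
    expected_tag = hmac.new(SERVER_SECRET, challenge["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, challenge["tag"]):
        return False  # payload was tampered with (e.g. difficulty lowered by the client)
    ip, expires, bits, nonce = challenge["payload"].split("|")
    if ip != client_ip or now > int(expires) or nonce in _redeemed:
        return False  # wrong client, expired, or already redeemed
    if leading_zero_bits(_work_hash(challenge["payload"], counter)) < int(bits):
        return False  # the work was not actually done
    _redeemed.add(nonce)
    return True


if __name__ == "__main__":
    ch = issue_challenge("203.0.113.7")  # constructed sample client address
    answer = solve(ch)
    print("counter", answer, "accepted:", verify(ch, answer, "203.0.113.7"))
```

The asymmetry is the point: raising `difficulty_bits` by one doubles the attacker's cost per request while `verify` stays at two hash computations. In a real deployment the redeemed set would live in something shared (e.g. Redis with the same TTL as the challenge) rather than in process memory.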
Hey!
February is fast approaching, when I will have to present my bachelor thesis, so..
Bot protection was upgraded today and we increased the difficulty level with two important changes:
1. There are no more plaintext ids for possible solutions
2. The random IDs generated for the possible solutions are unique for each user, but here too there is dynamism, as the ID is only valid for 24 hours.
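One way to get exactly the two properties listed above (no plaintext solution ids; ids unique per user and only valid for 24 hours) without a database table of ids is to derive each id from a server secret, the session and a 24-hour time window with an HMAC. The block below is an added example and not the thread author's implementation; the secret, the label list and the session strings are constructed sample data. The same derivation with a different label set can name the served image file, so the filename is as opaque as the id.

```python
import hashlib
import hmac
import os
import secrets

# Hypothetical server secret and candidate image labels (constructed sample data).
SECRET = os.urandom(32)
LABELS = ["helicopter", "car", "boat", "bicycle", "tree", "house"]
ID_LIFETIME = 24 * 3600  # ids rotate every 24 hours


def _window(now: float) -> int:
    return int(now) // ID_LIFETIME


def opaque_id(session: str, label: str, now: float) -> str:
    """Per-session, per-24h-window id for a label. Deterministic given the secret,
    so the server recomputes it instead of storing a mapping; meaningless without
    the secret, and different for every session and every window."""
    msg = f"{session}|{_window(now)}|{label}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:24]


def build_challenge(session: str, now: float) -> dict:
    """Pick the correct label and present all candidates under opaque ids in a
    random order (the order must not leak the index into LABELS)."""
    correct = secrets.choice(LABELS)
    ids = [opaque_id(session, label, now) for label in LABELS]
    secrets.SystemRandom().shuffle(ids)
    # The server remembers only which label is correct for this session.
    return {"session": session, "correct_label": correct, "options": ids}


def check_answer(session: str, submitted_id: str, correct_label: str, now: float) -> bool:
    """Accept the id for the correct label from the current window, or from the
    previous one so a challenge issued just before rotation still validates.
    Anything older, or any id derived for another session, is rejected."""
    if not submitted_id.isascii():
        return False
    for window_time in (now, now - ID_LIFETIME):
        expected = opaque_id(session, correct_label, window_time)
        if hmac.compare_digest(expected, submitted_id):
            return True
    return False


if __name__ == "__main__":
    import time
    ch = build_challenge("sess-demo", time.time())
    print(ch["options"])  # six opaque ids, none of which says which image it is
```

Because the ids are keyed to the session, an attacker who harvests the id-to-image mapping from one session learns nothing usable in another, and after the window rolls over even the same session gets a fresh set.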
Will you be selling this technology?
I will ask for the copyright when I hand over the project to the faculty, but not for the purpose of direct selling.
I plan to also offer web hosting in the future, and to offer this level of security to my clients for free, without direct access to the source code, of course, but in the form of a proxy, as was intended.
Then, whether your question was ironic or not, maybe financially what this mess does is not worth much, but for me it means a lot, since I've been dreaming about it for a year but never had the motivation to put into practice what I was thinking.
I've just spent the last hour trying to create something to solve your captcha. It's impressive how you always modify the JavaScript code and keep the challenge ID there.
I managed to make something to solve POW captchas, but making something to solve your captcha made me kill myself. Good job.
@sillycat
Try 10 minutes with AutoHotKey
I was Playing PokerStars with it a decade ago.
It can recognize images, click, drag, and knock on Frorin's door at a late spooky hour. Layer 7 my dick.
A bit of challenge misunderstanding. UPD: Ah, I got it, correctSolution is a color image, not a monochrome one.
However, there is still a vulnerability: images are not randomized and an attacker can create an array of SVG image pairs.
business genius
I could leave JS 100% clean without any impact.
You will never know what id should be used in an automatic manner.
To complicate this solution I just have to add a few more images and track how many tries you have. Like, if you have two fails => at the third you're banned for a few minutes. But it is not required (yet), even if something like this is simple to implement.
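The try-counting idea in the post above (two failures allowed, the third one bans the client for a few minutes), and the temporary automatic IP ban mentioned earlier in the thread, come down to a sliding window of failures per client plus a ban expiry. The block below is an added example, not the thread author's code: timestamps are passed in explicitly so the behaviour can be checked without sleeping, and the client addresses are constructed sample data. In production the same decision is usually delegated to crowdsec or fail2ban reading the web server's log, but the logic is the same.

```python
from collections import defaultdict, deque


class FailureBanList:
    """Track failed CAPTCHA attempts per client and ban a client for a while
    once it exceeds the allowed failures inside the window."""

    def __init__(self, max_failures: int = 2, window: float = 300.0, ban_seconds: float = 600.0):
        self.max_failures = max_failures   # failures tolerated; the next one bans
        self.window = window               # seconds over which failures are counted
        self.ban_seconds = ban_seconds     # "a few minutes" from the post above
        self._failures = defaultdict(deque)  # client -> timestamps of recent failures
        self._banned_until = {}              # client -> time the ban expires

    def is_banned(self, client: str, now: float) -> bool:
        until = self._banned_until.get(client)
        if until is None:
            return False
        if now >= until:
            del self._banned_until[client]   # ban expired, forget it
            return False
        return True

    def record_failure(self, client: str, now: float) -> bool:
        """Register a failed attempt; returns True if it triggered a ban."""
        q = self._failures[client]
        q.append(now)
        while q and q[0] < now - self.window:  # drop failures outside the window
            q.popleft()
        if len(q) > self.max_failures:
            self._banned_until[client] = now + self.ban_seconds
            q.clear()
            return True
        return False

    def record_success(self, client: str) -> None:
        self._failures.pop(client, None)


def handle_attempt(bans: FailureBanList, client: str, solved: bool, now: float) -> str:
    """Decision for one submitted answer: 'ok', 'retry' or 'banned'.
    A banned client is refused even if its answer is correct."""
    if bans.is_banned(client, now):
        return "banned"
    if solved:
        bans.record_success(client)
        return "ok"
    return "banned" if bans.record_failure(client, now) else "retry"


if __name__ == "__main__":
    bans = FailureBanList()
    for t in (0, 10, 20):  # constructed: three wrong answers from one address
        print(t, handle_attempt(bans, "203.0.113.7", False, t))
```

Keying on the client address is the simplest choice but punishes everyone behind a shared NAT or proxy; keying on the session cookie from the challenge instead, or on both, avoids that at the cost of letting an attacker reset by discarding the cookie.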