Hazi’s Bachelor Thesis - STOP Layer 7 attacks now!


Comments

  • tentor Member, Host Rep

    @FlorinMarian said: I just have to add a few more images and track how many tries you have.

    Just adding images won't help you because an attacker can cache all variations of your images and save svg+xml values for color-monochrome pairs, and use them when attacking.

  • FlorinMarian Member, Host Rep

    @tentor said:

    @FlorinMarian said: I just have to add a few more images and track how many tries you have.

    Just adding images won't help you because an attacker can cache all variations of your images and save svg+xml values for color-monochrome pairs, and use them when attacking.

    I can have thousands of variations :) and to see all of them you'll have to manually change your IP to see (maybe) a new combination.

  • tentor Member, Host Rep
    edited December 2023

    @FlorinMarian said: and to see all of them you'll have to manually change your IP

    1. Delete cookie is free
    2. IPv6 is free as well (and I can automate curl requests from random IP address within v6/48)

    @FlorinMarian said: I can have thousands of variations:)

    I doubt you will do all that manually... Using public icons is not a good idea IMO, look at how far hCaptcha went with their challenges (they went so far that they are blurring animals' heads and asking the user to click on them lol)

    Thanked by 1MMzF
  • @davide said: It can recognize images, click, drag, and knock on Frorin's door at a late spooky hour. Layer 7 my dick.

    Let me know how you plan to make an AutoHotKey botnet.

    Reply to @tentor:
    1) I've seen three obfuscation methods. One is what you pointed out, the second involves using 'decodeURIComponent(window.atob())', and the third is a weird combo of 'decodeURIComponent(window.atob())' with string manipulation.
    2) Your idea might work, but it needs a browser botnet, which is pretty hard to come by. My main aim was to solve everything without relying on a browser.

    @FlorinMarian said: Like, if you have two fails => at third you're banned for a few minutes.

    That would ruin my strategy, which involved attempting each image until the correct one is found.
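The two defensive points raised above, a lockout after the third failed attempt and the observation that deleting cookies is free and addresses inside a v6/48 are free, fit together in one piece of server-side logic. The following is an added example written for this thread, not code from FlorinMarian's thesis or from any poster: failures are counted under a key derived from the client network (IPv6 collapsed to its /48, IPv4 as-is) rather than under a cookie, and a ban refuses even correct answers until it expires, so "try each image until the correct one is found" stops working. The thresholds and the `client_key`/`CaptchaGate` names are assumptions.

```python
import ipaddress
import time
from collections import defaultdict

# Thresholds as discussed in the thread: two failures are tolerated, the
# third one triggers a ban "for a few minutes" (exact values are assumptions).
MAX_FAILURES = 2
BAN_SECONDS = 300


def client_key(ip: str) -> str:
    """Key under which failures are counted.

    IPv4 addresses are used as-is. IPv6 addresses are collapsed to their /48,
    because one subscriber can typically use any address inside that block,
    so counting per single v6 address would let a client reset its counter at will.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 6:
        return str(ipaddress.ip_network(f"{addr}/48", strict=False))
    return str(addr)


class CaptchaGate:
    """Tracks CAPTCHA failures per client key and enforces a temporary ban.

    State lives server-side only, so clearing cookies does not reset it.
    `now` is injectable so the expiry logic can be tested without sleeping.
    """

    def __init__(self, now=time.time):
        self._now = now
        self._failures = defaultdict(int)
        self._banned_until = {}

    def is_banned(self, ip: str) -> bool:
        key = client_key(ip)
        until = self._banned_until.get(key)
        if until is None:
            return False
        if self._now() >= until:
            # Ban expired: forget it and start the failure count fresh.
            del self._banned_until[key]
            self._failures.pop(key, None)
            return False
        return True

    def record_attempt(self, ip: str, solved: bool) -> bool:
        """Register one CAPTCHA attempt. Returns True only if it is accepted."""
        if self.is_banned(ip):
            # Refuse even correct answers while banned, so the remaining
            # image variations cannot simply be tried one after another.
            return False
        key = client_key(ip)
        if solved:
            self._failures.pop(key, None)
            return True
        self._failures[key] += 1
        if self._failures[key] > MAX_FAILURES:
            self._banned_until[key] = self._now() + BAN_SECONDS
        return False


if __name__ == "__main__":
    gate = CaptchaGate()
    # Three wrong answers from three different addresses in the same /48.
    for src in ("2001:db8:1::10", "2001:db8:1:ffff::2", "2001:db8:1:2::3"):
        print(src, "accepted" if gate.record_attempt(src, solved=False) else "rejected")
    print("whole /48 banned:", gate.is_banned("2001:db8:1::beef"))
```

The in-memory dictionaries are only for illustration; behind a load balancer the same counters would live in a shared store so every backend sees the same failure count.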

  • tentor Member, Host Rep
    edited December 2023

    @sillycat said: Your idea might work, but it needs a browser botnet,

    No, my original idea is based on a wrong understanding of how this version works :D

    However, if it did, the obfuscation used is too easy to require a browser. The only thing you need is to know the obfuscation methods in advance.

    Thanked by 1sillycat
  • @sillycat said:
    Let me know how you plan to make an AutoHotKey botnet.

    Fuck you :)

  • davide Member
    edited December 2023

    @davide said:
    Fuck you :)

    Maybe it wasn't entirely politically correct to write down that comment in all its subtleties. Yet I think a good Fuck You in this instance conveys the maximum amount of information payload that can easily be digested and understood by the counterparty.

    Let me know if you need further clarification, I'll be available for you to further explain myself :)

  • @davide said: Fuck you


    Frorin's idea does prevent L7 attacks. Solving one captcha via AutoHotKey does not constitute an attack. That is all that needs to be said.

    @tentor said: (they went so far that they are blurring animals' head and asking user to click on it lol)

    Their new challenges are now AI-generated. Even worse...

  • tentor Member, Host Rep

    @sillycat said:
    Their new challenges are now AI-generated. Even worse...

    Are they changing it daily?!

    Thanked by 1sillycat
  • tentor Member, Host Rep

    Interesting, we haven't had an attack on our website for a few months already, but as soon as I participated in this discussion someone launched an HTTP GET flood at /index.php?rp=/store/kvm-vps :expressionless:

    Thanked by 1sillycat
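A GET flood against one path like the one tentor mentions is easy to spot in the access log if requests are counted per client network rather than per address, since a v6 attacker can rotate through a /48 as freely as noted earlier in the thread. The following is an added example, not tentor's code or any tooling from the thread: it parses combined-format log lines, aggregates IPv6 sources to their /48, and flags any (client, path) pair that reaches a threshold of GETs inside a sliding window. The log lines are constructed for the demo (documentation addresses only), and the window, threshold and function names are assumptions.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined log format: ip ident user [time] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)


def client_key(ip: str) -> str:
    """IPv6 sources are aggregated to their /48 so address hopping inside
    one allocation still counts as one client; IPv4 is used as-is."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6:
        return str(ipaddress.ip_network(f"{addr}/48", strict=False))
    return str(addr)


def parse_line(line: str):
    """Return the fields we need from one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "client": client_key(m["ip"]),
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def detect_floods(lines, window_seconds=10, threshold=20):
    """Sliding-window count of GETs per (client, path).

    Lines are assumed to be in time order per client, as a live log is.
    Returns {(client, path): peak_count} for every pair that reached
    `threshold` requests inside any `window_seconds` span.
    """
    windows = defaultdict(deque)
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET":
            continue
        key = (rec["client"], rec["path"])
        dq = windows[key]
        dq.append(rec["ts"])
        # Drop timestamps that fell out of the window.
        while dq and (rec["ts"] - dq[0]).total_seconds() > window_seconds:
            dq.popleft()
        if len(dq) >= threshold:
            flagged[key] = max(flagged.get(key, 0), len(dq))
    return flagged


def _log_line(ip, ts, method, path, status):
    stamp = ts.strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{stamp}] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'


def make_sample_log():
    """Constructed sample (not real log data): one /48 hammering the store page
    from rotating addresses, plus one ordinary visitor."""
    base = datetime(2023, 12, 1, 12, 0, 0, tzinfo=timezone.utc)
    store = "/index.php?rp=/store/kvm-vps"
    lines = []
    for i in range(25):
        src = f"2001:db8:5:{i % 4}::{i + 1}"  # 25 addresses, all inside 2001:db8:5::/48
        lines.append(_log_line(src, base + timedelta(seconds=i * 0.3), "GET", store, 200))
    lines.append(_log_line("203.0.113.7", base, "GET", store, 200))
    lines.append(_log_line("203.0.113.7", base + timedelta(seconds=2), "POST", "/cart.php", 302))
    return lines


if __name__ == "__main__":
    for (client, path), peak in detect_floods(make_sample_log()).items():
        print(f"flood: {client} -> {path} ({peak} GETs in 10s)")
```

Keyed per single address the same sample would never trip the threshold, since each v6 address appears only once; the /48 aggregation is what makes the rotating source visible as one client.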
  • davide Member
    edited December 2023

    @sillycat: the captcha can be solved at a higher level than its source code. AutoHotKey for Windows is a mock example; AutoKey (notice the different name!!) is an equivalent mock example for linux that can search for patterns on the screen, click, and drag. Either can be packaged in a qemu image, any graphical software can run on a virtual frame buffer, and anything can be in a rootkit. What the fuck of a retort was that.

    More pragmatically, Chromium can do the same on its own with puppeteer and with a backend to parse images or canvases.

    And is a captcha the proper solution against a botnet? I don't want your answer!

    Thanked by 1yoursunny
  • tentor Member, Host Rep

    @davide said: And is a captcha the proper solution against a botnet?

    CAPTCHA is definitely one of the ways to distinguish bot and human.

    I don't want your answer!

    :disappointed:

    Thanked by 1sillycat
  • @tentor said:
    :disappointed:

    Thank you.

Sign In or Register to comment.