No CAPTCHA reCAPTCHA

CAPTCHA-cartoonHow many times you feel affronted while reading those stupid numbers or words and re-entering it just to prove that you are a human. We call them CAPTCHA(Completely Automated Public Turing test to tell Computers and Humans Apart) and recommend it to avoid several kind of flooding attacks, brute force attacks and sometimes even for CSRF attacks.
It’s time-consuming as well as frustrating.

2014-12-04 20_50_15-recaptcha - Google SearchBut as always, Google thought to add some convenience to your annoyed eyes. Google has re-introduced the CAPTCHA with a full makeover to it. This new CAPTCHA is just a single click in the check-box telling “I’m not a robot”.

So instead of CAPTCHA or reCAPTCHA, we have now No CAPTCHA reCAPTCHA and this is how it looks.Recaptcha_anchor@2xOn websites using this new API, a significant number of users will be able to securely and easily verify they’re human without actually having to solve a CAPTCHA. Instead, with just a single click, they’ll confirm they are not a robot.

According to Google,

While the new reCAPTCHA API may sound simple, there is a high degree of sophistication behind that modest checkbox. CAPTCHAs have long relied on the inability of robots to solve distorted text. However, our research recently showed that today’s Artificial Intelligence technology can solve even the most difficult variant of distorted text at 99.8% accuracy. Thus distorted text, on its own, is no longer a dependable test.

To counter this, last year we developed an Advanced Risk Analysis backend for reCAPTCHA that actively considers a user’s entire engagement with the CAPTCHA—before, during, and after—to determine whether that user is a human. This enables us to rely less on typing distorted text and, in turn, offer a better experience for users.

However, Google also made it clear that CAPTCHA will always be present in case if risk analysis engine can’t confidently predict whether a user is a human or an abusive agent, in such scenarios it will prompt a CAPTCHA.

The No-CAPTCHA is also meant to be more mobile friendly, so instead of having to squint your ayes for some blah-blah text or numbers on your phone’s small screen, you’ll be able to match pictures instead. For example, you may be prompted with a picture of a Lion and be asked to select all the other pictures on the page that show the same animal. Isn’t it cool !!

Google is helping users to get past security barriers faster and with less frustration and adding a lots of work to do, for the hackers.

Advertisements

SQL Injection- Not a Cup of Cake

What is SQL Injection:

I have gone through many SQL Injectioimagesn tutorials before writing this post. One thing was common at every place, the queries coming from the readers. Many people don’t know what actually SQL Injection is. They think that they can easily enter into the database and make some changes, or they can simply inject some query and will have the username and password of the administrator. Well !!! Till some extent the concept is true but it is not that much easy.

So first we need to learn what is SQL Injection or better we should know what is SQL… SQL, the Structured Query Language, is the standard to access databases. Most web applications today use an SQL database to store persistent data for the application. It is likely that any web application you are testing uses an SQL database in the backend. Like many languages, SQL syntax is a mixture of database instructions and user data. If a developer is not careful, the user data could be interpreted as instructions, and a remote user could perform arbitrary instructions on the database. So, whenever we want any data to be accessed from any application our request goes in the form of SQL queries. Suppose for example, in any online library if we want to access any particular book then our request will go in form of following language,

 "SELECT booktitle FROM my_library WHERE " + " bookname=' " +SQLtutorial+ " ' ";

So, in the above case the application takes the bookname from the user and searches it in the TABLE named my_library and if after matching returns that particular page. So it means if that particular name doesn’t match it should not return anything, but in actual scenario there is nothing stopping an attacker from injecting SQL statements in the bookname field to change the SQL query. Let’s re-examine the SQL query string. Continue reading