This blog post was voted as 8th best in Top 10 Web Hacking Techniques of 2011 poll.
With the goal of creating a tool that can help security professionals and developers to test their CAPTCHA schemes, I conducted a research on over 200 high traffic websites and several CAPTCHA service providers listed on Quantcast’s Top 1 Million Ranking Websites.
During the same time frame, students at the Stanford University also conducted a similar research (PDF). Both research works concluded the obvious:
An alarming number of CAPTCHAs schemes are vulnerable to automated attacks.
I looked around, tested and zeroed in on Tesseract-OCR as my OCR engine. To remove color complexities, spatial irregularities, and other types of random noise from CAPTCHAs, I decided to write my own image preprocessing engine. After a few months of research, coding and testing in my spare time, TesserCap was born and is ready for release now.
TesserCap is a GUI based, point and shoot CAPTCHA analysis tool with the following features:
A generic image preprocessing engine that can be configured as per the CAPTCHA type being analyzed.
Tesseract-OCR as its OCR engine to retrieve text from preprocessed CAPTCHAs.
Web proxy support
Support for custom HTTP headers to retrieve CAPTCHAs from websites that require cookies or special HTTP headers in requests
CAPTCHA statistical analysis support
Character set selection for the OCR Engine
An example TesserCap image preprocessing and run on Wikipedia (Wikimedia’s Fancy CAPTCHA) is shown below:
TesserCap and it's user manual can be downloaded from one of the following locations:
The two tables below summarize the CAPTCHA analysis performed using TesserCap for few popular websites and some CAPTCHA service providers. All these tests were performed using TesserCap’s image preprocessing module and Tesseract-OCR’s default training data.
*This accuracy maybe further increased by training the Tesseract-OCR engine for the CAPTCHAs under test.