Dear Reuben,

I agree CAPTCHA is a deterrent even for legitimate traffic. You can use a simple algorithm to capture the IP address of the submitted response, validate that IP address for multiple submissions in x minutes or y hours, and suspend that particular submission for some time.

You may wish to additionally use parameters like browser agent, referrer location, screen resolution and data stored in form cookies to fine-tune your algorithm and create a unique parameter to validate requests. Regarding suspension or showing the user some deterrent message ("you have already submitted", etc.), I would recommend creating a spam trap: redirect the first submission to the production database and all possible spam responses to a spam-trap database, for the purpose of collecting intelligence to fine-tune your algorithm and to manage false positives.

Note: All these must be implemented as server-side controls; any control on the user side can easily be rendered useless.

Cheers,
Tarun Gupta

From: <[email protected]<mailto:[email protected]>> on behalf of reuben kurien
Date: Thursday, May 21, 2015 at 4:08 PM
To: "[email protected]<mailto:[email protected]>"
Subject: [OWASP-Delhi] To CAPTCHA or not

I would like to know about the current best practices related to the use of rate-limiting functions on a customer-facing web registration form, i.e. on an organisation's public page where the use of CAPTCHA is frowned upon by management due to reduced user experience. If you are working in the finance domain, you would probably appreciate why CAPTCHAs are not the best approach for a customer-facing site.
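The sliding-window check and spam-trap routing that Tarun describes, as an added example that is not part of the thread. The window, threshold, suspension length and the set of fingerprint parameters are assumptions; a real deployment would persist the state in a shared store rather than in memory.

```python
"""Server-side form rate limiting with a spam trap (added example, not from
the thread). Window, threshold and suspension values are assumptions."""
import hashlib
import time
from collections import defaultdict, deque

WINDOW_SECONDS = 600      # assumed window: 10 minutes
MAX_SUBMISSIONS = 3       # assumed submissions allowed per client key per window
SUSPEND_SECONDS = 3600    # assumed suspension once the threshold is exceeded


def client_key(ip, user_agent="", referrer="", screen="", form_cookie=""):
    """Combine the IP with the extra request parameters into one opaque key,
    so the limiter is not keyed on the IP alone (shared NATs, proxies)."""
    raw = "|".join([ip, user_agent, referrer, screen, form_cookie])
    return hashlib.sha256(raw.encode("utf-8")).hexdigest()


class SubmissionGate:
    """Routes each submission to the production store or the spam trap."""

    def __init__(self):
        self._history = defaultdict(deque)   # key -> timestamps in the window
        self._suspended_until = {}           # key -> unix time suspension ends
        self.production = []                 # accepted records
        self.spam_trap = []                  # records kept only for intelligence

    def submit(self, key, record, now=None):
        """Return "production" or "spam_trap" and store the record accordingly."""
        now = time.time() if now is None else now
        if self._suspended_until.get(key, 0) > now:
            self.spam_trap.append((key, now, record))   # still suspended
            return "spam_trap"
        hist = self._history[key]
        while hist and now - hist[0] > WINDOW_SECONDS:   # slide the window
            hist.popleft()
        hist.append(now)
        if len(hist) > MAX_SUBMISSIONS:
            # Over the threshold: suspend the key and quarantine, do not reject
            # outright, so false positives can be reviewed later.
            self._suspended_until[key] = now + SUSPEND_SECONDS
            self.spam_trap.append((key, now, record))
            return "spam_trap"
        self.production.append((key, now, record))
        return "production"
```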
_______________________________________________
OWASP-Delhi mailing list
[email protected]
https://lists.owasp.org/mailman/listinfo/owasp-delhi
LinkedIn Group: https://www.linkedin.com/groups?gid=89270
Twitter: https://twitter.com/OWASPdelhi
