I started writing this blog post because Andy Glover raised the topic of CAPTCHA testing on Twitter. I had already written about CAPTCHA in one of my earlier blog posts here, but it was part of another topic and covered very little. That is why I thought of writing a dedicated blog post on CAPTCHA testing, which I dedicate to Andy Glover (Don’t you know him? He is a great cartoonist with respect to software testing. Check out his blog at http://cartoontester.blogspot.com/; I love his cartoons and I am pretty sure you will too). Below is a list of test ideas for testing CAPTCHA (its job is to stop bots from spamming; humans can still spam even when a CAPTCHA is present).
Functional / Usability / Accessibility
- When the CAPTCHA is not entered, there should be client-side validation that displays an error message on submission of the form. This is a usability aid only; the server must still reject the submission on its own (see the server-side validation point below).
- CAPTCHA entry should be case-sensitive.
- All form field data should be retained if the CAPTCHA text field fails validation.
- There should be a link (AJAX) that reads something like “Refresh the text in CAPTCHA”. It helps end users who cannot make out some characters in the current image to get a fresh set of characters.
- Audio support is needed if the website is meant to be usable by blind or partially sighted end users.
- Too much background noise can spoil the comfort of listening to an audio CAPTCHA. It is good to gather opinions on the audio CAPTCHA from many people; having blind and partially sighted people listen to it would be an excellent idea.
- If a web service is used and the CAPTCHA is fetched from another server, it is important to check whether it renders smoothly, in sync with the other form components and page elements. In my experience, I have seen the CAPTCHA load a few seconds after all other page elements were displayed, which gave me the feeling that there was nothing more to display and the whole page had loaded. Then it suddenly appeared, which felt odd.
- Proper TAB indexing should be done even for the CAPTCHA text field. I have seen reCAPTCHA used in a registration form where TAB indexing was missed for it. I suggested to the developer that they fix it, as Google’s reCAPTCHA provides an option to set the tab index.
- CAPTCHA images should not reveal absolute path names. A predictable, enumerable file name tells an attacker which image (and therefore which answer) is being served. Using a web service, like reCAPTCHA, is a good idea.
- Do not serve CAPTCHA images in a cyclic fashion, e.g. 1 to 100 and then 1 to 100 again. That is easy to crack. It is better to have an algorithm that generates a huge number of CAPTCHA images using image libraries.
- Using background noise in the image, different textures and different angles for the characters might be a good way to make it harder for CAPTCHA-cracking programs such as http://free-ocr.com/ and a few others.
- Audio-to-text converters: use some of these tools and see whether they are able to crack the audio CAPTCHA.
- The CAPTCHA should refresh on every wrong entry. Keeping it static leaves the same challenge open to repeated guessing until it is bypassed.
- There needs to be server-side validation of the CAPTCHA entry. Use Firebug to inspect the CAPTCHA element and delete it from the client side, then fill in the form without the CAPTCHA and submit it. If the submission is accepted, there is no server-side validation, which is a high-risk finding: it is equivalent to not having a CAPTCHA at all.
- In my opinion, CAPTCHAs with plain-text questions and answers, or plain-text mathematical questions, are not recommended.
- Combinations of uppercase and lowercase letters, digits and special characters can be used to increase the number of possible answers, which makes brute-forcing the CAPTCHA much slower. Attackers usually do not brute-force such a large space; rather, they hire humans to solve the CAPTCHA manually. Yes, there are CAPTCHA-breaking services.
- Storing the list of CAPTCHA questions in a JS file is an easy vulnerability: all the questions can be retrieved, assertions added using an automation tool like Selenium, and the CAPTCHA bypassed. I had seen this vulnerability in the check-in service web application Gowalla or Foursquare; I do not really remember which one exactly.
- I had hacked the CAPTCHA by getting the absolute path names. The images were named 1.PNG, 2.PNG, 3.PNG…200.PNG. I used DownThemAll and gave it a range to download all the images. Then I prepared the text equivalent of those CAPTCHAs within an hour and had the text for all 200. Then I added assertions like: when the image is 1.JPG, enter the corresponding text. With that I was able to bypass any CAPTCHA.
- This was for Gowalla or Foursquare (again, I do not remember exactly): I was able to remove the CAPTCHA component from the client side using Firebug and then submit the registration form without the CAPTCHA. Guess what? I was able to register successfully. So, server-side validation is a MUST.
- On Mozilla Firefox’s quality.mozilla.org, I saw a Turing test that always had the same question, which means the same answer. It was surprising to me. I reported it to them and it is now fixed.
- One of the government websites of India had a CAPTCHA that was easily cracked using http://free-ocr.com/; I cannot reveal the website name because it has not yet been fixed.
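As an added example (not from the original post), here is a small server-side verification routine in Python that puts several of the points above into practice: the expected text stays on the server, the challenge token is random rather than sequential, every attempt consumes the challenge (so a wrong entry forces a new image), the comparison is case-sensitive, and a form that arrives without the CAPTCHA fields is rejected. The in-memory store, the field names and the TTL are assumptions made for this example.

```python
import hmac
import secrets
import string
import time

# Constructed for this example: outstanding challenges, token -> (expected_text, expires_at).
# A real deployment would keep this in a server-side session store or cache; the point is
# that the expected text never travels to the client.
CHALLENGES = {}
CHALLENGE_TTL_SECONDS = 300
ALPHABET = string.ascii_letters + string.digits  # mixed case plus digits, as the post suggests


def new_challenge(length=6):
    """Issue a fresh CAPTCHA: a random, non-sequential token plus the text to render.
    Only the token goes to the client (e.g. in a hidden field); the text stays here."""
    token = secrets.token_urlsafe(16)
    text = "".join(secrets.choice(ALPHABET) for _ in range(length))
    CHALLENGES[token] = (text, time.time() + CHALLENGE_TTL_SECONDS)
    return token, text


def answers_match(expected, given):
    """Case-sensitive, constant-time comparison of the submitted answer."""
    return hmac.compare_digest(expected.encode(), given.encode())


def verify_submission(form):
    """Server-side check of a submitted form (dict of field name -> value).
    Returns (ok, reason). Every attempt consumes the challenge, so a wrong or
    replayed answer cannot be retried against the same image."""
    token = form.get("captcha_token")
    answer = form.get("captcha")
    if not token or not answer:
        # A client that deleted the widget and submitted anyway lands here.
        return False, "captcha missing"
    entry = CHALLENGES.pop(token, None)  # single use, whatever the outcome
    if entry is None:
        return False, "unknown or already used challenge"
    expected, expires_at = entry
    if time.time() > expires_at:
        return False, "challenge expired"
    if not answers_match(expected, answer):
        return False, "wrong captcha"
    return True, "ok"
```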
I think I will stop here. I will add any other test ideas I come up with in future in the comments section.
Do you have any other specific questions or test ideas? Then the comment section is always there. I hope bots do not want to ask questions or suggest test ideas. I have got no CAPTCHA, and I will not implement one until I see some great work in housekeeping *Giggles*.
I hope you all had a good read. Feel free to share this on Facebook, Twitter or LinkedIn. I do not charge for it. It’s FREE FREE FREE!!! Thanks in advance for sharing. Love you all.