desirepath41 / visualCaptcha

visualCaptcha's Main Repo. This is a collection of all the different versions/repos of visualCaptcha.
https://emotionloop.github.io/visualCaptcha-demo/

Visual Captcha is automatable which defeats the purpose of CAPTCHA #18

Closed Gyaani closed 9 years ago

Gyaani commented 9 years ago

My development team recently implemented the Visual Captcha solution. I am a tester in the team and I was able to automate Visual Captcha recognition. My development team is therefore currently working on an alternate solution to enhance the Visual Captcha so it can't be automated. Here is how I automated it.

What the development team implemented:

  1. The application that I tested uses Visual Captcha to present a challenge question and 5 possible answer images asking the user to click the right image.
  2. The challenge question is presented as an image.

Pre-requisites for test automation:

  1. Install tesseract (or any OCR tool)
  2. Download compare.exe (or any image comparison tool)
  3. Go to the application and save around 30-40 different challenge answer images in a folder and give them proper names. For example, if you are saving the Chair answer image, call it Chair.jpg. Similarly, save at least 30-40 images with file names that match the answer.

How I automated Visual Captcha recognition:

  1. I use the automation script to save the challenge question as a file.
  2. Then the script makes a call to the tesseract command line utility to read the challenge question from this saved file and get the text out of it. Let's assume that the challenge question was "Please click or select Chair".
  3. From the script, save all the 5 answer images presented on screen as Image1.jpg, Image2.jpg, ... Image5.jpg.
  4. Call the compare.exe command line utility from the script and compare Image1.jpg with all the images saved in the repository earlier, in a loop, until you get a file that matches 100% or until all files have been scanned. If you found a file that matched 100%, then that file name is the answer for the image shown to you. Let's assume this image was Plane.jpg. This does not match my challenge question, which is Chair. So go to step 6.
  5. Continue comparing Image2.jpg, Image3.jpg, etc. and see if any of them match Chair. If none of them match, then hit the refresh button to get a new set of CAPTCHAs and retry.
  6. When I ran the script around 100 times, I was able to get a success rate of almost 80% without hitting the refresh button. For the remaining 20%, where the script was not able to get a good comparison, the script just hits the refresh button and tries again, and usually succeeds the second time. The script never had to try more than 3 times and always got 100% success.

Here is the C# code that I used to do this automation.

Code to read text from image:

    public void ThenIGetTheIconInformationThatWebsiteWantsMeToClick()
    {
        string RepositoryPath = @"\\mir\ECommDev\CAPTCHARepository\";
        string FileToDecipher = "Question1.png";
        Process pProcess = new Process();
        pProcess.StartInfo.FileName = @"C:\Windows\System32\cmd.exe";
        string ProcessArgs = @"/c tesseract " + RepositoryPath + FileToDecipher + @" " + RepositoryPath + @"Utils\CAPTCHAQuestion";
        pProcess.StartInfo.Arguments = ProcessArgs;
        pProcess.StartInfo.UseShellExecute = false;
        pProcess.StartInfo.CreateNoWindow = true;
        pProcess.StartInfo.RedirectStandardOutput = true;
        pProcess.Start();
        // Wait for tesseract to finish writing CAPTCHAQuestion.txt before reading it
        pProcess.WaitForExit();
        string[] lines = File.ReadAllLines(RepositoryPath + @"Utils\CAPTCHAQuestion.txt");
        string CAPTCHAQuestion = lines[0].ToUpper().Trim();
        Console.WriteLine("CAPTCHA Question is: " + CAPTCHAQuestion);
    }

Code to compare answer image with repository image:

    public void ThenIRecognizeAndGetImageInfoOrRefreshUntilIGetAnImageThatIRecognizeAndClickIt()
    {
        string RepositoryPath = @"\\mir\ECommDev\CAPTCHARepository\";
        string fileToCompare = @"Answer6.png";
        string[] fileEntries = Directory.GetFiles(RepositoryPath + "Repo");
        string strOutput = "";
        decimal bestMatch = 0;
        decimal toleranceLimit = 60;
        decimal currentMatch = 0;
        string matchedfile = "";
        string recognizedObject = "";
        foreach (string fileName in fileEntries)
        {
            Process pProcess = new Process();
            pProcess.StartInfo.FileName = RepositoryPath + @"Utils\Compare.Exe";
            pProcess.StartInfo.Arguments = RepositoryPath + fileToCompare + " " + fileName;
            pProcess.StartInfo.UseShellExecute = false;
            pProcess.StartInfo.CreateNoWindow = true;
            pProcess.StartInfo.RedirectStandardOutput = true;
            pProcess.Start();
            strOutput = pProcess.StandardOutput.ReadToEnd();
            if (strOutput.IndexOf("Difference is ") > -1)
            {
                strOutput = strOutput.Replace("Difference is ", "");
                strOutput = strOutput.Replace("%", "");
                currentMatch = (100 - Convert.ToDecimal(strOutput));
                if (currentMatch > bestMatch)
                {
                    matchedfile = fileName;
                    bestMatch = currentMatch;
                }
            }
        }
        if (bestMatch >= toleranceLimit)
        {
            matchedfile = matchedfile.ToUpper();
            recognizedObject = matchedfile.Replace((RepositoryPath + "Repo").ToUpper(), "");
            recognizedObject = recognizedObject.Replace(@"\", "");
            recognizedObject = recognizedObject.Replace(".PNG", "");
        }
        else
        {
            recognizedObject = "TRY ANOTHER IMAGE";
        }
        Console.WriteLine("CAPTCHA Answer is: " + recognizedObject);

    }

Gyaani commented 9 years ago

To prove that it's automatable, I have also automated the Visual Captcha recognition in http://demo.visualcaptcha.net/?status=validImage. The script achieves 100% recognition. I can show a demo of the script execution if needed or share a video. Please let me know.

BrunoBernardino commented 9 years ago

I believe this can be beaten by https://github.com/emotionLoop/visualCaptcha/issues/2

Also, the message of validation in the demo doesn't mean the image was valid. Showing the success message is something handled by the front-end, as that is just a demo.

BrunoBernardino commented 9 years ago

Closed by what closed #2