
Monday, May 31, 2010

Simple Captcha


Installing SimpleCaptcha is no different than installing most other libraries for a J2EE container: a jar is deployed to WEB-INF/lib and web.xml is updated. These steps are described in detail below.

   1. Download SimpleCaptcha
   2. Copy the jar file to your WEB-INF/lib directory
   3. Add a mapping to web.xml. There are three servlets provided out of the box: StickyCaptchaServlet, SimpleCaptchaServlet, and ChineseCaptchaServlet. All generate CAPTCHA image/answer pairs, but StickyCaptchaServlet and ChineseCaptchaServlet are “sticky” to the user’s session: page reloads will render the same CAPTCHA instead of generating a new one. An example mapping for StickyCaptchaServlet:



The width and height parameters are optional; if unprovided the image will default to 200×50.

   4. Restart your webserver.
   5. Browse to the location given by the url-pattern defined in web.xml, e.g., http://localhost:8080/stickyImg. If everything has been set up correctly you should see a CAPTCHA image.
   6. Now create a JSP called captcha.jsp. Add the following code inside the <body> element:

          <img src="/stickyImg" />
          <form action="/captchaSubmit.jsp" method="post">
              <input name="answer" />
              <input type="submit" value="Submit" />
          </form>

   7. Create another JSP called captchaSubmit.jsp. Add the following:

          <%@ page import="nl.captcha.Captcha" %>
          <%
          // We're doing this in a JSP here, but in your own app you'll want to put
          // this logic in your MVC framework of choice.
          Captcha captcha = (Captcha) session.getAttribute(Captcha.NAME);
          request.setCharacterEncoding("UTF-8"); // Do this before getParameter so we can capture non-Latin chars
          String answer = request.getParameter("answer");
          // captcha is null when no image was served in this session; treat that as a failed check
          if (captcha != null && captcha.isCorrect(answer)) { %>
              <p>Correct</p>
          <% } else { %>
              <p>Incorrect</p>
          <% } %>

   8. Browse to /captcha.jsp. You should get your CAPTCHA image, as well as a form for entering your answer. Submit the form and see what happens.
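Step 7 puts the check in a JSP. The servlet below is an added example, not code from the SimpleCaptcha project or from the original post, of the same check moved into a servlet as the text recommends. It uses only the library calls shown above (`nl.captcha.Captcha`, `Captcha.NAME`, `isCorrect`); the class name `CaptchaSubmitServlet`, the `Result` enum and the response texts are assumptions for the example. It adds the three things the JSP leaves out: a missing CAPTCHA in the session is a failure rather than an error, the answer parameter may be absent, and a solved CAPTCHA is removed from the session so the same answer cannot be submitted twice.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import nl.captcha.Captcha;

/**
 * Hypothetical replacement for captchaSubmit.jsp. The verification is kept
 * in a static method so it can be unit-tested with a mocked HttpSession.
 */
public class CaptchaSubmitServlet extends HttpServlet {

    /** Outcome of one verification; an enum so it is easy to log and count. */
    public enum Result { NO_CAPTCHA, NO_ANSWER, WRONG, CORRECT }

    public static Result verify(HttpSession session, String answer) {
        if (session == null) {
            return Result.NO_CAPTCHA;
        }
        Captcha captcha = (Captcha) session.getAttribute(Captcha.NAME);
        if (captcha == null) {
            // No image was ever served to this session: a failure, not "nothing to check".
            return Result.NO_CAPTCHA;
        }
        // Single use: remove it before comparing, so a replayed POST or a second tab
        // must fetch a fresh image whatever the outcome of this check.
        session.removeAttribute(Captcha.NAME);
        if (answer == null || answer.trim().isEmpty()) {
            return Result.NO_ANSWER;
        }
        return captcha.isCorrect(answer.trim()) ? Result.CORRECT : Result.WRONG;
    }

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Must precede the first getParameter call, or non-Latin answers are mangled.
        request.setCharacterEncoding("UTF-8");
        // getSession(false): do not create a session just because someone POSTed here.
        Result result = verify(request.getSession(false), request.getParameter("answer"));

        response.setContentType("text/plain; charset=UTF-8");
        response.setHeader("Cache-Control", "no-cache, no-store");
        if (result == Result.CORRECT) {
            // Continue with the protected action here (form processing, login, ...).
            response.getWriter().println("CAPTCHA accepted");
        } else {
            // One generic answer for every failure; never echo the expected text.
            response.setStatus(HttpServletResponse.SC_FORBIDDEN);
            response.getWriter().println("CAPTCHA not accepted, reload the form");
        }
    }
}
```

Map the servlet to `/captchaSubmit` in web.xml the same way the image servlet is mapped in step 3, and point the form's `action` at it instead of at `captchaSubmit.jsp`.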

Clear Browser Cache for J2EE

<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<meta http-equiv="Cache-control" content="no-cache" />
<meta http-equiv="Cache-control" content="no-store" />
<meta http-equiv="Pragma" content="no-cache" />
<meta http-equiv="expires" content="0" />

            // setHeader replaces an existing header, so two Cache-Control calls keep only
            // the last one; send both directives in a single header instead
            response.setHeader("Cache-Control", "no-cache, no-store");
            response.setHeader("Pragma", "no-cache");
            response.setDateHeader("Expires", 0);

Friday, May 7, 2010

Block Brute Force Attacks

Brute Force Attacks

A common threat web developers face is a password-guessing attack known as a brute-force attack. A brute-force attack is an attempt to discover a password by systematically trying every possible combination of letters, numbers, and symbols until you discover the one correct combination that works. If your web site requires user authentication, you are a good target for a brute-force attack.

An attacker can always discover a password through a brute-force attack, but the downside is that it could take years to find it. Depending on the password's length and complexity, there could be trillions of possible combinations. To speed things up a bit, a brute-force attack could start with dictionary words or slightly modified dictionary words, because most people will use those rather than a completely random password. These attacks are called dictionary attacks or hybrid brute-force attacks. Brute-force attacks put user accounts at risk and flood your site with unnecessary traffic.

Hackers launch brute-force attacks using widely available tools that utilize wordlists and smart rulesets to intelligently and automatically guess user passwords. Although such attacks are easy to detect, they are not so easy to prevent. For example, many HTTP brute-force tools can relay requests through a list of open proxy servers. Since each request appears to come from a different IP address, you cannot block these attacks simply by blocking the IP address. To further complicate things, some tools try a different username and password on each attempt, so you cannot lock out a single account for failed password attempts.

Blocking Mechanism

* For advanced users who want to protect their accounts from attack, give them the option to allow login only from certain IP addresses.
* Assign unique login URLs to blocks of users so that not all users can access the site from the same URL.
* Use a CAPTCHA to prevent automated attacks (see the sidebar "Using CAPTCHAs").
* Instead of completely locking out an account, place it in a lockdown mode with limited capabilities.

Here are conditions that could indicate a brute-force attack or other account abuse:

* Many failed logins from the same IP address
* Logins with multiple usernames from the same IP address
* Logins for a single account coming from many different IP addresses
* Excessive usage and bandwidth consumption from a single user
* Failed login attempts from alphabetically sequential usernames or passwords
* Logins with a referring URL of someone's mail or IRC client
* Referring URLs that contain the username and password in the format
* If protecting an adult Web site, referring URLs of known password-sharing sites
* Logins with suspicious passwords hackers commonly use, such as ownsyou (ownzyou), washere (wazhere), zealots, hacksyou, and the like (see
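The two lists above (blocking mechanisms and indicators) can be wired together in the login handler. The class below is an added example, not code from the original post: it keeps a sliding window of login attempts, computes the first three indicators from the list (failed logins from one IP, multiple usernames from one IP, one account from many IPs), and returns a decision that applies two of the blocking mechanisms, demanding a CAPTCHA for a suspicious IP and putting a targeted account into a limited "lockdown" mode rather than locking it out. The class and method names, the thresholds and the sample attempts are all constructed for the example.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.HashSet;
import java.util.Set;

/**
 * Hypothetical login-abuse monitor: a sliding window of login attempts turned
 * into a per-request decision. Thresholds and window length are illustrative.
 */
public class LoginAbuseMonitor {

    /** One login attempt as the application would record it. */
    public static final class Attempt {
        final long epochMillis;
        final String ip;
        final String username;
        final boolean success;

        public Attempt(long epochMillis, String ip, String username, boolean success) {
            this.epochMillis = epochMillis;
            this.ip = ip;
            this.username = username;
            this.success = success;
        }
    }

    /** What the login handler should do with the next attempt. */
    public enum Decision { ALLOW, REQUIRE_CAPTCHA, LOCKDOWN }

    private final long windowMillis;
    private final int captchaAfterFailures;  // failed logins from one IP before a CAPTCHA is demanded
    private final int lockdownAfterFailures; // failed logins on one account before limited mode
    private final int maxUsernamesPerIp;     // distinct usernames tried from one IP
    private final int maxIpsPerAccount;      // distinct IPs logging into one account
    private final Deque<Attempt> window = new ArrayDeque<Attempt>();

    public LoginAbuseMonitor(long windowMillis, int captchaAfterFailures, int lockdownAfterFailures,
                             int maxUsernamesPerIp, int maxIpsPerAccount) {
        this.windowMillis = windowMillis;
        this.captchaAfterFailures = captchaAfterFailures;
        this.lockdownAfterFailures = lockdownAfterFailures;
        this.maxUsernamesPerIp = maxUsernamesPerIp;
        this.maxIpsPerAccount = maxIpsPerAccount;
    }

    /** Record an attempt (attempts arrive in time order) and drop everything older than the window. */
    public void record(Attempt a) {
        window.addLast(a);
        while (window.peekFirst().epochMillis < a.epochMillis - windowMillis) {
            window.removeFirst();
        }
    }

    /** "Many failed logins from the same IP address". */
    public int failuresFromIp(String ip) {
        int n = 0;
        for (Attempt a : window) if (!a.success && a.ip.equals(ip)) n++;
        return n;
    }

    /** Failed attempts against one account, from any IP. */
    public int failuresForAccount(String username) {
        int n = 0;
        for (Attempt a : window) if (!a.success && a.username.equals(username)) n++;
        return n;
    }

    /** "Logins with multiple usernames from the same IP address". */
    public int usernamesFromIp(String ip) {
        Set<String> names = new HashSet<String>();
        for (Attempt a : window) if (a.ip.equals(ip)) names.add(a.username);
        return names.size();
    }

    /** "Logins for a single account coming from many different IP addresses". */
    public int ipsForAccount(String username) {
        Set<String> ips = new HashSet<String>();
        for (Attempt a : window) if (a.username.equals(username)) ips.add(a.ip);
        return ips.size();
    }

    /**
     * Called before the password is checked, so the decision never depends on
     * whether the username exists. LOCKDOWN keeps the account usable with reduced
     * capabilities; a full lockout would let an attacker deny service to the real user.
     */
    public Decision decide(String ip, String username) {
        if (failuresForAccount(username) >= lockdownAfterFailures || ipsForAccount(username) > maxIpsPerAccount) {
            return Decision.LOCKDOWN;
        }
        if (failuresFromIp(ip) >= captchaAfterFailures || usernamesFromIp(ip) > maxUsernamesPerIp) {
            return Decision.REQUIRE_CAPTCHA;
        }
        return Decision.ALLOW;
    }

    /** Constructed sample: one IP cycling through usernames, then one account hit from many IPs. */
    public static void main(String[] args) {
        LoginAbuseMonitor m = new LoginAbuseMonitor(10 * 60 * 1000L, 5, 10, 3, 5);
        long t = 1275000000000L;
        String[] users = { "alice", "bob", "carol", "dave" };
        for (int i = 0; i < 8; i++) {
            m.record(new Attempt(t + i * 1000L, "203.0.113.7", users[i % users.length], false));
        }
        System.out.println("203.0.113.7 / erin -> " + m.decide("203.0.113.7", "erin"));
        for (int i = 0; i < 12; i++) {
            m.record(new Attempt(t + 60000L + i * 1000L, "198.51.100." + (i + 1), "alice", false));
        }
        System.out.println("192.0.2.1 / alice -> " + m.decide("192.0.2.1", "alice"));
        System.out.println("192.0.2.1 / frank -> " + m.decide("192.0.2.1", "frank"));
    }
}
```

With the sample data the first decision is REQUIRE_CAPTCHA (eight failures and four usernames from one address), the second is LOCKDOWN (fourteen failures on alice from thirteen addresses, which the per-IP rules alone would never catch), and the third is ALLOW. The same counters are what you would feed into logging or alerting for the remaining indicators in the list; in a real deployment the window would live in a shared store rather than in one servlet's memory.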

Write your own CAPTCHA - Java example


<%@ page import="java.io.*"%>
<%@ page import="java.awt.*"%>
<%@ page import="java.awt.image.*"%>
<%@ page import="javax.imageio.ImageIO"%>
<%@ page import="java.security.SecureRandom"%>
<%
    // Never let the browser or a proxy cache the image, or a reload shows the old challenge
    response.setHeader ( "Cache-Control", "no-cache, no-store" );
    response.setHeader ( "Pragma", "no-cache" );
    response.setDateHeader ( "Expires", 0 );

    // A JSP already owns the response writer ("out"); discard it before writing
    // binary data through getOutputStream(), or the container throws at the end of the page
    out.clear ();
    out = pageContext.pushBody ();

    try {
        int width = 75;
        int height = 35;
        // SecureRandom rather than java.util.Random: the challenge must not be predictable
        SecureRandom rdm = new SecureRandom ();
        int rl = rdm.nextInt ();

        // Zero-pad to eight hex digits; Integer.toHexString alone can return fewer
        // than five characters and make substring ( 0, 5 ) throw
        String hash1 = String.format ( "%08x", rl );
        String capstr = hash1.substring ( 0, 5 );
        session.setAttribute ( "key", capstr );

        Color background = new Color ( 204, 204, 204 );
        Color fbl = new Color ( 0, 100, 0 );
        Font fnt = new Font ( "SansSerif", Font.BOLD, 17 );

        BufferedImage cpimg = new BufferedImage ( width, height, BufferedImage.TYPE_BYTE_GRAY );
        Graphics g = cpimg.createGraphics ();
        g.setColor ( background );
        g.fillRect ( 0, 0, width, height );
        g.setColor ( fbl );
        g.setFont ( fnt );
        g.drawString ( capstr, 10, 25 );
        // Two background-coloured lines struck through the text as simple noise
        g.setColor ( background );
        g.drawLine ( 10, 17, 80, 17 );
        g.drawLine ( 10, 22, 80, 22 );
        g.dispose ();

        response.setContentType ( "image/jpeg" );
        OutputStream strm = response.getOutputStream ();
        ImageIO.write ( cpimg, "jpeg", strm );
        strm.close ();
    } catch ( Exception e ) {
        e.printStackTrace ();
    }
%>

In your JSP, reference the image:

<img src="Cap_Img.jsp" style="height:40px;font-weight: bold;" >

        HttpSession session = request.getSession();
        String key = (String) session.getAttribute("key");

        // Replace the stored CAPTCHA before comparing, so the same answer cannot be
        // submitted twice (e.g. replayed through a proxy)
        SecureRandom rdm = new SecureRandom();
        int rl = rdm.nextInt();
        String hash1 = String.format("%08x", rl);
        String capstr = hash1.substring(0, 5);
        session.setAttribute("key", capstr);

        // Debug output only: this logs the expected answer, remove it before going live
        System.out.println("Debug key " + key);
        String JCaptcha = getTf_JCaptcha(); // value of the CAPTCHA input field in your form
        System.out.println("Debug getTf_JCaptcha " + JCaptcha);

        // key is null when no image was served to this session; treat that as a failed check
        if (key != null && key.equals(JCaptcha)) {
            response.sendRedirect("yourjsp.jsp");
        } else {
            // your code for a failed CAPTCHA
        }
