Click here to Skip to main content
13,347,168 members (55,342 online)
Click here to Skip to main content
Add your own
alternative version


27 bookmarked
Posted 1 Jul 2007

The Image-Based CAPTCHA: Part 2

, 1 Jul 2007
Rate this:
Please Sign up or sign in to vote.
The article continues the topic of image-based CAPTCHAs.


The article continues the topic of image-based CAPTCHAs that was started in my previous article, The Image-Based CAPTCHA. Please look through it in order to get some idea about this article's subject.

Image-Based Bot Detector

I made a control - I named it ImageBasedBotDetector - that implemented the idea stated in the previous article. Its code differs from the example posted before, basically because of the separation of the code that renders the control and the code that renders the CAPTCHA image (it is replaced with an HttpHandler). For use, it needs to set TemplateImageFolder to a path where template images are located, and add the registration of the HttpHandler in the web.config.

  <add verb="GET" path="ImageBasedBotDetector.ashx" 

       type="Marss.Web.UI.Controls.ImageBasedBotDetector, Marss.Web"/>

ImageBasedBotDetector can be used as either a finished control, or as a base control if you want to add your own functionality - the GetTemplateImage and DrawCustom methods are virtual and can be overridden. An example of use you can be found in the demo project #1.

A few answers on your comments

After the previous article publication, I got many comments concerning the reliability of this type of CAPTCHAs. I'll try to systematize and answer them.

  1. It is possible to make a system that can recognize images and find the distorted part.
  2. Quite possible, no doubt. If it is possible to distinguish between a real person and a fake one on a photo, then it can be done for specific distortions on a picture. Most of the text-based CAPTCHAs are also crackable in 90-99% of the cases, but it does not prevent their general use. The fact is that there is no system that can crack everything; a specific implementation is required in every concrete case. Specific implementations mean resources and money. So, don't worry if your site is not as popular as Yahoo! or Google.

  3. A solution that relies on JavaScript is not firm because the script can be disabled.
  4. Sure, this is applicable for about 4% of visitors. But, it is hard to imagine a present-day web application that offers site-to-visitor interaction and does not use JavaScript. Besides, if you use ASP.NET controls, then most probably you already have these visitors excluded.

  5. Insufficient accessibility.
  6. The control now offers three types of distortion: Stretched, Random, and Volute (see picture).




    Also, you can implement your own distortion if you set DistortionType to Custom and override the DrawCustom method.

  7. Possibility to download template images and compare them to an image that is generated by the CAPTCHA.
  8. To avoid pixel-to-pixel comparison, an original image is slightly distorted too. As for more complicated comparisons, read paragraph #1.

    Besides, a reconstruction of template images set can be avoided if you don't use any images set. It sounds strange, but actually it is rather simple. The basic principle is that though images of specific themes are required, there is no need to sort them manually. So you can use a search engine, for example Google Images search. Select a theme, for example, "Landscape", and choose the appropriate search keywords. Then, override the GetTemplateImage method.

    public class AdvancedImageBasedBotDetector : 
      //search request pattern
      private const string requestPattern = 
        "" + 
      protected override System.Drawing.Image GetTemplateImage()
        //search keywords 
        string[] keywords = new string[] { "forest", "mountains", "waterfall", 
                                           "falls", "hills", "lake"};
        Random r = new Random();
        //build request url based on keyword that was selected in a random way
        string url = string.Format(requestPattern, 
                            keywords[r.Next(0, keywords.Length)], r.Next(0, 50));
        HttpWebRequest req = (HttpWebRequest)WebRequest.Create(url);
        using (HttpWebResponse resp = (HttpWebResponse)req.GetResponse())
            if (resp.StatusCode == HttpStatusCode.OK)
                string html;
                using (StreamReader sr = new StreamReader(resp.GetResponseStream()))
                    //get content of the search results page
                    html = sr.ReadToEnd();
                Regex re = new Regex(@"dyn\.Img[(](?:""([^""]*)""[,)])*", 
                MatchCollection matches = re.Matches(html);
                if (matches.Count > 0)
                    //select one of the image urls found on the search results page
                    Match match = matches[r.Next(0, matches.Count)];
                    string imageUrl = string.Format("{0}?q=tbn:{1}{2}",
                    //get image
                    HttpWebRequest req2 = (HttpWebRequest)WebRequest.Create(imageUrl);
                    using (HttpWebResponse resp2 = (HttpWebResponse)req2.GetResponse())
                        if (resp2.StatusCode == HttpStatusCode.OK)
                            System.Drawing.Image im = 
                            return im;
        //use default implementation if getting template image failed for any reason
        return base.GetTemplateImage();

    A working example can be seen in the demo project #2 or on my site.

  9. What is this necessary for?
  10. If the answer "pleasant variety" does not suit you, then - I guess - it may to say that this type of CAPTCHAs are more user friendly (one mouse click vs. typing 5-6 letters).

That is all. Start to criticize :).

Other Links


This article has no explicit license attached to it but may contain usage terms in the article text or the download files themselves. If in doubt please contact the author via the discussion board below.

A list of licenses authors might use can be found here


About the Author

Mykola Tarasyuk
Software Developer (Senior)
Ukraine Ukraine
I'm a software developer from Ukraine. I write about ASP.NET and other .NET related topics over at

You may also be interested in...

Comments and Discussions

GeneralToo crackable Pin
reinux2-Jul-07 12:01
memberreinux2-Jul-07 12:01 
As far as a bot is concerned this algorithm is analogous to a CAPTCHA whose challenge is "find the character X in this picture". It can be cracked by a generic CAPTCHA cracking algorithm used for text-based CAPTCHAs:
1. Edge detect by shifting 1px and then negating the difference.
2. OCR[^] to detect the distortion design.

Unfortunately with this algorithm, the harder it is for a particular image to be seen by a bot, the harder it is for a human to see it as well, thus defeating the purpose of the CAPTCHA.

As for avoiding image comparison, Hausdorff image matching[^] would make images identifiable even if they are slightly distorted. Storing the image in a database wouldn't make any difference; a lot of bots use the MSIE DOM API to retrieve data from webpages in practically the exact same way that users see them.
GeneralRe: Too crackable Pin
Mykola Tarasyuk2-Jul-07 23:10
memberMykola Tarasyuk2-Jul-07 23:10 

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Praise Praise    Rant Rant    Admin Admin   

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.

Permalink | Advertise | Privacy | Terms of Use | Mobile
Web01 | 2.8.180111.1 | Last Updated 1 Jul 2007
Article Copyright 2007 by Mykola Tarasyuk
Everything else Copyright © CodeProject, 1999-2018
Layout: fixed | fluid