How to modify the Bitrix captcha?

Good afternoon, colleagues.
For some time now, fake users generated by bots have been appearing on a Bitrix 15.6.8 site. Looking into it revealed the trouble: the standard captcha, it seems, has a security problem. It is enough to look at a captcha once and then keep submitting that captcha_word and captcha_code to the form. Because the password is not changed for each captcha separately, an attacker can easily and quickly spam the website by substituting values known in advance to be valid into these two fields.
For now I just change the captcha password once a day, but I would like each captcha to have its own password. For example, by adding an auto-generated "salt" (like "QWERT") to the current captcha password and passing it through a form parameter.
Maybe someone has ideas on this?
August 19th 19 at 22:58
3 answers
August 19th 19 at 23:00
The Bitrix captcha is used only once. After successful verification it is deleted. You probably messed something up in the code.
Ha, I thought so too! To create the same captcha, it is enough to request the picture by its captcha_code ID, and the new/old captcha is created and recorded in the database! - Rachel_Hammes commented on August 19th 19 at 23:03
August 19th 19 at 23:02
As an alternative solution, you can buy a reCAPTCHA module. I saw one on the Marketplace for around 1K.
August 19th 19 at 23:04
I will share my solution. I made the captcha out of Russian letters and replaced the font with one that is difficult for bots to recognize; for example, L and P look almost the same.
No, that's not the problem. The problem is that you can endlessly resubmit an already recognized captcha!
The algorithm is this:
1) fetch the authorization form with a server-generated session
2) we take an already known captcha_code whose captcha_word we simply read by eye; the server re-generates the record in the table for our old captcha (we do not care which captcha the server generated when issuing the form)
3) send the form with our session and the substituted captcha_word and captcha_code
4) all that is left for the user is to go to the mail and activate the account - Rachel_Hammes commented on August 19th 19 at 23:07
If you change the captcha to Cyrillic, the captcha_code/captcha_word pairs will change, and I think they are unlikely to be collected from your site. - Rachel_Hammes commented on August 19th 19 at 23:10
I think I've found a way out. Just throw out the Bitrix captcha as shitty and install https://www.phpcaptcha.org - darron.Jakubowski71 commented on August 19th 19 at 23:13
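
The replay discussed in this thread depends on a known captcha_code/captcha_word pair staying acceptable after it has been seen once. As an added example (not Bitrix code and not from any poster; the class `OneTimeCaptchaStore`, its methods and all sample values are hypothetical), this PHP class binds each code to the issuing session, consumes it on every verification attempt, and never re-creates a record when the image is requested for an unknown or used code:

```php
<?php
// Added example, not Bitrix code: OneTimeCaptchaStore and all values are hypothetical.
final class OneTimeCaptchaStore
{
    private $rows = [];  // stands in for the server-side captcha table
    private $ttl;

    public function __construct(int $ttl = 300) { $this->ttl = $ttl; }

    // Form render: a fresh random code per form, bound to the issuing session.
    public function issue(string $sessionId, string $word, int $now): string
    {
        $code = bin2hex(random_bytes(16));
        $this->rows[$code] = ['word' => strtoupper($word), 'sid' => $sessionId, 'exp' => $now + $this->ttl];
        return $code;
    }

    // Image endpoint: serves live codes only and never creates a row for an
    // unknown, expired or already used code.
    public function wordForImage(string $code, string $sessionId, int $now): ?string
    {
        $row = $this->rows[$code] ?? null;
        if ($row === null || $row['exp'] < $now || !hash_equals($row['sid'], $sessionId)) {
            return null;
        }
        return $row['word'];
    }

    // Form submit: the row is consumed on every attempt, pass or fail.
    public function verify(string $code, string $word, string $sessionId, int $now): bool
    {
        $row = $this->rows[$code] ?? null;
        unset($this->rows[$code]);
        if ($row === null || $row['exp'] < $now || !hash_equals($row['sid'], $sessionId)) {
            return false;
        }
        return hash_equals($row['word'], strtoupper($word));
    }
}

// Constructed sample run (session ids and words are made up).
$store = new OneTimeCaptchaStore();
$code  = $store->issue('sess-A', 'KXQ7P', 1000);
var_dump($store->verify($code, 'KXQ7P', 'sess-A', 1005));   // first submit of the pair
var_dump($store->verify($code, 'KXQ7P', 'sess-A', 1006));   // same pair submitted again
var_dump($store->wordForImage($code, 'sess-A', 1007));      // image request for the used code
$other = $store->issue('sess-A', 'M3ZT9', 1000);
var_dump($store->verify($other, 'M3ZT9', 'sess-B', 1001));  // pair submitted from another session
```

When the rows live in a real database, the read and delete in `verify` must be one atomic operation so that two parallel submissions of the same pair cannot both pass.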
