
Conversation

@jamielinux
Contributor

You're A Rockstar

Thank you for submitting a Pull Request (PR) to the Cheat Sheet Series.

🚩 If your PR is related to grammar/typo mistakes, please double-check the file for other mistakes in order to fix all the issues in the current cheat sheet.

Please make sure that for your contribution:

  • In case of a new Cheat Sheet, you have used the Cheat Sheet template.
  • All the markdown files do not raise any validation policy violation, see the policy.
  • All the markdown files follow these format rules.
  • All your assets are stored in the assets folder.
  • All the images used are in the PNG format.
  • Any references to websites have been formatted as [TEXT](URL)
  • You verified/tested the effectiveness of your contribution (e.g., the defensive code proposed is really an effective remediation? Please verify it works!).
  • The CI build of your PR passes, see the build status here.

If your PR is related to an issue, please finish your PR text with the following line:

This PR fixes issue #1870.

AI Tool Usage Disclosure (required for all PRs)

Please select one of the following options:

  • I have NOT used any AI tool to generate the contents of this PR.
  • I have used AI tools to generate the contents of this PR. I have verified
    the contents and I affirm the results. The LLM used is [llm name and version]
    and the prompt used is [your prompt here]. [Feel free to add more details if needed]

Thank you again for your contribution 😃

@szh
Collaborator

szh commented Oct 27, 2025

These are all good recommendations. I haven't heard of friendlycaptcha.com before and it appears to be a commercial offering. That's fine, but I think it would be good to list more than one option, and particularly to include an open source option if there is one.

@szh szh linked an issue Oct 27, 2025 that may be closed by this pull request
@jamielinux
Contributor Author

Thanks @szh for your feedback! Are you suggesting a list of soft recommendations, something like this, perhaps?

Modern CAPTCHAs include open source self-hosted options like X and Y, as well as hosted services with an open source client like Z.

@szh
Collaborator

szh commented Oct 28, 2025

@jamielinux yes exactly!

@jamielinux
Contributor Author

Great, thank you! I've made that change. Let me know what you think ☺️

@mackowski mackowski requested review from Copilot and jmanico October 30, 2025 12:43
Contributor

Copilot AI left a comment

Pull Request Overview

This PR enhances the CAPTCHA section of the Credential Stuffing Prevention Cheat Sheet by providing more comprehensive and modern guidance on CAPTCHA implementation. The update expands the section from a brief overview to a detailed guide that addresses current limitations of traditional CAPTCHAs and recommends modern alternatives.

  • Expanded CAPTCHA guidance to address limitations of traditional approaches and recommend modern alternatives
  • Added specific criteria for selecting CAPTCHA services (cryptographic challenges, adaptive difficulty, accessibility, privacy compliance)
  • Included concrete examples of modern CAPTCHA solutions (mCaptcha, Procaptcha, Friendly Captcha)

jamielinux and others added 2 commits October 30, 2025 12:54
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@jamielinux jamielinux requested a review from mackowski November 11, 2025 08:34
@mackowski
Collaborator

Thanks @jamielinux!

@mackowski mackowski merged commit f64984e into OWASP:master Nov 14, 2025
3 checks passed
Successfully merging this pull request may close these issues.

Update: Credential Stuffing Prevention

5 participants