What is a CAPTCHA puzzle?
AWS WAF provides standard CAPTCHA functionality that challenges users to confirm that they are human beings. CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart. CAPTCHA puzzles are designed to verify that a human is sending requests and to prevent activity like web scraping, credential stuffing, and spam.
Each CAPTCHA puzzle includes a standard set of controls for the end user to request a new puzzle, switch between audio and visual puzzles, access additional instructions, and submit a puzzle solution. All puzzles include support for screen readers, keyboard controls, and contrasting colors.
A typical visual puzzle requires interaction to complete a specific part of an image, as shown in the following screenshot.

AWS WAF CAPTCHA puzzles are designed to be intuitive across multiple geographic regions. The default puzzles rely on visual elements and various forms of computer interaction. AWS WAF CAPTCHA includes alternative audio-based puzzles for users with visual impairment. This guidance is provided in English only. The puzzles meet the requirements of the Web Content Accessibility Guidelines (WCAG). For information, see Web Content Accessibility Guidelines (WCAG) Overview.
The audio puzzle option provides background noise overlaid with instructions in English about text that the user should type into a text box. The following screenshot shows the display for the audio puzzle choice.

The written instructions for the puzzles are available in multiple languages. The CAPTCHA puzzle starts with the client browser language and provides the option to change the language through a dropdown menu. The written instructions for CAPTCHA puzzles are available in Arabic (ar-SA), simplified Chinese (zh-CN), Dutch (nl-NL), English (en-US), French (fr-FR), German (de-DE), Italian (it-IT), Japanese (ja-JP), Brazilian Portuguese (pt-BR), Spanish (es-ES), and Turkish (tr-TR). In JavaScript clients, you can change the default starting language if you implement the CAPTCHA client application APIs. For information about this option, see AWS WAF JavaScript integrations.
CAPTCHA puzzles are intended to be fairly easy and quick for humans to complete successfully and hard for computers to either complete successfully or to randomly complete with any meaningful rate of success. CAPTCHA is commonly used when a Block action would stop too many legitimate requests, but letting all traffic through would result in unacceptably high levels of unwanted requests, such as from bots.
CAPTCHA can't weed out all unwanted requests. Many CAPTCHA puzzles have been solved using machine learning and artificial intelligence. In an effort to circumvent CAPTCHA, some organizations supplement automated techniques with human intervention. In spite of this, CAPTCHA continues to be a useful tool to prevent less sophisticated bot traffic and to increase the resources required for large-scale operations.
AWS WAF randomly generates its CAPTCHA puzzles and rotates through them to ensure that users are presented with unique challenges. AWS WAF regularly adds new types and styles of puzzles to remain effective against automation techniques. In addition to the puzzles, the AWS WAF CAPTCHA script gathers data about the client to ensure that the task is being completed by a human and to prevent replay attacks.