This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit

OWASP PureCaptcha

Jump to: navigation, search
OWASP Project Header.jpg

Welcome to OWASP Pure Captcha project page!

OWASP PureCaptcha

Use CAPTCHAs in your application without any dependencies, no required libraries and nothing to install. Just include a single small source-code file to have fully functional lightweight CAPTCHAs in your project.


CAPTCHA is a feature detecting humans from computers, needed in many aspects of all web applications to prevent bots from flooding and spamming. Unfortunately all existing libraries and APIs require too much effort for a small application to be feasible and maintainable, so a lot of developers just give up on using CAPTCHAs where they are needed. This is due to the fact that generating CAPTCHAs requires a large body of code libraries to be available. It depends on image manipulation (like GD and Imagick), font rendering (Freetype and etc.) SOAP or Curl and etc. each of which are high level libraries and have a lot more dependencies. PureCapthca provides a single source code file which does the entire CAPTCHA generation and handling, because it only includes code for rendering a few alphanumeric letters from scratch, creating simple BMP files from nothing and modifying simple bitmap images.

This allows developers to easily add a single source code file to their projects and reap full CAPTCHA benefits with minimal memory and processing footprint and ZERO dependencies.


Creative Commons Attribution ShareAlike 3.0 License

Apache 2 License

Project Resources


Source Code

Project Leader

Abbas Naderi

Related Projects

OWASP PHP Security Project

CSRFProtector Project


Project Type Files CODE.jpg
Incubator Project Owasp-builders-small.png
Affero General Public License 3.0

News and Events

First version released!

There are basically three operations needed to properly utilize CAPTCHAs:

  • Generating A Captcha

This can be done by the show method of PureCaptcha. It will terminate the current request and return an image to the client.

  • Persisting The Captcha Value

The show method also returns a string equal to the Captcha contents. You need to persist it on the session for the user (preferably for a limited amount of time). The example code shows how this can be done simply in your programming language, but any other persistence layer would be fine. Keep in mind that for every Captcha used inside your application (e.g one for login page, one for password reset page, one for remove user page) you should persist the Captcha separately, so that a user can simultaneously use all your applications functionalities without one Captcha overriding the expected value for the other.

  • Validating The Captcha

It is very important to remove the Captcha from persistence after its validated, whether its wrong or right. If you leave a Captcha persisting after validation, attackers can bypass your Captcha by inspecting it once and then using the same Captcha over and over to send requests to your application. See the example usages for more details.

How Can I Use PureCaptcha?

Just include the source code file in your project, and visit the sample usage files to learn how to properly use a captcha.

How can I participate in your project?

All you have to do is make the Project Leader's aware of your available time to contribute to the project. It is also important to let the Leader's know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key.

If I am not a programmer can I participate in your project?

Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator.


The first contributors to the project were:


Currently PHP library is available and tested. Porting to all major programming languages is the next step. Since the library is pretty small, this shouldn't be a hard task and can be done in one summer by 1 candidate.

Getting Involved

Involvement in the development and promotion is actively encouraged! You do not have to be a security expert or a programmer to contribute. Some of the ways you can help are as follows:


Any programming language you like, you can either port PureCaptcha to or improve the existing code!


Are you fluent in another language? Can you help translate the text strings and documents into that language?


Do you have a flair for finding bugs in software? We want to product a high quality product, so any help with Quality Assurance would be greatly appreciated. Let us know if you can offer your help.


mailing list: TBA

  • What do like?
  • What don't you like?
  • What features would you like to see prioritized on the roadmap?

What does this OWASP project offer you?
What releases are available for this project?
what is this project?
Name: N/A
Purpose: N/A
License: N/A
who is working on this project?
Project Leader(s): N/A
how can you learn more?
Project Pamphlet: Not Yet Created
Project Presentation:
Mailing list: N/A
Project Roadmap: Not Yet Created
Key Contacts
  • Contact the GPC to contribute to this project
  • Contact the GPC to review or sponsor this project
current release
last reviewed release

other releases