VIPER Strike: Defeating Visual Reasoning CAPTCHAs via Structured Vision-Language Inference
Minfeng Qi, Dongyang He, Qin Wang, Lefeng Zhang
TL;DR
ViPer tackles the challenging Visual Reasoning CAPTCHAs by decoupling high-precision visual perception from adaptive, prompt-guided LLM reasoning, enabling robust cross-platform solving. The framework uses a structured perception backbone to inventory objects with compound labels and aligns this with NL queries through semantic extraction, integration, and relative-position reasoning, culminating in an image-space coordinate via a dynamic prompt. Across six real-world VRC platforms, ViPer achieves up to 93.2% accuracy and outperforms prior solvers (GraphNet, Oedipus, Holistic), with robustness across multiple LLM backbones. A lightweight defense, Template-Space Randomization, demonstrates reduced solver success, signaling a path toward human-solvable but machine-resistant VRCs.
Abstract
Visual Reasoning CAPTCHAs (VRCs) combine visual scenes with natural-language queries that demand compositional inference over objects, attributes, and spatial relations. They are increasingly deployed as a primary defense against automated bots. Existing solvers fall into two paradigms: vision-centric, which rely on template-specific detectors but fail on novel layouts, and reasoning-centric, which leverage LLMs but struggle with fine-grained visual perception. Both lack the generality needed to handle heterogeneous VRC deployments. We present ViPer, a unified attack framework that integrates structured multi-object visual perception with adaptive LLM-based reasoning. ViPer parses visual layouts, grounds attributes to question semantics, and infers target coordinates within a modular pipeline. Evaluated on six major VRC providers (VTT, Geetest, NetEase, Dingxiang, Shumei, Xiaodun), ViPer achieves up to 93.2% success, approaching human-level performance across multiple benchmarks. Compared to prior solvers, GraphNet (83.2%), Oedipus (65.8%), and the Holistic approach (89.5%), ViPer consistently outperforms all baselines. The framework further maintains robustness across alternative LLM backbones (GPT, Grok, DeepSeek, Kimi), sustaining accuracy above 90%. To anticipate defense, we further introduce Template-Space Randomization (TSR), a lightweight strategy that perturbs linguistic templates without altering task semantics. TSR measurably reduces solver (i.e., attacker) performance. Our proposed design suggests directions for human-solvable but machine-resistant CAPTCHAs.
