OSWC-JsCaptcha



AbRaMcPIMP
10-11-2009, 12:42 AM
1) CODE TITLE: OSWC-JavaScript Captcha

2) AUTHOR NAME/NOTES: Abraham Cohen

3) DESCRIPTION: Completely JavaScript based Captcha system, backed up by PHP when JavaScript is disabled. I'll certainly appreciate any feedback.

4) URL TO CODE: http://cid-f2ec12af6507fdb7.skydrive.live.com/self.aspx/OSWC/OSWC-JsCaptcha.zip

AbRaMcPIMP
10-17-2009, 11:50 PM
Anyone?

thetestingsite
10-18-2009, 12:57 AM
When I try to download the script, the link is broken (goes to a different website). I would really like to see this in action.

AbRaMcPIMP
10-19-2009, 12:49 AM
Sorry about that. The link has been updated.

AbRaMcPIMP
11-18-2009, 11:03 PM
Has anyone ever tried it?

Nile
11-18-2009, 11:07 PM
I guess it's fine. But the images should not be labelled: Image_a.png, more something like: dfkjdsf834.png.

djr33
11-19-2009, 12:19 AM
Javascript cannot be secure.
It may be possible to make it difficult to determine what is going on, but once that is determined (by reading the script), a bot can easily be programmed to do the same thing and get around the system.

Additionally you can just turn Javascript off to avoid this-- a javascript-based option to require PHP is not secure, because that can be overridden by faking the Javascript.

AbRaMcPIMP
11-22-2009, 12:27 AM
> Javascript cannot be secure.
> It may be possible to make it difficult to determine what is going on, but once that is determined (by reading the script), a bot can easily be programmed to do the same thing and get around the system.
>
> Additionally you can just turn Javascript off to avoid this-- a javascript-based option to require PHP is not secure, because that can be overridden by faking the Javascript.

Thank you for commenting. To the above:
I knew that before creating the script, that's why I built a security-system inside the script. I think you haven't read the documentation yet..?? If you haven't, please read it asap.
I also strongly suggest performing the included security test. There's also more security built in that I don't mention in the documentation, but that I tested with BOTS that I wrote myself (both PHP and Js).

Any more questions, just let me know.

djr33
11-24-2009, 07:06 AM
It certainly looks like you have attempted to cover all possible hacks, but there is still the issue that javascript can be faked-- whatever security you use in the JS can simply be replaced by whatever the user wants to use and then submit that, as you would, to the server. If you have anything in place to stop this, then it is already using PHP (or another serverside option), so it really defeats the point of the JS. The JS of course can provide a nice interactive interface on top of the php, but that's about it then.
Regardless, the way the images are chosen is the weakest part-- the filenames, whether random or obvious can simply be stored by a bot (with a bit of user investigation/programming) and the form can be bypassed.

You've got a lot covered and this would stop most users, but I am not convinced it is entirely secure or that a bot can't be written-- bots aren't random aimless things that wander the web in search of forms to submit, but instead specifically programmed applications designed by humans to bypass security measures like this. Even server side captchas can be defeated like this.

Though I haven't tested this yet, I am fairly confident that I could write a PHP script that would bypass your script, regardless of how you set it up-- here's a summary:
1. Grab the contents of your page remotely into a variable in the php.
2. Parse that string to find where the images are included.
3. For each image load it into the GD library and compare it to known results (this would simply take some time to store manually, but wouldn't be that much extra work), or perhaps just use md5_file().
4. Based on the matches of that, just submit the code via post, and that's all.

For this reason, a system with a single generated image of multiple characters is significantly more secure.

AbRaMcPIMP
11-26-2009, 12:03 AM
To djr33,

First of all, I would like to thank you for your feedback and comments. I really appreciate that.
Now to the main discussion. I don't know if I said it already, but I spent like 70% of the creation time on Security Alone!
So I know how secure this is against BOTS and other security related issues. I know it's not 100% secure, but neither are other
scripts and/or apps. Nothing can claim full security, but they can get very close to it. The security topic in this is very deep, so I
suggest you take a deeper look at the internal security by checking out the file OSWC-JsCaptcha_Tools.js

As for your concern of whether a PHP/Server Side BOT can be written against it, well of course it can, but it can't do anything to this Script
(Except for a Js BOT, which I already got them covered). The PHP code/BOT that you suggested, would fail completely against this Script.
It's a bit difficult to explain, but I'll try:

"The form inside the Js Captcha submits to a PHP based captcha that has nothing to do with the current Js Captcha (the current page).
The form submits to that PHP captcha in case Js is disabled. So upon form submission, your PHP-BOT would simply go to another Captcha page
that has nothing to do with the current captcha."

So I'm certain your suggested PHP Code/BOT, would fail against this Script. I made this Script to prevent most automated BOTS/Hacks.
I certainly hope that the community can accept this Script for wide implementation, as I think it's very easy and "Secure Enough" to implement in your forms.

As for the other commenter who mentioned the image names, well, you can use whatever image name you like, from a simple "Image-A.jpg" to
cryptic/weird names like "23087657dfkjdsf834-A.jpg". But I preferred the simpler name, so I included it as the default.

I hope you found this informative :)

djr33
11-26-2009, 04:54 AM
It looks like you have done very well making a strong captcha with Javascript, but I still don't see the point in using Javascript instead of PHP (especially when PHP is required for the fallback). The main way that a bot can beat a system is by understanding the captcha, so once a bot is programmed to work around all of the complexities of your system it will end up doing more or less what you programmed the original Javascript to do. For this reason, having hidden PHP is what makes captchas secure (unless a bot is actually programmed to read the image). There can be as many layers as you'd like, and this will make it very hard indeed to get around it, but once all of those layers are confronted by a bot it will be no harder for that bot to get around it than without the layers. Javascript is openly accessible to a bot and while it won't be able to figure it out by guessing it will be possible to program a bot SPECIFICALLY against it, and this is how many bots work-- a programmer sets up a bot to work around a certain system and it is secure.

A simple "check this box to prove you are human" will stop ALL of these bots, until a human intervenes to add that last routine to the bot's actions. Your setup is the very complex version of this, and a programmer could design a bot to get around it (based on just reading the Javascript and submitting the relevant value just as the Javascript would-- this is based on first observation then copying). Of course your system is actually so complex it may annoy a bot-programmer enough to just move on to another simpler system, but if this were to be on a website of enough value (ie, if it were to be the new standard for captchas on the web), it would be broken with enough work from a programmer to parse the complex Javascript operations.

I'm not that great with Javascript, so I'm not sure about the security holes there (though generally it is harder to predict what people may do than it is to find something creative to do to get around what is blocked), but if there is a PHP option behind it for when Javascript is disabled, this then becomes the weakest link (assuming that is possible to crack, which it is when the images are separate).

I don't mean to sound aggressive about this, but there is a real reason that captchas must be kept serverside: bots can't access the code and can't get around it except to actually break the captcha like a human would. If there is another way to get the value (as there must be in the Javascript, however buried), a bot can just look for that instead (if properly programmed), and the captcha is no longer the obstacle.


Remember the general principle that you are not concerned about the average user, but instead the worst of the worst who will be the ones actually trying to harm your site-- experts who may know more than you do (at least some of them, just by the odds) will be running all sorts of attacks on this system, and if there is a hole they will find it. It doesn't make any difference then if you stop the average user or even most experts, if one or two find a way to program a bot to bypass your captcha.

The safety now is in having not been tested against every possibility, and if the website is lucky it won't be, but if it comes down to it, Javascript will always be less secure than the PHP alternatives.
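The server-side design djr33 argues for above, as an added example that is not part of the thread or of OSWC-JsCaptcha: the answer exists only in server state, is bound to one challenge id, expires, and is consumed on use. It is written in Node.js rather than the PHP the thread discusses; the function names, the lifetime, the attempt limit and the in-memory store are assumptions.

```javascript
// Added example: server-side CAPTCHA state. issueChallenge/verifyChallenge are hypothetical names.
const crypto = require('crypto');

const TTL_MS = 2 * 60 * 1000;   // assumed challenge lifetime
const MAX_ATTEMPTS = 3;         // assumed limit on guesses per challenge
const ALPHABET = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789'; // 32 symbols, no look-alikes (I, O, 0, 1)
const store = new Map();        // id -> { digest, expires, attempts }; a session or DB in production

function digestOf(id, answer) {
  // Bind the answer to its challenge id so a digest is useless for any other challenge.
  return crypto.createHash('sha256').update(id + ':' + answer.toUpperCase()).digest();
}

function issueChallenge(now = Date.now()) {
  const id = crypto.randomBytes(16).toString('hex');
  // 256 is a multiple of 32, so byte % 32 picks symbols without bias.
  const answer = Array.from(crypto.randomBytes(6), b => ALPHABET[b % ALPHABET.length]).join('');
  store.set(id, { digest: digestOf(id, answer), expires: now + TTL_MS, attempts: 0 });
  // Only `id` goes into the form. `answer` is drawn server-side into ONE distorted image
  // served under a URL keyed by `id`; it never appears in HTML, script, or a file name.
  return { id, answer };
}

function verifyChallenge(id, submitted, now = Date.now()) {
  const entry = store.get(id);
  if (!entry) return 'unknown';                  // never issued, or already consumed
  if (now > entry.expires) { store.delete(id); return 'expired'; }
  const ok = typeof submitted === 'string' &&
    crypto.timingSafeEqual(entry.digest, digestOf(id, submitted));
  // Single use: delete on success, and after too many wrong guesses.
  if (ok || ++entry.attempts >= MAX_ATTEMPTS) store.delete(id);
  return ok ? 'ok' : 'wrong';
}
```

Any client-side script layered on top only improves the interface; the protected action (for example sending the "Tell A Friend" mail) runs only when `verifyChallenge` returns `'ok'`.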

AbRaMcPIMP
11-26-2009, 10:02 PM
Thanks again for your comments and feedback.

Well the main reason I wrote this was because I needed a Very Easy and "Secure Enough" way to implement a captcha into my form/pages.
It all began when I wrote a simple server side "Tell A Friend" script, but since I wasn't good enough with PHP, I didn't add a "Captcha Validation",
so later on I got a letter from my host, saying that their mail server was being abused, due to "too many emails being sent" from my "Tell A Friend Script".
So then I decided, why not use my Js knowledge to create/implement a very easy to use and implement Js based Captcha system, that even users
with only some HTML knowledge could implement. The pros of such a system are already mentioned inside the documentation.

AbRaMcPIMP
01-01-2010, 11:20 PM
There have been some major updates to the OSWC-JsCaptcha, specifically the further separation from PHP.
Now to use the PHP and Js version, which is the recommended one, you don't need to change your file to .php anymore.
And because of that, you don't need to insert any PHP code at all. Now it's 95% HTML, with 5% being modifying 2 simple PHP settings
inside a completely separate file, whose settings are thoroughly explained inside the file and the documentation.
The only thing left for complete PHP separation (leaving it only as a backup for when js is enabled) is finding a way to hide
the "form url" and/or the URL where the form submits to.

For the other updates, check out the file "Latest News.txt" inside the zip package.
The complete package (Documentation, Samples, Etc..) is now available for online viewing,
@ http://oswc.byethost9.com/OSWC-JsCaptcha/OSWC-JsCaptcha_Documentation.htm
From the above url, you can see the samples, test security, download the zip packages, etc..