
Thread: OSWC-JsCaptcha

  1. #1

    1) CODE TITLE: OSWC-JavaScript Captcha

    2) AUTHOR NAME/NOTES: Abraham Cohen

    3) DESCRIPTION: Completely JavaScript based Captcha system, backed up by PHP when JavaScript is disabled. I'll certainly appreciate any feedback.

    4) URL TO CODE: http://cid-f2ec12af6507fdb7.skydrive...-JsCaptcha.zip
    Last edited by AbRaMcPIMP; 10-19-2009 at 12:41 AM.

  2. #2

    Anyone?

  3. #3

    When I try to download the script, the link is broken (goes to a different website). I would really like to see this in action.
    "Computer games don't affect kids; I mean if Pac-Man affected us as kids, we'd all be running around in darkened rooms, munching magic pills and listening to repetitive electronic music." - Kristian Wilson, Nintendo, Inc, 1989
    TheUnlimitedHost | The Testing Site | Southern Utah Web Hosting and Design

  4. #4

    Sorry about that. The link has been updated.

  5. #5

    Has anyone ever tried it?

  6. #6

    I guess it's fine. But the images should not be labelled: Image_a.png, more something like: dfkjdsf834.png.
    Jeremy | jfein.net

  7. #7

    Javascript cannot be secure.
    It may be possible to make it difficult to determine what is going on, but once that is determined (by reading the script), a bot can easily be programmed to do the same thing and get around the system.

    Additionally you can just turn Javascript off to avoid this-- a javascript-based option to require PHP is not secure, because that can be overridden by faking the Javascript.
    Daniel - Freelance Web Design | <?php?> | <html> | español | Deutsch | italiano | português | català | un peu de français | some knowledge of several other languages: I can sometimes help translate here on DD | Linguistics Forum

  8. #8

    Quote Originally Posted by djr33:
        Javascript cannot be secure.
        It may be possible to make it difficult to determine what is going on, but once that is determined (by reading the script), a bot can easily be programmed to do the same thing and get around the system.

        Additionally you can just turn Javascript off to avoid this-- a javascript-based option to require PHP is not secure, because that can be overridden by faking the Javascript.

    Thank you for commenting. To the above:
    I knew that before creating the script; that's why I built a security system inside the script. I think you haven't read the documentation yet? If you haven't, please read it ASAP.
    I also strongly suggest performing the included security test. There's also more security built in that I don't mention in the documentation, but that I tested with bots I wrote myself (both PHP and JS).

    Any more questions, just let me know.

  9. #9

    It certainly looks like you have attempted to cover all possible hacks, but there is still the issue that javascript can be faked-- whatever security you use in the JS can simply be replaced by whatever the user wants to use and then submit that, as you would, to the server. If you have anything in place to stop this, then it is already using PHP (or another serverside option), so it really defeats the point of the JS. The JS of course can provide a nice interactive interface on top of the php, but that's about it then.
    Regardless, the way the images are chosen is the weakest part-- the filenames, whether random or obvious can simply be stored by a bot (with a bit of user investigation/programming) and the form can be bypassed.

    You've got a lot covered and this would stop most users, but I am not convinced it is entirely secure or that a bot can't be written-- bots aren't random aimless things that wander the web in search of forms to submit, but instead specifically programmed applications designed by humans to bypass security measures like this. Even server side captchas can be defeated like this.

    Though I haven't tested this yet, I am fairly confident that I could write a PHP script that would bypass your script, regardless of how you set it up-- here's a summary:
    1. Grab the contents of your page remotely into a variable in the php.
    2. Parse that string to find where the images are included.
    3. For each image load it into the GD library and compare it to known results (this would simply take some time to store manually, but wouldn't be that much extra work), or perhaps just use md5_file().
    4. Based on the matches of that, just submit the code via post, and that's all.

    For this reason, a system with a single generated image of multiple characters is significantly more secure.

  10. #10

    To djr33,

    First of all, I would like to thank you for your feedback and comments. I really appreciate that.
    Now to the main discussion. I don't know if I said it already, but I spent about 70% of the creation time on security alone!
    So I know how secure this is against bots and other security-related issues. I know it's not 100% secure, but neither are other scripts or apps. Nothing can claim full security, but they can get very close to it. The security topic in this is very deep, so I suggest you take a deeper look at the internal security by checking out the file OSWC-JsCaptcha_Tools.js.

    As for your concern about whether a PHP/server-side bot can be written against it: of course it can, but it can't do anything to this script (except for a JS bot, which I already have covered). The PHP code/bot that you suggested would fail completely against this script.
    It's a bit difficult to explain, but I'll try:

    "The form inside the JS Captcha submits to a PHP-based captcha that has nothing to do with the current JS Captcha (the current page). The form submits to that PHP captcha in case JS is disabled. So upon form submission, your PHP bot would simply go to another captcha page that has nothing to do with the current captcha."

    So I'm certain your suggested PHP code/bot would fail against this script. I made this script to prevent most automated bots/hacks.
    I certainly hope that the community can accept this script for wide implementation, as I think it's very easy and "secure enough" to implement in your forms.

    As for the other commenter who mentioned the image names: you can use whatever image name you like, from simple "Image-A.jpg" to cryptic/weird names like "23087657dfkjdsf834-A.jpg". But I preferred the simpler name, so I included it as the default.

    I hope you found this informative.
