Wedge
Public area => The Pub => Off-topic => Topic started by: live627 on April 19th, 2012, 06:41 AM
-
http://www.myjqueryplugins.com/QapTcha
This is a very interesting take on user validation. It is a jQuery plugin that generates a random string and puts it into a hidden input. The widget looks and behaves much like the iPod control to unlock it right after you turn it on. Once you slide it to the right, it "unlocks" the form for submission. Once that happens, a session variable is injected and the input element is emptied.
There is one fundamental flaw with it, though: if JavaScript is disabled, you're out of luck. They even admit it! However, they also note that the server-side validation will then fail, unconditionally.
However half-assed this implementation is, it seems like a nice idea.
-
You're actually relying totally on the bot not spotting this particular CAPTCHA, because it is exceptionally easy to beat programmatically.
See, more fundamentally flawed than the requirement of JS on the client is the way it's implemented. The server portion generates a session value (which it's expecting to find later), and a hidden input is dropped into the page with that in it, and a randomised value to it.
When you drag the thing across, the input is left as it is - but the value is removed. The author is either reasonably clued up, or very lucky at this point, because spam bot behaviour in that case is to smush through forms with values for each field item and see what happens. So, relying on that field being empty is a smart move (and indirectly something Wedge already does, not that you'd know it without looking, heheh)
Consequently you'll have a big-ass input in the code:
<input name="FE4MfmzcGpGngehKeNC9TBqSHgNxrnzb" type="hidden" value="ku@3Msb">
Glancing back over the implementation notes, this is actually intentional behaviour, so the author is smart enough to know that bots just often hamfistedly fill in everything. But it's possible to detect use of this in a single line of code, and not a lot more effort to exclude it going forwards.
Maybe I'm being a bit harsh but I'm thinking: 9 out of 10 for imagination, 4 out of 10 for implementation.
-
Do bots have JavaScript enabled?
-
Does it matter? The input etc is pushed from PHP, meaning that the information including the key is available without JS.
All the JS is doing is essentially saying 'if the user moves this box to here, *empty out this input*'. There is nothing more that it is doing.
-
Basically a bot could even implement its own pseudocode to emulate whatever the JS does.
Too bad eh :)
This should be moved to a private place as it mentions Wedge specific security.
-
it mentions Wedge specific security
What the...? It does?
::edit: It does. My bad..
-
Basically a bot could even implement its own pseudocode to emulate whatever the JS does.
Of course it could. Ultimately the state of play is that whatever request is sent back to the server can be fraudulently made, and it wouldn't be impossible at all for a bot to realise what's going on here.
This should be moved to a private place as it mentions Wedge specific security.
It does, yes, but it's not as if it's a measure that I'm overly bothered with hiding. A certain pragmatism in me says that the bad guys will go looking for it anyway, and there's no point in hiding this knowledge from white hats when the black hats will find it anyway.
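The mechanism described in the second post (session value used as the hidden input's name, random initial value, JS blanks the field on a successful slide, server expects the field present and empty) and the bypass the later replies describe (a bot emulating what the JS does), as an added Python model. This is not the plugin's code, not Wedge's code, and not anything from the original posts: the server check is written as "field present and empty" purely as the thread describes it, the key is assumed to be 32 alphanumeric characters to match the input quoted above, and the form, filler text and function names are constructed for illustration.

```python
import re
import secrets
import string
from html.parser import HTMLParser

# Constructed sample form, built around the hidden input quoted in the thread.
SAMPLE_FORM = """<form method="post" action="/post">
<input name="subject" type="text">
<textarea name="body"></textarea>
<input name="FE4MfmzcGpGngehKeNC9TBqSHgNxrnzb" type="hidden" value="ku@3Msb">
<input name="email" type="text">
</form>"""

ALNUM = string.ascii_letters + string.digits
# Assumption: the key is 32 alphanumeric characters, the length of the name quoted above.
KEY_RE = re.compile(r"^[A-Za-z0-9]{32}$")


def issue_challenge():
    """Server side as the thread describes it: a session value that doubles as
    the hidden input's name, plus a random throwaway initial value."""
    key = "".join(secrets.choice(ALNUM) for _ in range(32))
    value = "".join(secrets.choice(ALNUM + "@") for _ in range(7))
    return key, value


def render_form(key, value):
    """Emit a form of the same shape as SAMPLE_FORM around a fresh challenge."""
    return (SAMPLE_FORM
            .replace("FE4MfmzcGpGngehKeNC9TBqSHgNxrnzb", key)
            .replace("ku@3Msb", value))


def server_accepts(session_key, posted):
    """The check described in the thread: the field named by the session value
    must be posted and must be empty (the JS clears it on a successful slide).
    A missing field, or one still carrying a value, means nobody slid the widget."""
    return posted.get(session_key) == ""


class FormFields(HTMLParser):
    """Collect every named field the way a form-filling bot would."""

    def __init__(self):
        super().__init__()
        self.fields = {}  # name -> (type, default value)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("input", "textarea") and a.get("name"):
            self.fields[a["name"]] = (a.get("type") or "text", a.get("value") or "")


def parse_fields(html):
    parser = FormFields()
    parser.feed(html)
    return parser.fields


def naive_bot(html, filler="BUY NOW http://example.invalid"):
    """Typical spam-bot behaviour from the thread: submit every field, keeping
    hidden defaults as-is and stuffing text into everything else."""
    posted = {}
    for name, (ftype, default) in parse_fields(html).items():
        posted[name] = default if ftype == "hidden" else filler
    return posted


def find_qaptcha_field(fields):
    """The 'single line' detection: a hidden input whose name is a 32-char key."""
    return next((n for n, (t, _) in fields.items()
                 if t == "hidden" and KEY_RE.match(n)), None)


def aware_bot(html, filler="BUY NOW http://example.invalid"):
    """The same bot, but it emulates what the JS does on slide: blank that field."""
    posted = naive_bot(html, filler)
    key = find_qaptcha_field(parse_fields(html))
    if key is not None:
        posted[key] = ""
    return posted


def demo():
    """Run one fresh challenge through both bots and a bot that skips the field."""
    key, value = issue_challenge()
    html = render_form(key, value)
    return {
        "naive": server_accepts(key, naive_bot(html)),
        "aware": server_accepts(key, aware_bot(html)),
        "absent": server_accepts(key, {"subject": "x"}),
    }


if __name__ == "__main__":
    print(demo())
```

The naive bot fails because it keeps the hidden default, which is exactly the behaviour the second post credits the author with anticipating; the aware bot passes with nothing more than a regex on the field name and one assignment, which is the point the later replies make about the whole check being reproducible without running any JavaScript.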
-
It does, yes, but it's not as if it's a measure that I'm overly bothered with hiding. A certain pragmatism in me says that the bad guys will go looking for it anyway, and there's no point in hiding this knowledge from white hats when the black hats will find it anyway.
Someone (might have been Bruce Schneier) said (and I'm paraphrasing) "if you aren't prepared to have your security tested in public, you've not got any security at all" - if you publish your entire security mechanism and it stays secure, it's secure...
-
Well, this is the thing, it's security by obscurity, and a measure I'm prepared to accept because it isn't a measure that is secure all on its own - but as a facet of a more complex system.
-
I understand (really, I do). The point I was/am trying to make is, don't be afraid to discuss a small part of your security, even in detail. :)
-
Oh, I'm not afraid. I just don't want there to be any illusions about whether this is a 'security' measure or not, you know?
It is a form of anti-bot measure.