
I want to know if it is possible to create a secure human detection mechanism (not using a captcha) for a form with just JavaScript to detect mouse movement, since neither jQuery nor operating system code can move the mouse (so I'm told).

Here is my plan:

  1. With jQuery I can detect if the mouse has moved, and then allow a form to submit if it has.
  2. I already have cross-site scripting enabled so no one can submit directly to the site outside of the webpage, and I'm requiring JavaScript to submit the form.
  3. The mouse movement will add a value to a mouse field in the form, and that value is what will determine on the server side that it was submitted by a human.
  4. The mouse field will use some form of algorithm that the mouse movement will seed, then decode it on the server side so a bot can just enter any value into the mouse field.

So I'm wondering if there are still holes in this approach or ways for a bot to still bypass it.

Jon
  • What if someone overloads the mousemove function? – Travis J Mar 15 '13 at 23:49
  • What if someone has a program that simulates a mouse, which moves the simulated mouse? – user829323 Mar 15 '13 at 23:49
  • What if a person uses only tabbing and entering to focus on each form part and then hits enter to submit? – npage Mar 15 '13 at 23:51
  • What if someone doesn't use a mouse? Screenreader apps for example. – aorcsik Mar 15 '13 at 23:51
  • why not have written instructions that a human can easily perform? For example, show a red, blue, and green dot and tell the user to click the red dot once and the blue dot twice – Jason Mar 16 '13 at 01:03
  • @Jason What about colourblind users? – tc. Mar 16 '13 at 02:31
  • @Jason the number of combinations is small and this is easily robot-parseable. Not talking about blind users ... – Eugene Mayevski 'Callback Mar 16 '13 at 07:36
  • Overloading jQuery's mousemove method is my biggest concern. I just abhor any visible captcha-like methods. So if this can stop 99% of indirect bot hacking, that's better than making a user be required to do anything other than fill in the form. THANKS ALL! – Jon Mar 18 '13 at 02:03
  • @EugeneMayevski'EldoSCorp I would love to have you write a bot that came to my site and had to figure out which dots to click that I randomly generate. Are you telling me that's easier than the "what's 2+4?" inputs that people put on the page? As for colorblind users, OK, put a number in the dots and say, "click dot 1 twice and dot 3 four times". – Jason Mar 18 '13 at 17:39
  • @Jason that's doable easily. Per-site, of course (i.e. universal robot won't deal with this "captcha" unless taught) but once it's taught, it will handle the task in a trivial way. There exists a number of anti-captcha *libraries* which you can study to see what and how they do. – Eugene Mayevski 'Callback Mar 18 '13 at 17:56
  • @EugeneMayevski'EldoSCorp yes, of course per-site. there's nothing preventing someone from doing effective per-site bots on any site. good enough OCR code could hack google's CAPTCHA, what's your point? – Jason Mar 18 '13 at 18:02
  • The point is simple - your comment does not make sense. It's not possible to write an instruction set for a human that the robot won't be able to handle. – Eugene Mayevski 'Callback Mar 18 '13 at 18:20

2 Answers


No, it is not possible to create a secure mechanism that detects a human by relying on mouse movements. Check out the java.awt.Robot class for just one example of how to hack it using software only. I used this class to write an Easter egg into a program that jacks with the mouse and makes it dance some crazy patterns. The users loved it ;-) You could also hack it with the USB Rubber Ducky.

Freedom_Ben
  • I wasn't aware of any operating system code that could move the mouse. That was really what I was trying to discover. Nonetheless, unless the site has a direct attack, most bots probably won't implement this style of hacking. And that's a whole lot better than a crappy captcha. – Jon Mar 18 '13 at 01:58

Your method relies on something that would be trivial for a bot to do, unless you use mouse movements in some way I've not thought of.

No matter what you are doing with the mouse, at the end of the day, all you are doing is making a value in a form.

I'm not 100% sure how you plan to implement this, but if you are just tracking the exact mouse location (which I'm not sure HTML will even let you do, but I could be wrong), a bot would be able to emulate that, either by setting the field to the location where you expect the mouse to be, or by moving a "virtual" mouse by adding the change in x and y to some value.

(This is all assuming that the bot would be able to understand your instructions of course. I'd assume that by writing, in plain text HTML, "Please enter the value '290' in the box below" most bots except one that was written especially for your site will be able to register...)

Ross Brunton
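The plan in the question and the point of this answer, as an added example that is not code from the question or either answer: a mousemove handler records positions into the hidden "mouse" field, and the server decodes the field and accepts it if the path looks like motion. The function names and the sample paths are hypothetical and constructed; the example shows that the server-side check cannot tell a recorded path from one a script computed, because both arrive as the same form value.

```javascript
// Added example, not code from the question or either answer. It models the
// plan in the question: a mousemove handler records positions, the hidden
// "mouse" field encodes the path, and the server decodes it and decides
// "human" if the path looks like motion. Function names are hypothetical.

// Client side. A mousemove handler only ever sees an event object, so
// whatever it records is equally available to a script that builds
// the same coordinates itself.
function recordPosition(positions, ev) {
  positions.push({ x: ev.clientX, y: ev.clientY });
  return positions;
}

// "Some form of algorithm that the mouse movement will seed": encode the
// path as a comma-separated list of successive x:y deltas.
function encodeMouseField(positions) {
  const deltas = [];
  for (let i = 1; i < positions.length; i++) {
    const dx = positions[i].x - positions[i - 1].x;
    const dy = positions[i].y - positions[i - 1].y;
    deltas.push(dx + ':' + dy);
  }
  return deltas.join(',');
}

// Server side: decode the field and check that it describes movement.
// Returns true when the field is well-formed, has at least five deltas,
// and the path has non-zero length. That is all the server can verify.
function serverAcceptsMouseField(field) {
  if (typeof field !== 'string' || field.length === 0) return false;
  const deltas = field.split(',').map(pair => pair.split(':').map(Number));
  if (deltas.length < 5) return false;
  if (deltas.some(d => d.length !== 2 || d.some(Number.isNaN))) return false;
  const travelled = deltas.reduce((sum, [dx, dy]) => sum + Math.hypot(dx, dy), 0);
  return travelled > 0;
}

// Constructed sample input: positions a real user might produce, and positions
// produced by a loop that never touched a mouse. Both pass the same check.
const humanPath = [
  { clientX: 100, clientY: 200 }, { clientX: 103, clientY: 198 }, { clientX: 107, clientY: 195 },
  { clientX: 112, clientY: 193 }, { clientX: 118, clientY: 192 }, { clientX: 125, clientY: 192 },
].reduce(recordPosition, []);
const scriptedPath = Array.from({ length: 8 }, (_, i) => ({ clientX: 10 + 3 * i, clientY: 20 + 2 * i }))
  .reduce(recordPosition, []);

function demo() {
  return {
    human: serverAcceptsMouseField(encodeMouseField(humanPath)),
    scripted: serverAcceptsMouseField(encodeMouseField(scriptedPath)),
    garbage: serverAcceptsMouseField('not a path'),
  };
}
```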