The question is quite broad but I'll narrow it with my use case.

I don't use forms in my sites, just ajax calls to php services. Basically I use stylized spans with "click" events associated, which proceed to an ajax request posting everything to the server.

  • No <form> element,
  • No <input type="submit"> element.
  • If javascript is disabled, well... nothing works (whether or not it is a good thing is not the purpose of this post)

But I still want to be sure no smart$ss bot generates junk with my "forms".

So my question is: do I need a captcha or similar bot protection in this context?


Here is the solution I chose to implement, according to the given answer:

html:

<form id="honeypotform" action="http://whatever.com">
    <input type="text" id="formbody">
    <input type="submit" id="submitbtn" value="Submit">
</form>

css:

#honeypotform { display: none; }

The real submission link:

<span onclick="submitQuote();">Submit</span>

The link action:

function submitQuote() {
    // "do" is a reserved word in JavaScript, so the handler needs another name.
    var honeypot = document.getElementById("formbody");
    // A real user never sees the hidden field, so any value means a script filled it: abort.
    if (honeypot.value != "") return true;
    /* ... */
}

I'll follow up with this post to give feedback of my results after a few days.

What exactly bots do: they detect all the input elements inside your form and run a script that fills up the inputs with some valid text, thus filling up the database with false junk entries.

How to tackle this: it's pretty simple, and every form validation must follow this pattern. You can always place a hidden input field inside your form and assign it an empty value.

When you validate on the server side, just make sure you get this entry as empty. If it is EMPTY, proceed with your insert queries; otherwise consider it a BOT attack that's filling up junk entries.

Interesting read: When the bots attack!

It's not a bad idea to enclose your inputs in a form tag without using a submit button. (I recommend this)

Just in case you think about disabling javascript: your ajax would not work.

It is always a good idea to have server side validation as PLAN B for a paranoid developer. Quality Work!!!

An example: what you have given is still vulnerable.

<form>
    <input type="text" id="name" name="name">
    <input type="text" id="contact_no" name="contact_no">
    <input type="text" id="password" name="password">
    <!-- Honeypot: just seduce the BOT (assuming the bot reads the id or any other
         attribute to fill in values). Make sure on the server side that
         $("#email").val() is always empty, be it on client or server. -->
    <input type="hidden" id="email" name="email">
    <!-- Store this in the db after server side validation -->
    <input type="text" id="original_mle" name="original_mle">
</form>

@AndreasBjørn: yes, that's a loophole. I am afraid I would fail if there is a bot specifically designed for my form providing malicious data entries. CAPTCHA seems to be the only solution in this case.

  • When you say `hidden`, I understand that it has to be CSS hidden (according to the link you left in the comments). I'll definitely implement this idea. I wonder if I really HAVE to do it? Do the bots actually click on my javascript links? – Sebas Nov 28 '13 at 19:22
  • The good old way of image captcha, then there is a simple math operation... not foolproof though.. – HIRA THAKUR Nov 28 '13 at 19:23
  • I think it won't work since some bots fake only `POST` information based on a previously known submit. In some cases the bot doesn't even need to make the `GET`. – Vitor Canova Nov 28 '13 at 19:27
  • 1
    If a bot is designed specifically to abuse YOUR form, you can be damn sure none of that will work. Then a captcha-implementation or an even better strategy is necessary. But if you have not been 'targeted' by bots, then it serves little purpose to do more than use the methods @Onaseriousnote mentioned. – AndreasHassing Nov 28 '13 at 19:32
  • When you say plan B is server side validation, say my form is just a few fields which then generates a quote file on my server. What can I do beside checking the length and stuff like that? Things get pretty harsh when it is time to ensure *fonctional* validity of forms' inputs – Sebas Nov 28 '13 at 19:37
  • @Sebas you can validate the data parsed by the form, on the server, by checking the inputs, if they're the proper data type, that they don't have code injected into them and so on. The reason for this, is that it's easy to alter a form to send whatever you want, if you have cruel intentions. – AndreasHassing Nov 28 '13 at 19:49
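The comments above make the key point: a bot that replays a POST never runs the onclick handler, so the honeypot check and the "plan B" field validation both have to happen on the server. The following is an added example (not code from the question or the answer) of such a server-side check written as a plain function that can sit in front of any AJAX endpoint; the field names `formbody` (honeypot), `name` and `contact_no` are assumed.

```javascript
// Added example: server-side honeypot check plus functional validation.
// The honeypot field name and the stored field names are assumptions.
const HONEYPOT_FIELD = "formbody";

// Returns { ok: true, data } for a submission worth processing, or
// { ok: false, reason } when it should be dropped without touching the db.
function validateSubmission(payload) {
  // 1. Honeypot: a real user never sees the hidden field, so any value in it
  //    means a script filled every input it found. A missing field is fine,
  //    because a replayed POST may simply omit it.
  const trap = payload[HONEYPOT_FIELD];
  if (typeof trap === "string" && trap !== "") {
    return { ok: false, reason: "honeypot filled" };
  }

  // 2. Plan B: validate the fields that are actually stored, independently of
  //    anything the client did. This catches bots that skip the honeypot.
  const name = String(payload.name || "").trim();
  if (name.length === 0 || name.length > 100) {
    return { ok: false, reason: "bad name" };
  }
  // Normalise the phone number, then require only digits (optional leading +).
  const contact = String(payload.contact_no || "").replace(/[\s-]/g, "");
  if (!/^\+?\d{6,15}$/.test(contact)) {
    return { ok: false, reason: "bad contact_no" };
  }

  return { ok: true, data: { name: name, contact_no: contact } };
}

// Constructed sample submissions (not real traffic):
// a human, a bot that filled every field, and a replayed POST with junk.
const humanPost = { name: "Ada", contact_no: "+44 20 7946 0958", formbody: "" };
const botPost = { name: "Ada", contact_no: "12345678", formbody: "buy now" };
const replayPost = { name: "", contact_no: "abc" };
```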