
According to this question, and the first answer to How to simulate a click with JavaScript?, it is possible to simulate a click/focus on a form field on the client side.

I am wondering if there is a way to block the ability of a client-side simulated field focus/click, while still allowing a 'human-click/focus'. The technique should be able to block a form field click/focus, and/or a submit button click. The technique should be 'general-purpose', effective in blocking any client-side automated focus/click other than by an actual human.

The purpose is to block a client-side attack on a form on a site. I don't want to implement an "I'm not a robot" type reCaptcha.

Any ideas?

Rick Hellewell

1 Answer


You cannot prevent that.

Someone who wants to automate this can simply run Selenium WebDriver, an automation tool that lets them simulate a real user. It does not run JavaScript APIs but uses special browser APIs to do things that even normal JS cannot do, like finding a file in the user's filesystem and using it for a file upload, something plain JavaScript cannot do for security reasons.

If all you want is to ensure no script has been injected in the page from other domains, you can use CORS and CSRF. Check this Mozilla guide on that: https://developer.mozilla.org/en/docs/Web/Security/Same-origin_policy

Meligy
  • Assume that a form had a randomly-named hidden field (each page load gives that field a different name), and that the response page checked for that random-named field, and disallowed form processing if that check returns false. The 'WebDriver' wouldn't be able to 'process' that form. (Of course, now that I think further, how would you tell the processing page about the randomly-named field....) – Rick Hellewell Sep 01 '17 at 19:45