
Alternative to CAPTCHA - Protect Web Forms from Spam with Javascript

What’s the ideal check to protect your web forms from spambots? No one really likes having to copy squiggly letters from a CAPTCHA image, but is there a better alternative? The ideal check would be one that most people don’t ever notice, but which effectively keeps out all spambots. In this tutorial, I describe a technique that uses Javascript to recognise human activity based on screen events, which works very well for us. In a discussion on Scratch Forums on the merits of CAPTCHA, one of our members suggested a possible alternative that detected JavaScript events (mouse events, keystrokes) to show that it’s a human completing the form. I took on the challenge of creating a simple JS-based alternative to CAPTCHA, which I’ll explain below. High-level Requirements Am I Human? First of all, our form will need some way of sending the answer to “am I human” through to the back-end script. For this, I’ll just use a hidden field. Switch it For Humans Testing Results with Script Here’s what I do:

AIPA - Provisional Rules on the Security of the Internet Sites of Central Administrations and Public Bodies. Autorità per l'informatica nella pubblica amministrazione - Recommendation No. 1/2000. Provisional Rules on the Security of the Internet Sites of Central Administrations and Public Bodies. Chapter I, Article 1. 1. The sites of Central Administrations and Public Bodies with a TCP/IP (Internet) telematic connection, allowing for their natural evolution towards ever greater levels of interactivity, are functionally classified into two types: a) information sites not connected to the information systems of Central Administrations and Public Bodies: I) intended for dialogue with citizens by means of data, news and information whose knowledge may be of interest or use to those who access them; II) characterised by a one-way flow of information from the administration to the user; b) service sites connected to the information systems of Central Administrations and Public Bodies, which allow citizens to: 2. Article 2 1. 3. Article 3 1. Article 4 1. Chapter II 1.

Common Security Mistakes in Web Applications - Smashing Magazine. Web application developers today need to be skilled in a multitude of disciplines. It’s necessary to build an application that is user friendly, highly performant, accessible and secure, all while executing partially in an untrusted environment that you, the developer, have no control over. There are many things to worry about when it comes to security on the Web. We’ll skip over denial of service attacks in this article, but take a close look at the other issues. 1. Cross-site scripting is an attack in which a user is tricked into executing code from an attacker’s site (say evil.com) in the context of our website (let’s call it www.mybiz.com). Let’s say that our site allows the user to post cute little messages for the world (or maybe only their friends) to see. To read the message in from the user, we’d have code like this: This works only as long as the user sticks to messages in plain text, or perhaps a few safe HTML tags like <strong> or <em>.

[The Unexpected SQL Injection] Web Security Articles - Web Application Security Consortium. The Web Application Security Consortium (WASC) is a 501(c)(3) non-profit made up of an international group of experts, industry practitioners, and organizational representatives who produce open source and widely agreed upon best-practice security standards for the World Wide Web. As an active community, WASC facilitates the exchange of ideas and organizes several industry projects. WASC consistently releases technical information, contributed articles, security guidelines, and other useful documentation. Businesses, educational institutions, governments, application developers, security professionals, and software vendors all over the world utilize our materials to assist with the challenges presented by web application security. Volunteering to participate in WASC related activities is free and open to all.

PHP Security Consortium: PHP Security Guide: Form Processing. Spoofed Form Submissions. In order to appreciate the necessity of data filtering, consider the following form located (hypothetically speaking) at <form action="/process.php" method="POST"><select name="color"><option value="red">red</option><option value="green">green</option><option value="blue">blue</option></select><input type="submit" /></form> Imagine a potential attacker who saves this HTML and modifies it as follows: This new form can now be located anywhere (a web server is not even necessary, since it only needs to be readable by a web browser), and the form can be manipulated as desired. This makes it very easy to eliminate any client-side restrictions, whether HTML form restrictions or client-side scripts intended to perform some rudimentary data filtering. Spoofed HTTP Requests. A more powerful, although less convenient, approach is to spoof an HTTP request. The telnet utility can be used to perform some ad hoc testing. Cross-Site Scripting

Security and websites: code injection. After discussing web security in general, and having seen the enormous complexity behind simply browsing a website, you will have realised that guaranteeing total security is impossible. But as website builders we can do a lot, starting by making our HTML more robust, without forgetting JavaScript, PHP and all the other languages we have to manage in a site. Securing our own code is the first step, and the one over which we, as website builders, have the most control (and responsibility). How? The first thing to avoid is thinking exclusively in terms of HTML: HTML/HTTP, JavaScript, CSS, PHP, SQL, the command shell and file-system navigation, and regular expressions all come into play. It is in this intersecting and overlapping that the power of web languages lies, above all because we can decide what to combine, and how, based on the requests of users, who can interact through forms, URLs or the database. Code Injection

User Registration and Management As noted in the "Software Structure" chapter, the more identified, authenticated, and accountable people are, the better the opportunity for building a community out of an aggregate. Thus the user database should record as much information as possible that might help Person A assess Person B's credibility. As you will see in the chapter on scaling, it may become important to facilitate occasional face-to-face meetings among subgroups of users. Thus it will be helpful to record their country of residence and postal code (what Americans call "Zoning Improvement Plan code" or "ZIP code"). Fat versus Skinny: the Ideas Suppose that the system specifications start off with very simple requirements for the user database, one that can be handled by the following single table: Notice that the comment about password encryption is placed above, rather than below, the column name and that the primary key constraint is clearly visible to other programmers. After a few more months ... User Groups
