Can I read Captcha data from JavaScript in a secure way?

We use a Captcha control in a registration form for which we do full client-side validation of all fields in JavaScript (jQuery) besides the server validation.
I tried a lot of ways, but all of them write the Captcha value into the JavaScript, where it can be accessed by anyone :(
I am searching for any way that would allow me to validate the Captcha value on the client side using jQuery in a secure way, or can it not be done?

Amr Badawy asked Jun 06 '10 (633 votes)


2 Answers

It cannot be done.

JavaScript is client-side, as you know, and any client-side code has to be treated as potentially compromised, as you don't have control over it.

At best, you could resort to sending up a salted hash of the value along with the salt, but even that in itself could be used to test guessed values before actually submitting.

Everything else relies on calls to the server.


As per comment request, here's the general idea:

Firstly, on the server, calculate a random string to be used as the salt. This should be roughly unique for every request. The purpose of this string is to prevent rainbow table attacks.

Now, save this string separately, but also create another string that is the concatenation of the random string and the Captcha answer. Of this new combined string you generate a hash (for example, SHA-1).

using System.Web.Security;
...
// combined = the per-request random salt followed by the Captcha answer
string combined = salt + captchaAnswer;
string hashVal = FormsAuthentication.HashPasswordForStoringInConfigFile(combined, "SHA1");

Both the random string and the hash value need to be placed in the page for the JavaScript to be able to read them.

On the client side, when a user answers the Captcha, take the random string and concatenate it with the answer (getting the idea here?). Taking this string, you can use something like the SHA-1 jQuery plugin to hash it and compare it with the pre-computed hash you sent up.

// combinedString = salt + answer, concatenated in the same order as on the server
hashVal = $.sha1(combinedString)

If it matches, it is (almost) certainly the correct answer. If it doesn't, then it is 100% the wrong answer.

Dan McGrath answered Sep 24 '22 (60 votes)


You could use AJAX to post the current value to the server, which would respond true or false. That would keep you from doing a real post and also from giving away the captcha's value in the HTML.

nathan gonzalez answered Sep 20 '22 (42 votes)