I was wondering how to set up a system in which an authenticated user could send, with a simple graphical interaction (cliccking a button or so) a non-replayable request/message to the server from an application or a web page.
It's crytical there's must not be a way to set up an automated system that replaces user interaction automating the request as this would totally break up my entire project.
Moreover, as this action must be frequently repeated, it should not implement boring stuff like chaptas or so.
A pratical example: let's say the web page, shown after the login, displays a button that sends the server a request. How can I be sure the request was sent because the user actually clicked the button and it wasn't some sort of bot that forged the message?
Is that even possible to check? I'm sure it is and I'm quite sure there's must be some simple implementation I'm missing, and I'm sorry if this is a trivial question.
Also, if the solution is hiding ('cause I already searched a lot!) out there, please point me to it.
Thanks for your attention.
You could use a non-graphical captcha like a simple question.
Generate a simple addition of two random integers between 0 and 10.
Add a text field to ask for the result.
The result is very easy to find (for a human being), and very quick to type.
Example:
What is the result of 7+5? Write your result here: [_]
It should only block robots and very young or very stupid people.
Related
i have made a simple php contact form following this tutorial:
http://www.catswhocode.com/blog/how-to-create-a-built-in-contact-form-for-your-wordpress-theme
The big problem is that this form processing is not safe, I have heard people can use it to send spam and/or hack my server.
What are the basic steps needed to make this form more secure?
Ps: I don't want to use re-captcha if it can be avoided...
Edit: I need suggestions to what php functions are used to filter and secure that the form is submitted "the right way" and not altered and/or used to hack my site or send email to other people (using the site to send spam to other people). Do i just need to use strip_slashes? or is there a better way?
One way: If you're not a huge site, it's not likely anyone is going to figure this out/take the time to.
You could use some tricky JS to handle tokens on click. So your server issues token-id's to clickable/focus-able elements on the page during the backend render phase. Log these in a database or data file. Then, when users click around and submit, you can compare the id's sent via the onclick() function. You could also apply some heuristics to determine if the history of clicks is reasonably paced. Posts are too fast to be a human or not, that is, even if they scripted the hijacking of the token-ids and auto submitted, you could check that the time between click events appears automated. Signed up for a twitter account lately? They use passive human detection that while not 100% foolproof, it is slower and more difficult to break. Somebody would REALLY want to hack/spam your site.
Important Step 2: strip out/URLEncode strange characters if you think this will break your page. common ones that break things are " and ' and :
Another Way: http://areyouahuman.com/
As long as you are using encrypted methods verifying humanity without crappy CAPTCHA is possible.I mean, don't ignore your headers either. These are complimentary ways.
The key is to have enough complexity to make for an NP-Complete problem. http://en.wikipedia.org/wiki/NP-complete
When the day comes when AI can solve multiple complex Human problems on their own, we will have other things to worry about than request tampering.
http://louisville.academia.edu/RomanYampolskiy/Papers/1467394/AI-Complete_AI-Hard_or_AI-Easy_Classification_of_Problems_in_Artificial
Another company doing interesting research is http://www.vouchsafe.com/play-games they actually use games designed to trick the RTT into training the RTT how to be more solvable by only humans!
Here's a great article on NP-Hard problems. I can see a huge possibility here: http://www.i-programmer.info/news/112-theory/3896-classic-nintendo-games-are-np-hard.html
This is probably a very basic/introductory thing, but let me paint a scenario:
Let's say I'm using jQuery to do some sort of mini quiz game on my site. The user clicks the correct answer, and then a window pops up with a secret "winner's code" that they can redeem elsewhere.
How can I generate the winner's code so that it doesn't just appear in the HTML and in a way that users cannot reverse-engineer it (at least without considerable effort)?
I mean, if I just generated an encoded string containing their username and some sort of additional information only I know, that would work, right? Or MD5 hash or something, but how do I make it so the winner's code itself doesn't appear in the HTML, and only when the correct answer is chosen?
Thank you for any suggested reading/tutorials/assistance/advice you can offer.
If I understood you correctly, you just want the code to appear whenever the correct answer is chosen?
If so, just have a PHP page to which you send the answer the user chose in a GET/POST variable. Then, have that PHP page show the code only if the answer was correct. That way it won't be in the HTML if the answer is incorrect.
So for example, your PHP page would look like:
<?php
if ($_GET["answer"] == "correct_answer") {
echo "give the code here";
} else {
echo "sorry the answer was incorrect";
}
?>
Additionally, if you want the above to appear in a javascript popup or something, fetch it using Ajax.
There are a couple of questions there.
1) How to generate a secure code:
if you are implementing a 'winner code' you could use an hashed iv + secret + user information, or some signing mechanism. You could also implement a code expiry time on the server so that you could further raise the bar, if necessary.
2) Getting the code to the winning user:
If you don't want the code to appear in the html, then you want to use ajax to get it. Then inject the code into the DOM where you want to display it. Further, you should be using a secure SSL channel to do this so that you guard against sniffing. Even further, consider some kind of 'one-time' token so that a man-in-the-middle cannot repost your code request and receive the same win code.
Hope this gives you something to consider.
First of all, for the game to be secure at all, all evaluation of winning MUST be done on a server and all redeemable codes must be uniquely created on the server and sent to the client.
It simply cannot be done on the client in a secure fashion because ALL javascript code is available for inspection by anyone. There are means of obscuring javascript code to make it more of a pain for someone to reverse engineer, but that cannot stop a determined hacker - it can only slow them down or slightly deter them. The only place where your code/algorithms for evaluating the results of the game is safe and free from manipulation is on your server.
Even then, you probably need to do something to keep one user from getting a redeemable code and then sharing it with lots of other people or getting the right answer and then having someone else write a script that submits the right answer to your server to generate limitless codes.
Hopefully this is the right place for this question.
I have done a fair amount of research and yet to find anything that matches what I want. What I'm envisioning is the following. Let me know if any of you know of a program that will do what I want.
Also it must be web-based
anom user -> fills out form ->
email gets sent to admin saying xyz has filled out form abc with links to approve/disapprove request.
admin can also login and edit form and resent results to original submitter. Also once the admin approves/disapproves request the original submitter gets an approve/disapprove email.
and you can search by date submitted, specific project/form, status of request(submitted, approved, disapproved).
any ideas all on where I could find this? I started to look into drupal with workflows and actions but it just doesn't flow right for this
This sounds like you need to program the solution yourself, using something like PHP or ASP.NET (as you specified) as possible technologies, and a backend database like MySQL. If your process takes more than one sentence to describe, the exact system you want usually does not yet exist.
If you don't have the knowledge to code this, it sounds like you will need to hire someone who does. This isn't exactly a specific "how do I do this" programming question; this is a specification for an application, which a competent programmer should be able to turn into a working application for you.
Best of luck!
Currently I'm wondering if there is a way to post to a website using captcha for a human-check. The following question is asked, ofcourse this is done with random numbers:
Type this number in digits; 'twohundredandfive': [ input ]
The form is sent using AJAX. So when reloading the website the number to be typed changes.
A way to get pass this is reading and converting the number, then post some data, but at the second request the number already has been changed (which is good). But IS there a way to avoid this?
Don't think I'm using this for bad intensions, the described form is used in one of my applications. It is just a check to get sure bots can't get pass.
Thanks so far :-)
A CAPTCHA should test whether the entity solving it is human. To my eyes, the problem you are setting looks like it would be fairly trivial to solve algorithmically.
Given that a human can pass the test, then it's certainly possible to write an automated bot which will pass it too. As to whether there is a "back door" which allows access without solving the CAPTCHA, only you can decide that by analysing your source code.
I hate CAPTCHAs. More often than not, they are unreadable to humans as well :)
I heard one Microsoft researcher offer the following scheme: put 4 pictures up, 3 of little puppies, one with a kitten. Ask the user to click the kitten. With a large enough sample base, you can create a random picture/question any time the page refreshes. No one will bother developing an algorithm to analyze photos to that degree.
read this post for another interesting idea.
Converting strings to numbers has already been discussed in another question where many references to the google calculator were given, which does a great job in such conversions, so your approach is not suitable for testing whether your user is human.
As for an alternate solution, I can only link to another great answer.
I'm a Java developer and I have a question about automating a task I've been given.
I'm having to 3 times daily, login to this website we have at work, select a few form elements and then click on submit to get a report printed out.
I'm wondering how I can write some sort of script that will automate this task? Where should I start? What language should I do it in? I was thinking PHP might be able to do this or even a greasemonkey script possibly?
Thanks a lot.
Check out cURL in PHP. It allows you to do all the normal functions of a web browser with code (other than moving the mouse). And yes, you'll need to do screen scraping.
I think the potential sticking point that hasn't been touched on yet is your phrase "login to this website"... Depending on how you need to log in, you may need to go in through a back door to access the report.
I had problems with this kind of thing in the past when I had to download a report from a third party site. The issue was that I couldn't authenticate to access the report parameters because of the hard-coded and less-than-script-friendly way I was required to log in to the site. However, I presume that your site is internal to your organisation, so it may be possible to bypass/rework the security requirements in order to access the data. If this is the case, then you should be able to use one of the screen scraping methods outlined above.
If not, you may need to incorporate the actual login procedure into your script or application, download and capture any cookies that may be set and incorporate them into your data request.
I don't know what language your form is written in, but what you could do is:
rewrite the form to a script which generates the report when called
use a cron entry to schedule this task to be done daily and mail the output to you
A cron is basically a scheduled task on Unix systems. Windows-based servers can use the Task Scheduler to much the same end.
The above assumes that you have access to the script which generates the report at the moment and can modify it / copy it to a new file which will email the output to you. If not, then you may need to look into screen scraping. As you're a Java developer, you may find this list of Java screen scraping utilities handy to get you started.
It's called "web scraping" or "screen scraping", and there are a lot of libraries out there to do this. I couldn't speak to a Java-specific tool, though: I'm a .Net guy (the .Net way would be System.Net.WebClient or System.Net.HttpWebRequest/System.Net.HttpWebResponse). But I'm sure there's something.
In the meantime, the first step is go to the page where you input the form values and view the source of the page. Look for the specific <form> element you're filling out, and see where it posts to (it's action). Then, find any <input> <select>, <textarea> elements you use, including any hidden inputs for the form, and figure out what values you need to get. That will tell you how to build your request once you find a library that will let you send it.
If you need to login to the site first to get to the page, things can be more complicated. You may need to retrieve and parse a session value or be able to send certain cookies to the server.