Bots can get around this captcha system #9

Closed
emgram769 opened this issue Jan 26, 2014 · 13 comments
@emgram769

The captcha answer is sent via cookie. What is the point of having a visual verification if the answer is in plain text? You should hash the answer so bots can't simply parse it and send it back without ever looking at the captcha. Also, in your demo use case you don't check for null==null, which would allow a bot to send a forged login query.

@Capaverde

Shouldn't the answer be kept only on the server and only a captcha identifier be sent?

@emgram769
Author

Yep. Check out line 43, which adds the captcha answer to the session. This is pushing it as a cookie, NOT storing it on the server. The express session module gives the client all the information, and a client can simply parse the returned cookie for the answer.

Instead of a captcha identifier, which would require storing captchas, allowing a malicious user to simply request logins without answering and fill up your server's memory, I would suggest hashing the answer with a hidden salt and pushing that to the session.

@Capaverde

In any case, since this is all in the browser, couldn't anyone just edit the script to store the answer somewhere before it is hashed? I think it is possible with userscripts.

@Capaverde

Oh, never mind, I didn't know there was canvas in node.

@napa3um
Owner

napa3um commented Jan 27, 2014

Please work it out yourself; I do not have enough English to explain.

  1. server -> picture -> client
  2. client -> plain text -> server
  3. server -> plain text from client == text used for rendering the picture? -> client

@emgram769
Author

This is what is actually happening:

  1. server -> picture + text used for rendering the picture -> client
  2. client -> plain text -> server
  3. server -> plain text from client == text used for rendering the picture? -> client

[screenshot: screen shot 2014-01-27 at 10 48 06 am]
As you can see, I didn't type anything in; the server sent me the picture AND the text used for rendering the picture.

@napa3um
Owner

napa3um commented Jan 27, 2014

I realized what was happening. You are storing sessions in cookies. See the documentation of the Express session middleware.
Use the parameter "secret" when calling "cookieSession" if you want to hide sensitive data in the session. However, it does not protect the data from substitution. I.e., CAPTCHA is inapplicable if the session is stored in cookies.

@ghost ghost assigned napa3um Jan 27, 2014
@napa3um napa3um closed this as completed Jan 27, 2014
@emgram769
Author

Using the parameter secret is what produces that string at the end in my picture. It only prevents cookie tampering. It does not obfuscate nor encrypt the cookie data itself.

I am using your configuration sample code in the image I provided. I am not sure what you mean by "You are storing sessions in cookies." Does express allow sessions to be stored and manipulated by req.session without cookies?

@napa3um
Owner

napa3um commented Jan 27, 2014

http://expressjs-book.com/forums/topic/express-js-sessions-a-detailed-tutorial/
Don't use express.cookieSession(). Use express.session() with memoryStore, redisStore or mongoStore.

@emgram769
Author

I would change your example code or at least make note of those modules. I say this because your module is one of the first results when looking for a node-based captcha, but your example code does not provide captcha-like security. Many people won't realize this.

@napa3um
Owner

napa3um commented Jan 27, 2014

Indeed, my example is incorrect; I copied the initialization code without looking. I need to fix it.

@napa3um napa3um reopened this Jan 27, 2014
@napa3um
Owner

napa3um commented Jan 28, 2014

It can be done with a session in cookies. Signed cookies and hashing of the CAPTCHA are needed. Sorry for the very superficial consideration (very busy). I will add this feature.

@napa3um
Owner

napa3um commented Apr 19, 2017

Code updated, security problems fixed.

@napa3um napa3um closed this as completed Apr 19, 2017