Bots can get around this captcha system #9
Shouldn't the answer be kept only on the server, with only a captcha identifier sent to the client?
Yep. Check out line 43, which adds the captcha answer to the session. This is pushing it as a cookie, NOT storing it on the server. The express session module gives the client all the information, and a client can simply parse the returned cookie for the answer. Instead of a captcha identifier, which would require storing captchas and would allow a malicious user to simply request logins without answering and fill up your server's memory, I would suggest hashing the answer with a hidden salt and pushing that to the session.
In any case, since this is all in the browser, couldn't anyone just edit the script to store the answer somewhere before it is hashed? I think it is possible with userscripts.
Oh, nvm, I didn't know there was canvas in node.
Please sort it out yourself, I do not have enough English to explain.
I realized what was happening. You use session storage in cookies. See the documentation of the Express session middleware.
Using the `secret` parameter is what produces that string at the end in my picture. It only prevents cookie tampering; it does not obfuscate or encrypt the cookie data itself. I am using your configuration sample code in the image I provided. I am not sure what you mean by "You use session storage in cookies." Does express allow sessions to be stored and manipulated by `req.session` without cookies?
http://expressjs-book.com/forums/topic/express-js-sessions-a-detailed-tutorial/
I would change your example code or at least make note of those modules. I say this because your module is one of the first results when looking for a node based captcha, but your example code does not provide captcha-like security. Many people won't realize this. |
Indeed, my example is incorrect; I copied the initialization code without looking. I need to fix it.
It can be done with a session in cookies. I need to use signed cookies and hash the CAPTCHA. Sorry for the very superficial consideration (very busy). I will add this feature.
Code updated, security problems fixed.
The captcha answer is sent via cookie. What is the point of having a visual verification if the answer is in plain text? You should hash the answer so bots can't simply parse it and send it back without ever looking at the captcha. Also, in your demo use case you don't check for null == null, which would allow a bot to send a forged login query.