复选框验证码 [英] Checkbox Captcha
问题描述
我开始了我的第一个创业。我不能忍受试图在注册网站时阅读captchas,不想让我的用户。我寻找替代品,我发现复选框captcha 。如何做到这一点,使用JavaScript加载一个复选框,并用与通常用于注册表单相同的代码验证它。
谢谢。 p>
我看了从你发布的文章链接的例子。乍一看,这似乎很容易被绕过。
复选框captcha的工作原理是垃圾邮件机器人不解析或使用嵌入在网页中的JavaScript代码。因为这样,他们不会在它正在搜索的表单中找到captcha checkbox元素,因此不会为表单发送复选框的post值,而在服务器端,如果复选框值
- 机器人可以轻松地训练检测您的网页上的此javascript,
- 即使您输出的复选框必须使用随机名称和值,仍然可以检测到
名称总是相同的(
gasp_checkbox ) 这3个问题的结果意味着这比图像验证码或其他方法更容易打破。所有的机器人在他们提交您的表单时,必须添加: gasp_checkbox = on 到他们的HTTP请求。
也就是说,如果你在自己的网站上为自己实现这一点,任何机器人都不可能超过它,因为它的使用不广泛。
通过执行以下操作使其更安全:
- 为服务器端的复选框生成唯一的名称/值对,
- 将脚本放在您的表单之外,最好放在脚本生成的外部JavaScript文件中。
- 验证
如果你这样做,我认为你可以有一个有效的复选框验证码。如果有人在您的网站上抓住了它,即使有上述保护措施,它可能仍然是微不足道的,但它可能需要一段时间,并且在大多数时候仍然有效。
I'm initiating my first start-up. I can't stand attempting to read captchas when signing up for websites, don't want my users to. I looked for alternatives, and I found the checkbox captcha. How is this done, using JavaScript to load a checkbox, and validate it with the same code as would normally be used to make a sign up form?
Thanks.
I looked at the example linked from the article you posted. At first glance, it seems like this can be easily bypassed.
The checkbox captcha works on the basis that spam-bots don't parse or use JavaScript code embedded in webpages. Because of this, they will not find the captcha checkbox element within the form it is searching, and therefore will not send a post value for the checkbox along with the form, and on the server side, you would reject the form if the checkbox value wasn't sent.
The problem with this is:
- The checkbox name is always the same (
gasp_checkbox) - A bot could easily be "trained" to detect this javascript on your page and act accordingly
- Even if you output a random name and value that must be used for the checkbox, it could still be detected
The outcome of those 3 problems means that this is much easier to break than image captchas or other methods. All a bot has to do when they submit your form is add: gasp_checkbox=on to their HTTP request.
That said, if you implement this for yourself on your own site, it is unlikely that any bots will able to get past it because its use is not widespread.
You could make it more secure by doing the following:
- Generate unique name/value pairs for the checkbox on the server side, and output those values in obfuscated javascript to the client
- Serve the script away from your form, preferably in an external javascript file that is generated by a script.
- Verify that the values sent for the checkbox match a pair that was previously generated, and not used before.
If you do those things, I think you could have an effective checkbox captcha. If someone does catch on to it on your site, it may still be trivial to defeat, even with the above safeguards in place, but it may take a while, and still be effective for you most of the time.
这篇关于复选框验证码的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
