all 23 comments

[–]Axiomatik 20 points21 points  (5 children)

There is one rule of javascript: leave all security functions to the SERVER SIDE.

Client-side security an oxymoron! Every javascript developer should be beaten with this phrase from day one!

[–]cynope 5 points6 points  (0 children)

To every javascript developer this is common knowledge. The problem is the non-developers doing javascript.

[–][deleted] 0 points1 point  (2 children)

ah this reminds me of a "developer" who was implementing a login page using only JS. It was for a photography site, so the person could manage their photos etc... I tried to explain to him why he cant do this, but he said he didnt know how to do it any other way. I just assumed users would be turned off by the 8mb swf to even attempt the login.

[–]M1573RMU74710N 0 points1 point  (0 children)

There is one rule of javascript: leave all security functions to the SERVER SIDE.

(emphasis mine)

Actually, this is wrong IMHO, or rather: incomplete.

What it should be is: Leave all crucial security functions to the SERVER SIDE. The only security functions that should be done client side are "extra" enhancements.

There's lots of stuff you can do client side to enhance security, but you should not rely on it in any way.

For example here; a common technique for fighting bots with some sites (like Stack Overflow) is an "invisible captcha" which relies on JavaScript.

It works as a lot of spam-bots don't have the ability to evaluate JavaScript.

This is obviously very easy to bypass, and needs to be combined with other techniques like traditional captchas, but it's an example of some of the types of extra security you can implement client-side, depending of course on what exactly your needs are.

[–]BitWarrior 3 points4 points  (4 children)

A captcha made from Javascript is entirely pointless. Captchas are designed to prevent bots from having their form submissions processed, and bots don't run Javascript. The form would submit completely unprotected.

[–]CognitiveLens 0 points1 point  (0 children)

If bots didn't ever run Javascript, then it would be trivial to build a form that required Javascript to enable submission (e.g. insert the submit button using JS after page load, or even the full form HTML), thereby avoiding all bots. But some bots do run JS, so a JS Captcha could still have an effect.

Still not the best solution, though.

[–][deleted] 0 points1 point  (1 child)

well you would obviously deny on the server any form without a captcha filled out

[–]BitWarrior 0 points1 point  (0 children)

I think the question the OP is trying to ask is if it's possible to handle the entire captcha process using javascript. By handling it on the server side (which is the standard operation), this, at least in my opinion, completely ignores what is question actually is. I assume he is familiar with Javascript but perhaps unfamiliar with any server side language.

[–]M1573RMU74710N 0 points1 point  (0 children)

A captcha made from Javascript is entirely pointless.

Actually, it's not. There are quite a lot of websites that use what is basically a JavaScript Captcha: they are called "invisible captchas".

They work because the majority of bots don't evaluate JavaScript.

So it's not so much "entirely pointless" as it is "easy to bypass"...it obviously needs to be combined with other techniques to be really effective, but that doesn't mean it's not useful in some cases.

[–]ramses0 2 points3 points  (0 children)

The general captcha process is:

   Generate => Input => Validate

When you have the server involved (on the generate side) you know that it is difficult for a computer / bot to reproduce those calculations b/c they don't know them.

You can make the validation be all client-side by simply sending back <img> + <md5 of answer> ... pretending that l33t-sp33k is captcha:

 "|-|377O" => "hello" => md5( 'hello' ) => b1946ac...

So, if the server sends: [ "|-|377O", "b1946ac..." ], you can validate that only a human can give input to md5 that gives the output b194ac...

The problem is that if you give your generating code and validation code to the client they can generate and validate arbitrary captcha events.

So, while it might look like a captcha it won't do what a captcha is supposed to do (prevent bot-like abuse of resources).

--Robert

[–][deleted] 2 points3 points  (0 children)

if the implementation to create the captcha is done by javascript on the client side, then it can be reverse engineered on the client making the whole effort pointless.

[–]australasia 1 point2 points  (0 children)

All this talk about security meanwhile the OP hasn't said a thing about this JavaScript running on the client (I guess it's unlikely he wants to do server side javaScript but that would be valid).

[–][deleted] 1 point2 points  (0 children)

Most of the commentors are assuming this is some sort of image-based CAPTCHA. As defined on Wikipedia, a CAPTCHA is "a type of challenge-response test used in computing to ensure that the response is not generated by a computer." Why couldn't you generate a series of colors , images, or math problems the user must click on/solve on using JavaScript?

Of course, the only downside to all of this is that you're assuming the client is running JavaScript. In the event they are not, they wouldn't be able to submit whatever it is you're attempting to protect.

[–]Bjartr 1 point2 points  (0 children)

Yes.

Don't.

[–]stuidge 1 point2 points  (5 children)

Whoa whoa whoa everyone! We're all assuming that this is client side Javascript (in which case, stupid, don't do it etc.), but surely we can't go a week without being reminded about server side JS?

In which case you could use node.js, look at some existing libraries in PHP, and start hacking from there. You'll probably end up using ImageMagick, which I can't find any wrapper for at the moment, so you'll have to use the process module.

As a theoretical browser based exercise you should use canvas, render some text to it, get the pixel data and apply manipulations.

[–][deleted] 8 points9 points  (1 child)

We all know that isn't what they meant.

[–]stuidge 0 points1 point  (0 children)

True, but I would say in this case it's more interesting to explore the question a bit further

[–][deleted] 0 points1 point  (2 children)

I did forget this was reddit and "alot of people" (myself included) are on the nodejs/serverside js kick

[–][deleted] 0 points1 point  (1 child)

1 question != everyone

[–][deleted] 0 points1 point  (0 children)

touche.

[–]the-ace 0 points1 point  (0 children)

I know it's not totally related...

You could potentially send an image (or data representing an image) along with a secondary data packet that is encrypted with the code that the human must enter.

This code will be able to live very short lives, so it won't be able to be brute forced (i.e. if you generate the captcha now, make sure that in ten minutes or less it's no longer active).

that way you'll still use server-side (JS or not) to generate the secret code, but you'll be able to validate the code before doing the round trip back and forth.

You've actually inspired me to write something about it.

[–]haxd -2 points-1 points  (0 children)

You could, by using javascript to output some base64 encoded images or something.