Just a feature idea: automatic captcha solving with javascript

Events happening in the community are now at Drupal community events on www.drupal.org.
soxofaan's picture
Posted by soxofaan on June 29, 2007 at 2:43pm

I was thinking about this idea to make captcha easier for normal (non spam) users.
What if the captcha module would also offer an option to to hide the captcha with client side javascript and solve the captcha with client side javascript? That way the captcha would be invisible (but still correctly solved on submission) for users with javascript enabled. It degrades gracefully for users without javascript enabled to the standard captcha. I guess it's possible to do it for the default math captcha. For the image based captcha's it is of course near impossible.

The basic premise to make this work is, of course, that spambots do not have a javascript interpreter. Otherwise it is just silly. I don't have an idea how advanced the spam bots are these days.

any thoughts on this?

Categories: , ,

Comments

Spam

Posted by robloach on June 29, 2007 at 3:54pm
robloach's picture

That's actually exactly what the spam bots do. Instead of using javascript, however, they'd just use simple HTTP and POST requests. With the Math Captcha, all they have to do is run an eval on the math to solve the problem, and that's why there are alternative solutions like the image and audio captchas. The even more elaborate reCAPTCHA solution uses an external web service to validate human interaction using both visual and audio methods.

That's actually exactly what

Posted by soxofaan on June 29, 2007 at 5:31pm
soxofaan's picture

That's actually exactly what the spam bots do. Instead of using javascript, however, they'd just use simple HTTP and POST requests.

I know. I made my own spambot to test the captcha module ;)

all they have to do is run an eval on the math to solve the problem

Well, I guess you can come up with captcha challenges that are solvable with Javascript but not with the eval you are talking about. E.g: what is the third letter of the second last word of "lorem ipsum dolor sit amet". Or which word does alphabetically not fit in the sequence "apple banana tree drupal"?
The point is to find something that is easy enough to solve in javascript but too hard or too resource consuming for spam bots to be worth it.

that's why there are alternative solutions like the image and audio captchas

Those are indeed interesting for the high profile case, but some people (like me) just run some low profile website and don't want to run such resource hungry captcha's.

I'd like to see a captcha

Posted by Dave Cohen on February 23, 2008 at 10:59pm
Dave Cohen's picture

I'd like to see a captcha test that uses javascript to monitor typing speed, mouse movement and focus changes on the form page. If by those measures the user appears "human", then the captcha test is passed.

To implement this, the javascript would probably have to use AJAX or AHAH to communicate with the server while the user is on the form page. If that communication is deemed authentic by the server, then the form would pass validation without any additional captcha values passed in.

As I type this comment, the Comment Preview updates automatically. If there were a captcha element to this form, it could be made to disappear once I've typed some text here.

JavaScript Disabled

Posted by robloach on February 28, 2008 at 7:11pm
robloach's picture

To aggregate to browsers without JavaScript, you could implement a server-side system that would time how long the form took to fill in.

CAPTCHA

Group organizers

Group notifications

This group offers an RSS feed. Or subscribe to these personalized, sitewide feeds: