ChronoEngine community,
I'm using several ChronoForms on my Joomla website; they are all using the default Captcha {imageverification}.
Now a spambot managed to "bypass" this captcha on my website and all of the mandatory data fields in the chronoform.
Has anyone had this before? And how did you solve it?
I guess the logical thing to do is to add server-side verification but isn't the captcha already server-side verification?
Please give me some advice on how I can add additional security to my chronoforms to prevent this in the future.
P.S. I'm not a big fan of using blacklists.
Kind Regards,
Jnijman
Hi Jnijman,
Fredrik knows more about this than I do :-( It's certainly possible to post to the form URL and bypass all the JavaScript validation. Not so sure about the imageverification - I would have expected that to block them.
Easy enough to add one step of serverside validation if this becomes a problem.
Bob
Hi Jnijman,
Regarding the Captcha/Image Verification:
This check is done serverside. However, there are services out there these days that either provide the manual labor of decoding the images, or use sophisticated OCR software to decode captchas. Either way, the end result is that most "Captcha-only" tests can be circumvented if you've got the funds for it.
That, however, does not mean captchas are useless. They're still a good means to stop a large number of the robots out there, and they also deter spammers from the site unless they see a good opportunity for profits.
The ReCaptcha plugin:
ReCaptcha can be somewhat difficult to get working at first, but might be a good next step if you see spammers getting past the simple captcha. The main reason for this is that ReCaptcha is a centralized service that does additional checks - such as whether a certain IP passes too many captchas in a limited time, and other tests.
Required Fields:
These tests are done using client-side JavaScript unless you've manually added some checks within the serverside-validation code. I believe you'll find a few good examples on the forum by searching on 'serverside validation'.
/Fredrik
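As an added illustration of the serverside check Fredrik describes (example code, not from this thread or from the ChronoForms project): required fields re-validated in PHP so that a bot posting straight to the form URL, past the JavaScript, is still rejected. It assumes a ChronoForms v3-style "Server Side Validation" box in which returning a non-empty string fails the submission and displays that message; the field names are hypothetical.

```php
<?php
// Added example, not ChronoForms' own code. Assumes a ChronoForms v3-style
// "Server Side Validation" box where returning a non-empty string marks the
// submission as failed and shows that text (assumption; check your version).

// Hypothetical field names: list the fields your form actually marks required.
$required = array(
    'name'  => 'Name',
    'email' => 'E-mail address',
    'body'  => 'Message',
);

$errors = array();
foreach ($required as $field => $label) {
    // A bot that posts directly never runs the client-side JavaScript checks,
    // so every "required" rule has to be enforced again here on the server.
    // trim() catches values that are only whitespace, which isset() alone accepts.
    $value = isset($_POST[$field]) ? trim((string) $_POST[$field]) : '';
    if ($value === '') {
        $errors[] = $label . ' is required.';
    }
}

// Basic format check for the e-mail field using PHP's built-in validator.
if (empty($errors) && !filter_var($_POST['email'], FILTER_VALIDATE_EMAIL)) {
    $errors[] = 'Please enter a valid e-mail address.';
}

// Returning a message tells ChronoForms to stop processing and redisplay the form.
if (!empty($errors)) {
    return implode("\n", $errors);
}
```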