Captcha got bypassed, what to do?

Jnijman 10 Aug, 2010
ChronoEngine community,

I'm using several ChronoForms on my Joomla website; they are all using the default Captcha {imageverification}.
Now a spambot has managed to "bypass" this captcha on my website, along with all of the mandatory data fields in the ChronoForm.

Has anyone had this before? And how did you solve it?

I guess the logical thing to do is to add server-side verification, but isn't the captcha already server-side verification?

Please give me some advice on how I can add additional security to my chronoforms to prevent this in the future.

P.S. I'm not a big fan of using blacklists.

Kind Regards,
Jnijman
GreyHead 10 Aug, 2010
Hi Jnijman,

Fredrik knows more about this than I do :-( It's certainly possible to post to the form URL and bypass all the JavaScript validation. Not so sure about the imageverification - I would have expected that to block them.

Easy enough to add one step of serverside validation if this becomes a problem.

Bob
nml375 10 Aug, 2010
Hi Jnijman,
Regarding the Captcha/Image Verification:
This check is done serverside. However, there are services out there these days that either provide the manual labor of decoding the images, or use sophisticated OCR software to decode captchas. Either way, the end result is that most "Captcha-only" tests can be circumvented if you've got the funds for it.
That, however, does not mean captchas are useless. They're still a good means to stop a large number of robots out there, and they also deter spammers from the site unless they see a good opportunity for profits.

The ReCaptcha plugin:
ReCaptcha can be somewhat difficult to get working at first, but might be a good next step if you see spammers getting past the simple captcha. The main reason for this is that ReCaptcha is a centralized service that does additional checks - such as whether a certain IP passes too many captchas in a limited time, and other tests.

Required Fields:
These tests are done using client-side JavaScript unless you've manually added some checks within the serverside-validation code. I believe you'll find a few good examples on the forum by searching on 'serverside validation'.

/Fredrik
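
A sketch of the server-side re-check of required fields described in the reply above, as an added example that is not part of the original thread and not ChronoForms' own code. It is plain PHP; the field names and the rule format are assumptions, and wiring it into the form's serverside-validation code is left out because the thread does not show it.

```php
<?php
// Added example: plain PHP, not ChronoForms code. Field names are hypothetical.

/**
 * Re-check on the server what the browser-side script was supposed to enforce.
 * $rules maps field name => ['required' => bool, 'max' => int, 'type' => 'text'|'email'].
 * Returns field => error message; an empty array means the post is acceptable.
 */
function validate_submission(array $post, array $rules): array
{
    $errors = [];
    foreach ($rules as $field => $rule) {
        $raw = $post[$field] ?? '';
        // A direct POST can send an array (field[]=x) where a string is expected.
        if (!is_string($raw)) {
            $errors[$field] = 'Invalid value.';
            continue;
        }
        $value = trim($raw); // whitespace-only input counts as empty
        if ($value === '') {
            if (!empty($rule['required'])) {
                $errors[$field] = 'This field is required.';
            }
            continue;
        }
        if (strlen($value) > ($rule['max'] ?? 255)) {
            $errors[$field] = 'Value is too long.';
        } elseif (($rule['type'] ?? 'text') === 'email'
            && filter_var($value, FILTER_VALIDATE_EMAIL) === false) {
            $errors[$field] = 'Not a valid e-mail address.';
        }
    }
    return $errors;
}

// Constructed sample: a submission posted straight to the form URL,
// so none of the JavaScript checks ever ran.
$rules = [
    'name'    => ['required' => true, 'max' => 80],
    'email'   => ['required' => true, 'max' => 120, 'type' => 'email'],
    'message' => ['required' => true, 'max' => 2000],
];
$post = ['name' => '   ', 'email' => 'not-an-address', 'message' => 'Hello'];

foreach (validate_submission($post, $rules) as $field => $msg) {
    echo "$field: $msg\n";
}
```

The form handler should refuse to store or mail the submission whenever the returned array is non-empty, regardless of what the browser-side checks reported.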
Jnijman 12 Aug, 2010
Bob and Fredrik,

Thank you 😀 for taking the time to reply to my question. The information you provided helped me out; I will be implementing additional server-side checks and will look into ReCaptcha.

Regards,
Jnijman