NuGet / PoliteCaptcha

PoliteCaptcha is a spam prevention library for use with ASP.NET MVC that attempts polite spam prevention first, before rudely presenting the user with a CAPTCHA.
Apache License 2.0

Implemented "Session Hacks" and another improvement suggestion #9

Open atas opened 11 years ago

atas commented 11 years ago

Hi there,

This is a nice plugin here, I was planning to do one for myself and open-source it later, but it seems there's no need while PoliteCaptcha is here. I've implemented and pushed a quick hack for a problem which many spam prevention libraries have.

The fact: There are tools out there to brute-force forms especially if you want to harm "a specific website". You can assign values into forms, assign random values, use a text-list etc.

The problem: PoliteCaptcha only prevents bots randomly brute-forcing forms on the internet. If an attacker comes to your website and attacks specifically your form, PoliteCaptcha is very easy to crack by just putting a string, and its reverse.

The solution: Save the randomly generated guid into the session, validate it also from the session and (!) don't forget to reset the guid in the session after a successful validation, otherwise the method I describe at the bottom of this post can break it.

Now with this solution, the attacker has to request the first page first, parse the form and generate the form values. This is harder.

The solution is here: https://github.com/AtaS/PoliteCaptcha/commit/2b0293ff4118259d1834b650a8d6c80c53d52328 and if you like it I can tidy up the code a little bit, make it optional with a parameter and we can merge it.

Step 2 - Better prevention: Output a guid into the form named "RequestKey" and make the form request the NoCaptchaChallengeField by ajax with the RequestKey from the server 10 seconds after the user generates the form. This way, the server can actually refuse to give out the Guid before 10 seconds, and each attacker IP address can only brute-force at most once every 10 seconds. I'm not even saying that this requires a very advanced or specially-coded brute force tool which should also work on a distributed network across servers, because attacking every 10 seconds from a single IP address will not do real harm.

Now I intend to implement Step 2 also as an option for users, but first I want your opinions. If you are not open to merging them, I may go and implement my own from scratch.

**A method to crack many prevention libraries**: use the form manually for the first time, get the posted values and put them into the brute-force tool. Change the email randomly every time, and send the other information always unchanged, like NoCaptchaChallengeField (for which you can generate any random numbers) or the session cookie (if needed).
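The session-bound, single-use challenge described in this comment, written out as an added example in ASP.NET MVC (this is illustrative code, not PoliteCaptcha's own implementation or the linked commit). The session key name, the `ContactController`, the `challengeToken` field name and the `ContactForm` model are all assumed. It goes one step further than the comment: the stored token is removed on every validation attempt, not only on success, so a captured value can be tried exactly once.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.Mvc;

// Added example (not PoliteCaptcha's own code): a session-bound, single-use
// challenge token. The session key name and the ContactForm model are assumed.
public static class SessionChallenge
{
    private const string SessionKey = "PoliteCaptcha.ChallengeToken"; // assumed key name

    // Called while rendering the form: store a fresh random token in the
    // session and return it so the view can place it in the hidden field.
    public static string Issue(HttpSessionStateBase session)
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(bytes);
        }
        var token = Convert.ToBase64String(bytes);
        session[SessionKey] = token;
        return token;
    }

    // Called on POST. The stored token is removed before the comparison, so
    // each issued token can be tried exactly once: a value captured from a
    // real submission cannot be replayed, and repeated guesses against one
    // token are impossible. A failed check re-renders the form, which issues
    // a new token.
    public static bool Validate(HttpSessionStateBase session, string submitted)
    {
        var expected = session[SessionKey] as string;
        session.Remove(SessionKey);
        if (expected == null || submitted == null)
        {
            return false;
        }
        return FixedTimeEquals(Encoding.UTF8.GetBytes(expected),
                               Encoding.UTF8.GetBytes(submitted));
    }

    // Comparison whose running time does not depend on how many leading bytes
    // match. (CryptographicOperations.FixedTimeEquals is not available on the
    // .NET Framework that classic ASP.NET MVC targets.)
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        var diff = a.Length ^ b.Length;
        var len = Math.Min(a.Length, b.Length);
        for (var i = 0; i < len; i++)
        {
            diff |= a[i] ^ b[i];
        }
        return diff == 0;
    }
}

// Hypothetical controller wiring. The view renders, inside the <form>:
//   <input type="hidden" name="challengeToken" value="@ViewBag.ChallengeToken" />
// (or has script fill the value in, as PoliteCaptcha's no-captcha challenge does).
public class ContactController : Controller
{
    [HttpGet]
    public ActionResult Index()
    {
        ViewBag.ChallengeToken = SessionChallenge.Issue(Session);
        return View();
    }

    [HttpPost]
    public ActionResult Index(ContactForm form, string challengeToken)
    {
        if (!SessionChallenge.Validate(Session, challengeToken))
        {
            ModelState.AddModelError("", "The form could not be verified; please try again.");
            ViewBag.ChallengeToken = SessionChallenge.Issue(Session); // fresh token for the re-rendered form
            return View(form);
        }

        // Token matched and has been consumed; handle the submission.
        return RedirectToAction("ThankYou");
    }
}

// Assumed form model.
public class ContactForm
{
    public string Email { get; set; }
    public string Message { get; set; }
}
```

Two practical caveats follow from tying the challenge to Session: a single user with the form open in two tabs gets the first tab's token overwritten by the second, and the approach only works on a web farm if sessions are shared (a distributed session store) or sticky, which is the cloud concern raised later in this thread.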

laedit commented 10 years ago

Hi,

I am only a user of PoliteCaptcha but I'm interested in your suggestions. Could you propose a pull request here? I think it's the best way to see your improvements integrated.

Thanks.

atas commented 10 years ago

Hey Jeremie,

I'd love to but unfortunately I don't have time to do it on my own and I'd prefer to collaborate with the owners of the repository.

And I didn't get any reply from them.

Actually at this stage even if I get a positive reply my time frame got much more restricted over the last months.

Ata

On 21 Mar 2014 11:59, "Jérémie Bertrand" notifications@github.com wrote:

> Hi,
>
> I am only a user of PoliteCaptcha but I'm interested in your suggestions. Could you propose a pull request here? I think it's the best way to see your improvements integrated.
>
> Thanks.


analogrelay commented 10 years ago

This seems interesting, but it also seems like the AntiForgeryToken helper built into MVC could be used to achieve your scenario.

The goal of PoliteCaptcha is to work without the need for a tracking mechanism such as Session (which is problematic in cloud scenarios) or Cookies. If you need something more complicated, the AntiForgery mechanism is probably a better approach. PoliteCaptcha is also not designed to be a 100% fool-proof spam mechanism, but more of a deterrent that isn't as annoying as a CAPTCHA. Currently, we have not encountered any issues using it in our relatively high-traffic sites.

Sorry for the delayed response. This is basically a side-project that we published because we used it in our site and found it useful, so it does have a tendency to fall idle. We'd definitely be interested in receiving Pull Requests if you'd like to contribute.