asp.net - Can I read Captcha data from JavaScript in a secure way? - Stack Overflow

admin管理员组

文章数量:1310532

We use Captcha control in a registration form that we make full client validation for all fields in JavaScript ( JQuery ) beside server validation ..
I tried a lot of ways but all will write the Captcha value in JavaScript that can be accessed by anyone :(
I search if is there any way that allow me validate Captcha value in client side using JQuery in secure way or it can't be done ?

We use Captcha control in a registration form that we make full client validation for all fields in JavaScript ( JQuery ) beside server validation ..
I tried a lot of ways but all will write the Captcha value in JavaScript that can be accessed by anyone :(
I search if is there any way that allow me validate Captcha value in client side using JQuery in secure way or it can't be done ?

• asp
• javascript
• jquery
• captcha

Share Improve this question Follow asked Jun 6, 2010 at 6:58 Amr BadawyAmr Badawy 7,6931212 gold badges5252 silver badges8686 bronze badges

Add a ment  | 

3 Answers 3

Sorted by: Reset to default 8

It cannot be done.

Javascript is client-side, as you know, and any code client-side has to be treated as potentially promised as you don't have control over it.

At best, you could resort to sending up a salted hash of the value along with the salt, but even that in itself could be used to test guess values before actually submitting it.

Everything else relies on calls to the server.

---

As per ment request, here's the general idea:

Firstly, on the server, calculate a random string to be used as the salt. This should be roughly unique every request. The purpose of this string is to prevent rainbow table attacks.

Now, saving this string separately, but also create another string that is the concatenation of random string and the Captcha answer. Of this new bined string you generate the hash (for example, SHA-1) of it.

using System.Web.Security;
...
string hashVal = FormsAuthentication.HashPasswordForStoringInConfigFile(bined, "SHA1");

Both the random string and the hash value need to be placed in the page for the javascript to be able to read.

On the client side, when a user answers the Captcha, take the random string and concatenate it with the answer (getting the idea here?). Taking this string, you can use something like the SHA-1 JQuery plugin to hash it and pare it with the pre-puted hash you sent up.

hashVal = $.sha1(binedString)

If it matches, it is (almost) certainly the correct answer. If it doesn't, then it is 100% the wrong answer.

you could use ajax to post the current value to the server, which would respond true or false. that would keep you from doing a real post and also from giving away the catpcha's value in html.

My solution )) Every time when page shows captcha to the user, you can dynamically generate obfuscated JavaScript functions(i think the best way 5 or 10). For example, one function(or 3)) ) can set cookies with pregenerated hash(server returns it)(from real value of the captcha), other functions must realize server side algorithm to check value which user's typed. I can say that it works for 100%, because it is very hard to parse dynamically javascript + we set user cookies on client side(It is very hard for Bots's to find out where and how you set and check cookies), by using JavaScript.

本文标签： aspnetCan I read Captcha data from JavaScript in a secure wayStack Overflow