Tags: javascript, forms, security, bots, captcha

When is a bot protection necessary in UI interactions?


The question is quite broad but I'll narrow it with my use case.

I don't use forms in my sites, just ajax calls to php services. Basically I use stylized spans with "click" events associated, which proceed to an ajax request posting everything to the server.

  • No <form> element,
  • No <input type="submit"> element.
  • If javascript is disabled, well... nothing works (whether or not it is a good thing is not the purpose of this post)

But I still want to be sure no smart$ss bot generates junk with my "forms".

So my question is: do I need a captcha or similar bot protection in this context?


Here is the solution I chose to implement, according to the given answer:

html:

<form id="honeypotform" action="http://whatever.com">
    <input type="text" id="formbody">
    <input type="submit" id="submitbtn" value="Submit">
</form>

css:

#honeypotform { display: none; }

The real submission link:

<span onclick="submitForm();">Submit</span>

The link action:

// "do" is a reserved word in JavaScript, so the handler is named submitForm instead.
function submitForm() {
    // Honeypot check: a real user never sees the hidden #formbody input,
    // so a non-empty value means a script filled it in; bail out.
    if (document.getElementById("formbody").value != "") return true;
    /* ... */
}

I'll follow up with this post to give feedback of my results after a few days.


Solution

  • What exactly bots do: they actually detect all the input elements inside your form and run a script that fills up the inputs with some valid text, thus filling up the database with false junk entries.

    How to tackle this: it's pretty simple, and every form validation must follow this pattern. You can always place a hidden input field inside your form and assign it an empty value.

    When you validate on the server side, just make sure you get this entry as empty. If it is EMPTY, proceed with your insert queries; otherwise consider it a BOT attack that's filling up junk entries.

    Interesting read: When the bots attack!

    It's not a bad idea to enclose your inputs in a form tag without using a submit button. (I recommend this.)

    Just in case you think about disabling javascript: your ajax would not work.

    It is always a good idea to have server-side validation as PLAN B for a paranoid developer. Quality work!!!

    An example: what you have given is still vulnerable.

    <form>
    <input type="text" id="name">
    <input type="text" id="contact_no">
    <input type="text" id="password">
    <!-- just seduce the BOT (considering that the bot reads the id or any other attribute to fill up values). Make sure on the server side $("#email").val is always zero, be it on client or server -->
    <input type="hidden" id="email">
    <input type="text" id="original_mle"> <!-- store this in db after server side validation -->
    </form>


    @AndreasBjørn: yes, that's a loophole. I am afraid I would fail if there is a bot specifically designed for my form providing malicious data entries. CAPTCHA seems to be the only solution in this case.