The Bot Wars – the defeat of CAPTCHA and the rise of a new hero to secure your forms – part two

in #programming · 7 years ago


In Part One we looked at the ongoing battle between the Dark lords and their bot armies and the Webmasters. The poor Webmasters tried many times to secure their forms from the bot armies, but each time a hero rose to champion the purity of their data, they were eventually defeated.

But now we have a new champion, one that is different. Let’s examine this hero and see what makes him tick.

But first –

Know your enemy

I don’t have a bot army to play with, so I sat down and tried to think my way through how a bot works, what its strengths are, why it was being used, and then I looked at what makes a bot different from humans. By understanding the differences maybe I could gain some insight into how to defend against the bots.

The Bots

So we can define some characteristics of bots just from our understanding of code in general:

  • Bots see the code of the form, not the displayed form itself
  • Bots are fast, really fast. That is a key strength for the bot armies. They can fill in and submit a form in under a second, and then do it again, and again.
  • Bots fill in everything they can, just in case a field is required for processing

The Humans

We do know a bit about how humans interact with forms, so we can make some pretty good assumptions here.

  • Humans see the displayed form and not the underlying code (unless something is broken. Whoops!!)
  • Humans are slower to fill in forms. They need to type stuff in and interact with form controls, read text etc. They will typically take longer than a second to fill in the form.
  • Humans are lazy by nature. They will typically only fill in the fields that they have to in order to submit the form.

So now that we know some of the differences, we can start to develop a strategy that works for humans, but doesn’t work for bots.
The three key differences above are all ones we can exploit to craft a nice little trap for a bot.

Knowing what we know, we can –

Put something at the code level that the bot will see and interact with, but the human won’t. When this component receives an action it can then disable the form, thus preventing it from being submitted.

Delay the ability for the form to be submitted, i.e. prevent form submit actions for 10 seconds. The bot will fill out the form and fire off submit requests to various known submit triggers. If these are sent before the timeout has expired, the form will not submit. A human will take longer than 10 seconds to fill in the form, so by the time they click the submit button, the form is live and will work.

Put some ‘goat fields’ in the form. These are fields that look juicy to a bot – something called ‘email address’ would do – so it will fill them in. But if you hide these fields from the user, using CSS or JavaScript, the humans won’t fill them out. Then when the form is submitted, if a goat field has been filled in, we know it was done by a bot and we can reject the form submission.

But wait, there’s more!

We can really mess with the bot’s head. In the action attribute of the form tag – this is the URL the browser sends the form to for processing when the user submits it – you can set the URL to /404.html.

That’s right. The default place to send the form is to your 404 Page Not Found handler. Using our time delay mechanism, after 10 seconds or so, we can change the URL to send the form where we really want it to go.

Remember the bot will hit the form hard and fast and submit it. The submission will go to the 404 page and have no further processing done.

If the Botmaster is looking through any logs that might be generated from the bots filling out the forms, what they will see is that the forms are being sent to the 404 handler. The assumption then would be – the form / site is broken! No need to keep on trying to submit any forms on this site because the form handler is missing!

For the human user who takes more than 10 seconds to fill in the form, it works perfectly.

The recipe for success

We can combine all of these tactics into a single form to give multiple traps for the bots to fall into, while still leaving the humans to go about their daily tasks of overrunning the Internet with photos of their cats.
In the HTML of the page –

  • In the form tag set the action to action="/404.html"
  • Add a goat field e.g. <input type="text" value="" name="email-address" id="email-address" placeholder="for bots only"> and then hide it from the humans using CSS

In the JavaScript –

  • Trap the form submit event and prevent it from continuing by default. Only allow the form to submit if no bots are detected.
  • Add a change listener to the goat field and when the event is triggered, you can disable or completely remove the form altogether!
  • Add a timeout to swap out the URL for the 404 handler and put in the real form handler URL

In your form handler –

  • Check to see if the goat field has been submitted and if it has any data in it. If it does, reject the form submission. This is a ‘belts and braces’ approach, just in case they get through the first line of defence.

The beauty of trapping the bots at the front end over just doing this on the server side is that the server won’t have to process any bot form submissions. It will only ever have to serve up a 404 page, assuming they get past the disabling of the form submission trap.
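Here is the whole recipe above in plain JavaScript, as an added example rather than the post's own code (the post deliberately ships none). installBotTraps() is the browser half: goat-field change listener, submit blocked until the form is armed, and the action swapped from the 404 handler to the real handler after the delay. checkSubmission() is the ‘belts and braces’ half a Node form handler would run on the posted body. The goat field name email-address is the post's example; the real handler URL /contact and the data-bot-trap attribute used to pick out forms are assumptions.

```javascript
// Added example (not the post's own code): both halves of the recipe in plain
// JavaScript. installBotTraps() is the browser side; checkSubmission() is the
// "belts and braces" check a Node form handler would run on the posted body.
// Assumed names: goat field "email-address" (the post's example), real handler
// URL "/contact", and the data-bot-trap attribute used to find forms to protect.

const TRAP_DEFAULTS = {
  goatField: 'email-address', // hidden honeypot input; hide it with CSS, do not remove it
  decoyAction: '/404.html',   // the form points here until it is armed
  realAction: '/contact',     // assumed real handler URL
  armDelayMs: 10000,          // the post's 10-second delay before the form goes live
};

// Browser side. `form` is an HTMLFormElement; only addEventListener, setAttribute
// and querySelector are used, so a plain stub object works for testing. The
// handlers are returned so they can be exercised directly without a DOM.
function installBotTraps(form, options = {}) {
  const opts = { ...TRAP_DEFAULTS, ...options };
  const state = { armed: false, tripped: false };

  // Trap 1: the goat field. A human never sees it, so any change means a bot.
  // Tripping it points the form back at the decoy and blocks submission for good.
  const onGoatChange = () => {
    state.tripped = true;
    form.setAttribute('action', opts.decoyAction);
  };
  const goat = form.querySelector(`[name="${opts.goatField}"]`);
  if (goat) goat.addEventListener('change', onGoatChange);

  // Trap 2: submit is refused until the form is armed, and forever once tripped.
  // (The return value is ignored by the browser; it is there for the tests.)
  const onSubmit = (event) => {
    if (!state.armed || state.tripped) {
      event.preventDefault();
      return false;
    }
    return true;
  };
  form.addEventListener('submit', onSubmit);

  // Trap 3: the action starts at the 404 handler and is swapped to the real URL
  // only after the delay has passed with the goat field untouched.
  form.setAttribute('action', opts.decoyAction);
  const arm = () => {
    if (!state.tripped) {
      form.setAttribute('action', opts.realAction);
      state.armed = true;
    }
  };
  const timer = setTimeout(arm, opts.armDelayMs);
  return { state, arm, onSubmit, onGoatChange, cancel: () => clearTimeout(timer) };
}

// Server side (Node). Parse an application/x-www-form-urlencoded body and reject
// the submission if any goat field carries data; strip the goat fields from what
// gets stored so the trap itself never reaches the database.
function checkSubmission(body, goatFields = [TRAP_DEFAULTS.goatField]) {
  const params = new URLSearchParams(body);
  const tripped = goatFields.filter((name) => (params.get(name) || '').trim() !== '');
  if (tripped.length > 0) {
    return { ok: false, reason: `goat field filled: ${tripped.join(', ')}` };
  }
  const fields = Object.fromEntries(params.entries());
  goatFields.forEach((name) => delete fields[name]);
  return { ok: true, fields };
}

// In a real page: protect every form marked with data-bot-trap (assumed attribute).
if (typeof document !== 'undefined') {
  document.querySelectorAll('form[data-bot-trap]').forEach((f) => installBotTraps(f));
}

// Constructed sample bodies, as a form handler would receive them.
const humanBody = 'name=Ann&message=hello&email-address=';
const botBody = 'name=bot&message=buy+now&email-address=spam%40example.test';
console.log(checkSubmission(humanBody)); // { ok: true, fields: { name: 'Ann', message: 'hello' } }
console.log(checkSubmission(botBody));   // { ok: false, reason: 'goat field filled: email-address' }
```

The state object is shared by all three traps on purpose: once the goat field has been touched, arm() refuses to swap the action and onSubmit() keeps blocking, so a bot that trips the field late, after the timer has fired, is still sent to the 404 handler.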

I want this! So where’s the code?

That’s the beauty of this approach, there is no code! Each developer can follow the simple steps above and implement the solution in their own fashion. In that way each form can have a unique defence. The goat fields can be different, they can be hidden using different techniques. The Javascript can also be different.

But there is nothing stopping a developer from making their own form plugin so what they have written can be reused.

That’s what I have done. And for each instance I use it for, I tweak it slightly in such a way that if you figured out how it works on one form, the next form will work a bit differently. It will have a different goat field, or a different number of goat fields. The goat fields will be hidden using different techniques. The timeout delay will be different. The variable names in the code can be different. It’s really simple to take the pattern and alter it slightly so that a piece of code, i.e. a bot, will trip up on its own if statement and fall flat on its face. (very funny to watch)

In this way the bot army’s ability to interrogate code and find a weakness is rendered pointless. The amount of time and effort expended to figure out how to exploit one form, only to find that once they get one attack through, the Webmaster simply changes the algorithm, is not worth it. They might as well attack a site that has CAPTCHA, or no security. Your secured forms are not worth their effort.

In conclusion

I hope that someone finds this helpful and useful. I have used this technique to really good effect, and on the forms I’ve deployed this to, I have had zero bot submissions for over a year.

I think the main strength of this approach is the many and varied ways it will be implemented by Webmasters adding their own flair and insight to the mix.

But if you are really struggling to understand how this might work, let me know and I’ll look at putting up another post with my code in it for you to copy and paste. Just make sure that once you get it working, you fiddle with it a bit so it is different from everyone else’s code.




Ahaha! You had me there! I thought part two was the continuation of the epic story!! Great reveal that the hero was the goat field haha

As an AI-guy and a budding Security Researcher, I approve this two-part tale ;) Wonderfully crafted Part 1 by the way. You had me at the edge of my seat!

Thanks I'm glad you enjoyed it.

A bit more interesting than the usual boring technical article huh?

It sure was! As you may have noticed, I much more prefer articles like this ;) It puts an entertaining spin to the usual information dissemination. Really makes it much less intimidating to take in, too. You really have a knack for storytelling there!

Thanks very much. I really appreciate that :-)
