Wednesday, December 21st, 2005

Busting the Bots with Ajax

Category: Security

Wael Chatila has published the final part of a three-part series exploring Ajax Security. The articles have covered:

  1. Using mouse gestures as passwords.
  2. Checking whether keystrokes seem human.
  3. An Ajax CAPTCHA system. Each photo has several attributes, so “Animal, Costume, Boy” means a photo containing an Animal, Costume, and Boy. The list contains several descriptions like this and you drag the mouse around to each one.


The great thing about the series is that each article has a working demo.

Another Ajax security application is the WordPress plugin HashCash, which embeds a secret number on the page using obfuscated (in a random way!), encrypted JavaScript. A spammer can break it by running it with a JS engine, but it’s enough of a deterrent in many cases.

Every four hours, your blog picks a random large number (close to 32 bits). Whenever a visitor visits your permalink pages, an ajax call is made which retrieves some javascript. This javascript first decrypts itself, then executes itself again to retrieve the secret value, which it sets in the form. Then it enables the submit button. If a comment does not have this value, it is rejected. If a comment is rejected more than four times, the user is blocked for a specified period of time.

Posted by Michael Mahemoff at 4:57 pm
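
The server-side checks that the HashCash description above implies, as an added example (not the plugin's own code). The function names, the per-visitor key, the one-hour block length and the reset of the counter on success are assumptions.

```javascript
// Added example with hypothetical names; not the HashCash plugin's code.
const { randomInt } = require('crypto');

const ROTATE_MS = 4 * 60 * 60 * 1000; // the secret changes every four hours
const MAX_REJECTS = 4;                // blocked once rejected more than four times
const BLOCK_MS = 60 * 60 * 1000;      // assumed value for the "specified period"

function createCommentGate() {
  let windowId = -1, secret = 0;
  const rejects = new Map(); // visitor -> rejection count
  const blocked = new Map(); // visitor -> time the block ends (ms)

  // Return the secret for the four-hour window that contains `now`.
  function secretFor(now) {
    const id = Math.floor(now / ROTATE_MS);
    if (id !== windowId) {
      windowId = id;
      secret = randomInt(2 ** 31, 2 ** 32); // "close to 32 bits"
    }
    return secret;
  }

  // Decide what to do with the value submitted in the comment form.
  function check(visitor, submitted, now) {
    if ((blocked.get(visitor) || 0) > now) return 'blocked';
    // Form fields arrive as strings; accept plain decimal digits only.
    const ok = typeof submitted === 'string' && /^\d{1,10}$/.test(submitted) &&
      Number(submitted) === secretFor(now);
    if (ok) { rejects.delete(visitor); return 'accepted'; } // assumed: success resets the count
    const n = (rejects.get(visitor) || 0) + 1;
    rejects.set(visitor, n);
    if (n > MAX_REJECTS) {
      blocked.set(visitor, now + BLOCK_MS);
      rejects.delete(visitor);
    }
    return 'rejected';
  }

  return { secretFor, check };
}
```

A comment with no value is rejected the same way as one with a wrong value, so a client that never ran the script reaches the block after its fifth attempt.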




I think you misunderstood the AJAX CAPTCHA. The method is confusing, however not for the reason you described. “Animal, Costume, Boy” were all attributes for one picture, not the whole sequence. The sequence is:


Each line lists attributes linked to one of the pictures. So, “Animal, Costume, Boy” referred explicitly to the picture of the boy in the animal costume. Followed by the picture of the blue smiling plastic animal, the giraffe, and…. I suppose the boy again? This is where I get confused. I tried the sequence on the demo a few times and never managed to get it right. Perhaps the restrictions are too tight. My laptop touchpad doesn’t allow me to act very human or be very accurate with my mouse movements.

Comment by Chris Rittelmeyer — December 21, 2005

Using the touchpad on your laptop is really hard. Sorry, the user-friendliness is not the best.

Comment by Wael Chatila — December 21, 2005

Chris, thanks for the explanation. It’s only a demo, but maybe it would be clearer if the labels said “A photo containing an animal, a costume, and a boy”. Updated the description anyway.

Comment by Michael Mahemoff — December 21, 2005

Thanks for the links, this is very interesting. Btw, your link for the second article is the same as for the first.

Comment by Haris Skiadas — December 21, 2005

By requiring input methods within certain parameters you exclude not only people with visual disabilities but those with motor impairments (or nonstandard input devices) as well.

What’s next, making the user run a marathon? :-)

Comment by Prentiss Riddle — December 22, 2005
