A warning
Not requiring validation on the server means doing the check in the user's browser.
This implies that any solution will be easily circumvented with minimal knowledge of Javascript. Another possible attack is to simply replicate the HTTP request without using a browser at all. Summary: without server validation any solution will be extremely vulnerable.
Solution that does not require server validation
To prevent only the more naive attacks, one solution is to use an event on the page that enables form submission once it is identified that a real user is accessing the page.
The challenge is to identify the pattern of a real user. I imagine a user will either click the button or use the TAB key until getting there, right? Then we could only activate the submission if there is a mouseover or focus event on the button.
In addition, to prevent an automatic script from identifying the form's action and fields, I would use a solution with Ajax.
See the following example of two fields with a button:
Field 1: <input id="f1"/><br/>
Field 2: <input id="f2"/><br/>
<button type="button">Enviar</button>
And then a script that monitors the mouseover and blur events, adding the click event that will perform the Ajax request only when one of the first two events has fired:
// watch for focus and mouseover
$('button').bind('focus mouseover', function() {
    $(this)
        // the events are no longer needed
        .off('mouseover focus')
        // add the event that will perform the final request
        .click(function() {
            console.log('implement the ajax call here');
        });
});
Anyway, I think it is possible to adapt this for a conventional submit too, if that is the case.
Solutions that require server validation
Here I will leave a recorded response that I had written using server validation.
There are several solutions not to use captcha, some more professional based on creativity.
Hidden field for "humans"
An SO answer gave the idea of creating a hidden field on the form. A "robot" program that sends messages automatically will try to fill this field with some random information. Then your code will know that if the hidden field is filled, someone has been messing with what they should not.
Example:
<!-- this field should not be filled in, but bots will probably try to do so -->
<input type="text" id="nao_humano" name="nome" />
<!-- this field is the one the user should actually fill in -->
<input type="text" name="nome_real" />
<!-- the style hides the field the user should not fill in -->
<style>
#nao_humano { display: none }
</style>
Service with artificial "intelligence"
Some services do the spam-detection work. For example, on my blog I use Akismet.
Akismet works something like this:
The user submits a comment on the form
A code on my site receives the message and sends it to the Akismet service
The Akismet service checks the comment against a Spam information base
Akismet returns whether the message is potential spam or not
Obviously, there is some concern about the security of this process. In a public blog there are no difficulties, but for a company that receives information from clients the traffic of information to a third party server can be an impediment.
Detecting Human Behavior
Another idea I saw some time ago is to detect events on the site to validate if someone is actually typing the message.
Doing this is relatively simple. First, generate a random code and put it in the user's session. Print this same code in a Javascript block inside the page:
var codigo = 'CODIGO_GERADO';
Then add a hidden and initially empty field in the form:
<input type="hidden" name="validacao"/>
Now write some code in an event such as mouseover or keyup on the page that fills the validacao field with the value of codigo.
Finally, the server should validate that the validacao field came with the code. To dodge some smarter spammers, the name of this field may also be random.
Conclusion
In my opinion, creativity is what rules this point. The more different and creative your solution, the more difficult the spammers will detect it.
Do not forget that any client validation can easily be fooled by any user who knows how to use the developer tool and has an intermediate knowledge of Javascript.