I want to know if it is possible to create a secure human detection mechanism (not using CAPTCHA) for a form with just JavaScript to detect mouse movement, since neither jQuery nor operating system code can move the mouse (so I'm told).
Here is my plan:
- With jQuery I can detect if the mouse has moved, and then allow a form to submit if it has.
- I already have cross site scripting enabled so no one can submit directly to the site outside of the webpage, and I'm requiring JavaScript to submit the form.
- The mouse movement will add a value to a mouse field in the form, and the value is what will determine on the server side that it was submitted by a human.
- The mouse field will use some form of algorithm that the mouse movement will seed, then decode it on the server side so a bot can just enter any value into the mouse field.
So I'm wondering if there are still holes in this approach or ways for a bot to still bypass it.
No, it is not possible to create a secure mechanism that detects a human by relying on mouse movements. Check out the java.awt.Robot class for just one example of how to hack it using software only. I used this class to write an Easter egg into a program that jacks with the mouse and makes it dance some crazy patterns. The users loved it ;-) You could also hack it with the USB Rubber Ducky.
Your method relies on something that would be trivial for a bot to do, unless you use mouse movements in some way I've not thought of.
No matter what you are doing with the mouse, at the end of the day, all you are doing is making a value in a form.
I'm not 100% sure how you plan to implement this, but if you are just tracking exact mouse location (which I'm not sure HTML will even let you do, but I could be wrong), a bot would be able to emulate that, either by setting the field to the location where you expect the mouse to be, or by moving a "virtual" mouse by adding the change in x and y to some value.
(This is all assuming that the bot would be able to understand your instructions of course. I'd assume that by writing, in plain text HTML, "Please enter the value '290' in the box below" most bots except one that was written especially for your site will be able to register...)