Table of contents
- CAPTCHA in Flex – Main Class
- CAPTCHA in Flex – Running Example
- CAPTCHA in Flex – Using to Check the User
And now here is a running example. It shows how to generate a CAPTCHA by setting about 4 parameters.
More parameters could be added to this example, such as dot size, polygon transparency and font size, but those are extra features.
Enjoy!
PS: Sources are below.
Tags: ActionScript, captcha, flex, MXML, Security
This post was written by Andrei Ionescu
I’ll grant you that it looks very pretty. However, unless the CAPTCHA is generated server side and then sent to the Flex app as a graphic (PNG/JPEG) via AMF or some other method, there is little to no point in using this class.
I would also suggest that, given the standard color of the text and the font used, even if this were generated server side it would be very easy to segment.
This class can only provide the user with a false sense of security. If you want a CAPTCHA, generate it server side and make it hard to segment.
Phil, thank you for the comment. The Flex/Flash CAPTCHA is not the same as one used in HTML forms.
In HTML you need to use it server-side because a script can automatically submit data to the form’s action URL (which is visible).
In the case of Flex/Flash, to be able to submit to a web service (a web service that is not easily visible) you need either to use a script that graphically recognizes inputs in the Flash Player, or to know, from inside, the web service and how to use it (which can be secured easily).
This CAPTCHA is for graphically advanced scripts that can read screens, recognize inputs and automatically submit data into them.
And YES, for some people the security is increased if they see a CAPTCHA. Even though using Flex/Flash client-side to interact with the server-side does not require such a thing, being itself secure enough.
Couldn’t the spammer easily use Fiddler to find the service that Flex is submitting to? Without *some* level of server-side validation you could be pretty open.
(I like the script but I’m not sure if it solves the issue. If you’re submitting to a web service then won’t that service be discoverable by a determined spammer [and these days aren’t they all determined]?)
Jason, I agree with what you said. This class is only for the client-side, only the visual part. But a true CAPTCHA is integrated with the server-side, which is not the point of these articles.
You can take this generator and use it to secure what you need by linking it with your submission process.
Regarding the Fiddler issue… you can use Fiddler or any other spying tool on any kind of connection to catch data. You need to encrypt the CAPTCHA code with some sort of algorithm so that even if somebody uses Fiddler and gets the data they will not be able to decrypt it.
I would extend the Captcha class to call a service and get the CAPTCHA code from the server and then display it, not generating it on the client.
Another approach is to use an HTTPS connection in your project so you won’t need a CAPTCHA. But some people, even though the connection is secured, need to see that CAPTCHA to feel safe even though they are already safe without it. And by the way, Flash is better than HTML because there are not many robots to make automatic submissions.
These articles are only to show how you could implement this graphically.
Hope this clears out the mist.
Hello,
you can actually generate the captcha server side. Just take the code in the function that generates the captcha text and put it in a PHP file. Save the generated captcha from the PHP file in a database. Flex can get the captcha text through HTTPService. This way you can do captcha validation server side.
Thanks,
Bharani
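The server-side flow described in the comment above, written out as an added Python example (not code from the post or from any commenter). It makes one deliberate change to that flow: the server keeps the answer and gives the Flex client only an opaque token to send back with the user's input, because returning the text itself over HTTPService would expose the answer on the wire. The in-memory store, the 300-second TTL and the token format are assumptions standing in for the database.

```python
import hmac
import secrets
import string
import time
from typing import Dict, Optional, Tuple

# Constructed in-memory store: token -> (answer, expiry timestamp).
# A deployment would use the database or cache the comment above suggests.
_CHALLENGES: Dict[str, Tuple[str, float]] = {}
TTL_SECONDS = 300
ALPHABET = string.ascii_uppercase + string.digits

def issue_challenge(length: int = 6, now: Optional[float] = None) -> Tuple[str, str]:
    """Create a CAPTCHA answer on the server and return (token, answer).

    Only the token is sent to the Flex client; the answer stays here and is
    what the server would render into the image. Sending the text itself
    over HTTPService would hand the answer to anyone watching the wire.
    """
    now = time.time() if now is None else now
    # Drop expired challenges so abandoned ones do not pile up.
    for stale in [t for t, (_, exp) in _CHALLENGES.items() if exp < now]:
        del _CHALLENGES[stale]
    answer = "".join(secrets.choice(ALPHABET) for _ in range(length))
    token = secrets.token_urlsafe(16)
    _CHALLENGES[token] = (answer, now + TTL_SECONDS)
    return token, answer

def verify(token: str, submitted: str, now: Optional[float] = None) -> bool:
    """Check a submission against the stored answer.

    The challenge is consumed on the first attempt, right or wrong, so a
    captured request cannot be replayed and a guess cannot be retried.
    """
    now = time.time() if now is None else now
    entry = _CHALLENGES.pop(token, None)
    if entry is None:
        return False
    answer, expires_at = entry
    if now > expires_at:
        return False
    # Constant-time comparison; case-insensitive since the image is ambiguous.
    return hmac.compare_digest(answer, submitted.strip().upper())
```

The client side only ever handles the token and the user's typed text, so capturing the request with Fiddler reveals nothing that can be reused once the challenge has been consumed.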
“In the case of Flex/Flash, to be able to submit to a web service (a web service that is not easily visible) you need either to use a script that graphically recognizes inputs in the Flash Player, or to know, from inside, the web service and how to use it (which can be secured easily).”
This is just relying on security through obscurity which is a horrible idea.
Hello PHP Guy, and thanks for the comment. There is nothing about obscurity. It is about not knowing the insides of the application, which should not be let known. In the security field the first premise for good security is not to make important internal things obvious to ill-intentioned persons. Banks do that, companies keep secrets and there are other examples.
As you can read in a comment above…
So if you are concerned about securing your Flex application with a CAPTCHA you could use this graphical approach and build your own server side. But for good security you should use the HTTPS protocol, and I’m sure you already know that, and I’m sure you know other ways to secure your application.
Thanks a lot for the code you’ve provided. Keep up the nice work…
You keep using the word “security” in the replies you’ve made. But I’m not sure if you’re using it in the right context. Let’s make something perfectly clear here: A captcha provides no security for the end user. HTTPS is a protocol that protects against eavesdropping and man-in-the-middle attacks. Captchas are for companies that want to reduce spam. These are two completely different things.
People who create or use bots that literally fill out forms and submit them are amateurs. Real power lies in hijacking the actual HTTP requests, which is not a difficult thing to do. This is what PHP Guy meant about “hiding behind obscurity.” HTTP requests are not hidden from tech-savvy users. Not in the same way that a bank vault’s software is hidden. On the contrary, HTTP requests are easily accessed by simple plugins available for major web browsers. Any HTML developer is going to have a copy of that software for debugging purposes.
I know that you’re just illustrating how a captcha could be generated in flex. But the fact is simple: There is no protection against spam with a locally-generated turing test. Sure, it’s a deterrent: a hacker might see the captcha and THINK that it’s server-generated, but if they ever found out that it wasn’t, then you’d be in trouble.
Don’t you remember what happened to Twitter?
http://www.mediaite.com/online/twitter-password-breach-next-time-use-the-name-of-your-first-pet/
The moment you think nobody will find out, someone does and it’s all downhill from there.
Hello James. I agree with what you said. And more… Making automated submit “engines” for Flash animations is quite hard and expensive to create. From this point of view Flash is by itself a bit more “secure” with regard to spam. It is harder to auto-submit a form made using Flash than one made using HTML. And if we add HTTPS things get even better. The article is not about securing your application but about how to make the form in a way that spammers are reluctant to try to spam through that form. Thanks for pointing this out.
Andrei, I can set up an HTTP + HTTPS proxy that sits between the Flash app running in my browser and your server, which receives the request from the app. I can watch exactly what is transmitted over the wire from Flash to your server. I can then write a bot in Perl, completely bypassing Flash, to submit information to your server as much as I want.
Your notion of Flash being more secure is true for the trivial script kiddies… but is of absolutely no protection for someone who really wants to take advantage of your service.
Hello Nick!
First of all…
Second… please read James Watkins’ comment a bit above and my answer to it if you didn’t already read it. Third… I understand that you are an exceptional programmer and I agree that it is not totally secure and/or spam free, but I would be grateful if you could come up with ideas to make it better considering your expertise. Thanks for the comment.