
kamcaptcha's Introduction

Kamcaptcha

A captcha system that uses less ridiculous images than ReCAPTCHA. Kamcaptcha has two somewhat independent parts: a generator that builds the word images to present, and a runtime configuration that checks the validity of what gets submitted.

Generating images

This is something you do locally, probably just once. You need to generate a series of images for your application to serve, using the kamcaptcha command line tool. The tool depends on RMagick being installed, so:

  1. gem install rmagick
  2. kamcaptcha --help

Then generate the images with your preferences. If you specify a salt, make sure to use that same salt when you configure your application runtime. If you do not specify a salt, kamcaptcha will generate an appropriate one for you to use. It looks like this:

$ kamcaptcha  --count 3 /tmp
Generating 3 words into /tmp

  1 /tmp/d519172b9cdfb2de5a5b30cf60836defc9b393f0e38a680937fcd5179467b191.png
  2 /tmp/a235210981703ca66e6d44450c39d42f40ad482bf165401a485b0d3e6c98e3e8.png
  3 /tmp/4ae2941beeea48773243cbf1366520c32dcc7b6375630c0e65bdf313df164ddc.png

Remember to set Kamcaptcha.salt = '58be24c9f6d0293ce2c9316fca1a6ec65d04c9156482b5ae51a267e022ba5a5c' in your application

Runtime configuration

Presumably, Kamcaptcha will be used primarily with Rails, so the following instructions are Rails-centric, although there's nothing Rails-specific about Kamcaptcha.

You need to configure Kamcaptcha in e.g. an initializer:

Kamcaptcha.salt = '58be24c9f6d0293ce2c9316fca1a6ec65d04c9156482b5ae51a267e022ba5a5c'
Kamcaptcha.path = File.join(Rails.root, "app", "assets", "images", "kampcaptcha")

# Optionally make use of the included form helper and validations
ActionController::Base.send(:helper, Kamcaptcha::Helper)
ActionController::Base.send(:include, Kamcaptcha::Validation)

You can now use Kamcaptcha in your views:

<%= kamcaptcha :label => "Please type in the letters below" %>

And in your controllers:

return head(:bad_request) unless kamcaptcha_validates?

You can easily write your own helper and controller logic; take a look at the source.

Copyright and license

Copyright 2013 Zendesk

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

kamcaptcha's People

Contributors

morten, steved


kamcaptcha's Issues

Rails 2.3.3 issues

I get an undefined captcha_block when I use it after installation. I had to specify the helper in the plugin init.rb as below to address this.


$:.unshift "#{File.dirname(__FILE__)}/lib"

require 'captcha_util'
require 'captcha_helper'
require 'validates_captcha'

ActionController::Base.class_eval do
  include ValidatesCaptcha
  helper CaptchaHelper
end

Also, installation tends to fail with the following message. environment.rb doesn't get updated, but the plugin works.

ruby script/plugin install git://github.com/zendesk/captcha.git


$ ruby script/plugin install git://github.com/zendesk/captcha.git
Initialized empty Git repository in /xxx/vendor/plugins/captcha/.git/
remote: Counting objects: 16, done.
remote: Compressing objects: 100% (15/15), done.
remote: Total 16 (delta 3), reused 3 (delta 0)
Unpacking objects: 100% (16/16), done.
From git://github.com/zendesk/captcha
 * branch            HEAD       -> FETCH_HEAD
Adding CAPTCHA_SALT global variable to environment.rb
Plugin not found: ["git://github.com/zendesk/captcha.git"]

Do yourself a favor and don't use this

This captcha implementation suffers from a very simple replay attack. The plugin essentially adds a captcha image, a hidden/encrypted field, and a text input for the user to supply the captcha value.

Doesn't matter how you protect your keys, how you generate the images etc. You essentially allow the user to pick the image they want to supply the captcha answer to by putting the encrypted text in the form. In order to exploit any form using this plugin all you have to do is this:

  • Load up the form
  • Note the correct answer to the captcha image
  • Record the value of the hidden field

You can now refresh the page, replace the value of the hidden field with the previous one and supply your known good answer; repeat as many times as desired. It doesn't matter what image is displayed; all the controller helper validates is that the text you supply matches the encrypted text you also supplied. D'oh!

A simple solution is to store the encrypted validation field in the session rather than using a hidden input. Doing that makes this as strong as the captcha image that's generated. Which admittedly isn't very good but it's better than nothing I suppose.
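
Added example (not part of the issue above or of the plugin's code): a Ruby comparison of the stateless check the issue describes with the session-bound, single-use variant it suggests. The token scheme (SHA-256 of salt plus answer), the salt value, the sample words and all method names are assumptions made for illustration.

```ruby
require "digest"

SALT = "constructed-example-salt" # constructed value, not a real Kamcaptcha salt

# Assumed scheme: the form's hidden field carries SHA-256(salt + answer).
def token_for(answer)
  Digest::SHA256.hexdigest(SALT + answer.to_s.downcase)
end

# Stateless check as the issue describes it: token and answer both come from
# the client, so one observed (token, answer) pair keeps validating.
def stateless_valid?(params)
  token_for(params[:answer]) == params[:token].to_s
end

# Constant-time comparison of two equal-length strings.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Session-bound variant: the expected token is kept server-side and removed
# on the first attempt, so each displayed image can be answered only once.
def issue_challenge(session, answer)
  session[:captcha_token] = token_for(answer)
end

def session_valid?(session, params)
  expected = session.delete(:captcha_token)
  return false if expected.nil?
  secure_equal?(expected, token_for(params[:answer]))
end

def replay_demo
  observed = { token: token_for("kiwi"), answer: "kiwi" } # noted from one page load
  stateless = Array.new(3) { stateless_valid?(observed) }

  session = {} # stands in for a server-side session
  issue_challenge(session, "kiwi")
  first = session_valid?(session, { answer: "kiwi" })
  replayed = session_valid?(session, { answer: "kiwi" }) # challenge already consumed
  issue_challenge(session, "plum") # next page load shows a different word
  stale = session_valid?(session, { answer: "kiwi" })
  { stateless: stateless, first: first, replayed: replayed, stale: stale }
end

p replay_demo if $PROGRAM_NAME == __FILE__
```

The single-use property depends on the session being stored server-side; with a client-held cookie session, an old cookie can be resent with its token still inside.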

Re: HEY FRIEND!

This Github issue is synchronized with Zendesk,

Zendesk ticket ID: 470
Priority:
Zendesk assignee: Social Media Group/A

Original ticket content:

HEYA! THERE!

On Mon, Sep 29, 2014 at 3:17 PM, Matthew Dunn wrote:

HEY!
