When adding the captcha component, a user could manipulate the captcha values as shown below. Could you please provide more input on how this could be avoided, so that the captcha value comes from the server instead of from the UI?
<sling:include path="<%= captchaPath %>" resourceType="foundation/components/form/captcha" replaceSelectors="captcha"/>
When the user enters data in the captcha input, the below is called for validation.
It then internally calls /libs/foundation/components/form/captcha/captchavalidation.png.jsp
Here we see that the user input is validated on the :cq:captchakey. Using browser techniques we could edit the value of the key, and then it validates only against that.
So the cq:captchakey can be manipulated, as it does not come from the server.
String captchakey = slingRequest.getParameter("id"); // This is the value coming from browser input, if I am correct
String captchaUserValue = slingRequest.getParameter("captchaUserValue");
String captchacurrent = (Text.md5("" + (captchakey + mins))).substring(1, 6);
String captchaold = (Text.md5("" + (captchakey + minsold))).substring(1, 6);
The out-of-the-box Captcha component seems to have limitations, as you pointed out. If you want to run on the server, I would recommend that you build a custom one using a 3rd-party solution, such as:
http://simplecaptcha.sourceforge.net/
Because this is a Java API for generating these values, you can build it as an OSGi.
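
One way to keep the captcha value on the server, shown as an added example that is not from the original thread, from AEM, or from SimpleCaptcha: the server picks a random answer, stores it under an opaque id, and validates once against the stored value, so editing the id in the browser cannot change what the input is checked against. The class and method names and the two-minute lifetime are assumptions.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Locale;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Added example, all names hypothetical: the answer is chosen and kept on the server.
public class ServerSideCaptcha {
    private static final String ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789";
    private static final long TTL_MILLIS = 2 * 60 * 1000L; // assumed lifetime
    private static final class Challenge {
        final String answer;
        final long expiresAt;
        Challenge(String answer, long expiresAt) { this.answer = answer; this.expiresAt = expiresAt; }
    }
    private final SecureRandom random = new SecureRandom();
    private final Map<String, Challenge> pending = new ConcurrentHashMap<>();

    // Creates a challenge and returns the opaque id, the only value sent to the browser.
    public String issue() {
        long now = System.currentTimeMillis();
        pending.values().removeIf(c -> now > c.expiresAt); // drop abandoned challenges
        StringBuilder answer = new StringBuilder();
        for (int i = 0; i < 5; i++) {
            answer.append(ALPHABET.charAt(random.nextInt(ALPHABET.length())));
        }
        String id = new BigInteger(128, random).toString(16);
        pending.put(id, new Challenge(answer.toString(), now + TTL_MILLIS));
        return id;
    }

    // For the server-side image renderer only; the text never travels as a parameter.
    public String answerFor(String id) {
        Challenge c = (id == null) ? null : pending.get(id);
        return (c == null) ? null : c.answer;
    }

    // Single use: the challenge is removed whether or not the submitted value matches.
    public boolean validate(String id, String userValue) {
        Challenge c = (id == null) ? null : pending.remove(id);
        if (c == null || userValue == null || System.currentTimeMillis() > c.expiresAt) {
            return false;
        }
        return MessageDigest.isEqual(c.answer.getBytes(StandardCharsets.UTF_8),
                userValue.trim().toUpperCase(Locale.ROOT).getBytes(StandardCharsets.UTF_8));
    }
}
```

With more than one publish instance, the in-memory map would need to be replaced by a shared store, or requests pinned to the instance that issued the challenge.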