The captcha on the blog can be bypassed when posting comments
Level 4
October 30, 2015
Solved


When adding the captcha component, a user could manipulate the captcha values as shown below. Could you please provide more input on how this could be avoided, so that the captcha value comes from the server instead of from the UI?

<sling:include path="<%= captchaPath %>" resourceType="foundation/components/form/captcha" replaceSelectors="captcha"/>


When the user enters data in the captcha input, the following is called for validation.
This internally calls /libs/foundation/components/form/captcha/captchavalidation.png.jsp

Here we see that the user input is validated against the :cq:captchakey. Using browser techniques we could edit the value of the key, and then it validates only against that.

So the cq:captchakey can be manipulated, as it does not come from the server.



String captchakey = slingRequest.getParameter("id"); // This is the value coming from browser input, if I am correct
String captchaUserValue = slingRequest.getParameter("captchaUserValue");

String captchacurrent = (Text.md5("" + (captchakey + mins))).substring(1, 6);
String captchaold = (Text.md5("" + (captchakey + minsold))).substring(1, 6);
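The weakness described in the post, modelled as an added example (this is not the AEM component's code and not code from the poster). It assumes that Text.md5 returns a lowercase hex MD5 digest, that mins is a minute counter with minsold = mins - 1, and that the request carries both the key (id) and the answer (captchaUserValue), which is what the snippet above shows. Because the key is client-supplied, whoever sends the request can compute the expected answer without ever seeing the image. The second half shows the fix the question asks for: the key is generated and kept on the server, the browser only receives an opaque token, and the challenge is consumed on first use.

```python
import hashlib
import hmac
import secrets
import time


def captcha_digest(key: str, mins: int) -> str:
    """Model of Text.md5("" + (key + mins)).substring(1, 6): hex MD5, characters 1..5.
    Assumption: Text.md5 yields a lowercase hex string like hashlib's hexdigest()."""
    return hashlib.md5(f"{key}{mins}".encode("utf-8")).hexdigest()[1:6]


def current_minute() -> int:
    """Assumed minute counter standing in for the page's 'mins'."""
    return int(time.time() // 60)


def validate_as_posted(request_params: dict, mins: int) -> bool:
    """Validation as the post describes it: key AND answer both come from the request."""
    key = request_params.get("id", "")
    user_value = request_params.get("captchaUserValue", "")
    current = captcha_digest(key, mins)
    old = captcha_digest(key, mins - 1)          # minsold assumed to be the previous minute
    return user_value in (current, old)


def forge_request(chosen_key: str, mins: int) -> dict:
    """Attacker side: pick any key, derive the answer the server will accept for it."""
    return {"id": chosen_key, "captchaUserValue": captcha_digest(chosen_key, mins)}


class ServerSideCaptcha:
    """Hardened variant (added here, not the AEM component): the key never leaves the server.
    Assumption: an in-memory dict stands in for whatever session/JCR store a real deployment uses."""

    def __init__(self) -> None:
        self._challenges: dict = {}            # opaque token -> (secret key, minute issued)

    def issue(self, mins: int) -> tuple:
        """Create a challenge. Returns the token for the form and the text the image would show."""
        token = secrets.token_urlsafe(16)
        key = secrets.token_hex(16)             # unguessable, server-only
        self._challenges[token] = (key, mins)
        return token, captcha_digest(key, mins)

    def validate(self, request_params: dict, mins: int) -> bool:
        token = request_params.get("id", "")
        entry = self._challenges.pop(token, None)   # one-shot: a token cannot be replayed
        if entry is None:
            return False                            # unknown or already-used token
        key, issued = entry
        if not 0 <= mins - issued <= 1:
            return False                            # same tolerance as current/old minute
        expected = captcha_digest(key, issued)
        return hmac.compare_digest(request_params.get("captchaUserValue", ""), expected)


if __name__ == "__main__":
    now = current_minute()
    # Weak scheme: the forged request passes without the attacker seeing any image.
    print("forged request accepted:", validate_as_posted(forge_request("anything", now), now))
    # Hardened scheme: the forged request fails, the real answer passes once, replay fails.
    server = ServerSideCaptcha()
    print("forged vs server-side:", server.validate(forge_request("anything", now), now))
    token, answer = server.issue(now)
    print("genuine answer:", server.validate({"id": token, "captchaUserValue": answer}, now))
    print("replay:", server.validate({"id": token, "captchaUserValue": answer}, now))
```

The point of the hardened class is not the digest but where the key lives: the request may still carry an id, but that id is a lookup handle, and the value the answer is checked against is something the client never chose. Whichever captcha library is used, it is that property, plus single use and an expiry, that closes the bypass.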



 


1 reply

Aem-user1 (Accepted solution)
Level 2
October 30, 2015

The out-of-the-box Captcha component seems to have limitations, as you pointed out. If you want to run it on the server, I would recommend that you build a custom one using a 3rd-party solution, such as:

http://simplecaptcha.sourceforge.net/

Because this is a Java API for generating these values - you can build it as an OSGi.