I am maintaining a page developed by someone else. I have noticed that the forms are secured by some kind of image CAPTCHA, which is generated every time a user enters the page. The CAPTCHA value is stored in a hidden input named check, and the value entered by the user is compared with the value from that hidden input after the form is submitted.
I have tried using cURL to read the page and parse the CAPTCHA from that hidden input.
<?php
require_once 'simple_html_dom.php'; // PHP Simple HTML DOM Parser, provides str_get_html()

// Fetch the page that renders the form
$curl = curl_init();
curl_setopt($curl, CURLOPT_URL, "http://example.com/form/");
curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
$result = curl_exec($curl);

// Read the CAPTCHA answer straight out of the hidden input
$html = str_get_html($result);
$captcha = $html->find('input[name=check]');
var_dump($captcha[0]->value);

// Re-use the same handle (same URL) to POST the form, echoing the answer back
curl_setopt($curl, CURLOPT_POST, true);
curl_setopt($curl, CURLOPT_POSTFIELDS, array(
    "name" => "Joe",
    "telephone" => "1423456789",
    "message" => "Lorem ipsum",
    "auth" => $captcha[0]->value,
    "check" => $captcha[0]->value,
    "submit_f1" => "Send"
));
$result = curl_exec($curl);
curl_close($curl);
Running the above script results in a successful form submission. What is more, I have noticed that I can simply overwrite the auth and check values in the POST array:
"auth" => 123,
"check" => 123,
and the form is submitted successfully as well.
I realize that there is no 100% safe method to secure forms, but how can I protect my form a little more and make automated submission a little harder?
The idea behind any challenge-response system is that you keep the response (the code) hidden and only show the challenge (the image).
You would typically use a session to accomplish this; you store the response in the session and show only the challenge. Once the correct response is entered you can clear the response session variable to prepare the system for the next challenge.
The following code only serves to illustrate the idea.
Showing CAPTCHA
Validating CAPTCHA
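The answer's own listing did not survive on this page, so here is an added example (not the answer author's code, not the questioner's form) of the session-based scheme the answer describes. It assumes PHP 7+ with the GD extension, that the file is served as captcha.php and routed by an action query parameter, and that the form field is still called auth as in the question; the field names, the 300-second lifetime and the image size are choices made for the example.

```php
<?php
// Added example: CAPTCHA whose answer lives only in the server-side session.
// Assumed layout: captcha.php?action=form | image | check
session_start();

const CAPTCHA_LENGTH = 6;
// Alphabet without 0/O and 1/I, which are easy to confuse in an image.
const CAPTCHA_ALPHABET = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789';

// Create a fresh challenge, store the response in the session, return it
// so the image renderer can draw it. Nothing about it reaches the HTML.
function captcha_generate(): string {
    $code = '';
    $max = strlen(CAPTCHA_ALPHABET) - 1;
    for ($i = 0; $i < CAPTCHA_LENGTH; $i++) {
        $code .= CAPTCHA_ALPHABET[random_int(0, $max)]; // CSPRNG, not rand()/mt_rand()
    }
    $_SESSION['captcha'] = $code;
    $_SESSION['captcha_time'] = time();
    return $code;
}

// Render the challenge as a PNG with some light line noise.
function captcha_image(string $code): void {
    $img = imagecreatetruecolor(160, 50);
    $bg = imagecolorallocate($img, 255, 255, 255);
    $fg = imagecolorallocate($img, 0, 0, 0);
    imagefilledrectangle($img, 0, 0, 159, 49, $bg);
    for ($i = 0; $i < 6; $i++) {
        $c = imagecolorallocate($img, random_int(150, 220), random_int(150, 220), random_int(150, 220));
        imageline($img, random_int(0, 159), random_int(0, 49), random_int(0, 159), random_int(0, 49), $c);
    }
    imagestring($img, 5, 20, 17, $code, $fg);
    header('Content-Type: image/png');
    header('Cache-Control: no-store'); // a cached image would desync from the session
    imagepng($img);
    imagedestroy($img);
}

// Compare the submitted answer with the session copy. The challenge is
// consumed on every attempt, right or wrong, so it cannot be brute-forced
// or replayed; a stale challenge (older than $ttl seconds) is rejected.
function captcha_check(?string $answer, int $ttl = 300): bool {
    $expected = $_SESSION['captcha'] ?? null;
    $issued = $_SESSION['captcha_time'] ?? 0;
    unset($_SESSION['captcha'], $_SESSION['captcha_time']);
    if ($expected === null || $answer === null) {
        return false;
    }
    if (time() - $issued > $ttl) {
        return false;
    }
    return hash_equals($expected, strtoupper(trim($answer))); // constant-time compare
}

switch ($_GET['action'] ?? 'form') {
    case 'image':
        captcha_image(captcha_generate());
        break;
    case 'check':
        echo captcha_check($_POST['auth'] ?? null) ? 'OK: message accepted' : 'CAPTCHA failed';
        break;
    default:
        // The form carries the image and the answer field only: no hidden "check" input.
        echo '<form method="post" action="?action=check">'
           . '<img src="?action=image" alt="CAPTCHA"> '
           . '<input name="auth" autocomplete="off"> '
           . '<button type="submit">Send</button></form>';
}
```

The point of the design, compared with the form in the question, is that the client never receives the response: a script that fetches the form gets only a PNG, and overwriting auth in the POST body no longer helps because the comparison is against $_SESSION, which the client cannot write. Clearing the session entry on every check, not only on success, is what stops an attacker from fetching one image, solving it once, and replaying that answer for many submissions.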