RSS RSS feed | Atom Atom feed
Popular Articles: Tom Riddle's Magical Diary | AJAX Lego Robot | AJAX CAPTCHA | SQL Multisets

Using AJAX to deter Hackers - AJAX Security Part 2 of 3

How a Hacker operates

A spammer or a hacker do one simple thing while trying brute force to try to login to your site. They send an HTTP post crafted with the proper form elements and data without nessecary having viewed the actual login screen and form. Each time with a new password.
On the otherhand, what average Joe does is to first view your login page, type in his username and password...letter by letter.

Using AJAX to detect keystrokes

With some javascript and XMLHttpRequest we can simply send a small notice back to the server whenever Joe presses a keyboard button.


When the server receives a form submission from the client, the following can be detected

  1. Keys were pressed.
  2. Time differences between keystrokes.
If there are no key strokes in the session, or time differences between key strokes are in the order of what is humanly impossible, reject the login attempt.
Really fast typers can type in speeds of 20-30 characters a second, which is around 30-40 ms between keystrokes.
Argubable a hacker or spammer can simulate all this, but at their expense of higer bandwidth and processing power, which will avert them to spam or hack someone else less protected.
The argument of sending each mouse movement in Using AJAX for Image Passwords is now clear. The same keystroke / time delay detection can be applied using image passwords as well.

Try it!

Below is a simple login screen. To login as a human, type in the password apple and press Human Login.

If you press Computer Login, a small script will simulate sending off keystrokes in a very short period of time. The script on the server side will detect if it was you or your browser that was trying to login.




Time Twists

To boost things up further, it's possible to file the time between keystrokes while first entering your password. Next time you login the password on file along with a time delay pattern have to match to succesfully login.

More Buttons

Yet another way to boost security is by using the SHIFT, CTRL and other similar buttons as a "letter" in the password. Regular HTML forms does not support this. A javascript can detect that e.g. only SHIFT was pressed and would enocode it into the password string in a special way.

Source Code

Available here

Part 3, boosting security yet

Part 3 will discuess how it's possible to avoid having bots trying to login. Part 3 can be found here here
slashdot digg del.icio.us technorati [more]



Re: Using AJAX to deter Hackers - AJAX Security Part 2 of 3

Very nice series of articles, thanks for the ideas. I have to admit, I consider myself a slow typist, but with my regular typing pattern the server considered me a computer (or rather superman, kind of flattering). But I guess the sensitivity can be adjusted.

Re: Using AJAX to deter Hackers - AJAX Security Part 2 of 3

How about users that choose to copy and paste their username and password?

Re: Using AJAX to deter Hackers - AJAX Security Part 2 of 3

Re: Using AJAX to deter Hackers - AJAX Security Part 2 of 3

If you first try the computer option, then copy-and-paste the password over the generated one, then click OK, then it thinks you are human...

Add a comment Send a TrackBack