vb.org Archive

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vBulletin 3.6 Add-ons (https://vborg.vbsupport.ru/forumdisplay.php?f=194)
-   -   Mini Mods - Harmor's Bot Protection (https://vborg.vbsupport.ru/showthread.php?t=144719)

harmor19 04-12-2007 10:00 PM

Harmor's Bot Protection
 
Here is a demo

Let me explain how this works.

On the registration page a potential user has to enter a random character of a word.
I have done something different though. It randomly selects a username from the database to be used as the word.

Some of you may be asking "Can you explain how it does the checking"?
On the registration page I have a hidden form that contains a hashed version of the correct character. After the form is submitted it checks the hashed version of the character you typed against the correct hash.

If you installed this hack you can enable it by going to
vBulletin Options --> User Registration Options
The option to enable/disable the feature and to add your own hash are at the bottom.


If you are upgrading this hack you'll need to edit the "register" template.

Go to your ACP >> Styles & Templates >> Style Manager
Expand the template you want to edit.
Expand the Registration Templates category

Open: register
Find:
HTML Code:

What is the first character of <b>$ahbot[username]</b>?
Replace with:
HTML Code:

What is the $char_loc character of the word <b>$ahbot[username]</b>?

harmor19 04-13-2007 01:31 AM

If you find any way that bots can get pass this please tell me.

BlackScorpion3 04-13-2007 01:40 AM

Nice....I may use this at a later date.......

rjmjr69 04-13-2007 02:27 AM

Nice, I like it: simple and surely should be effective.
Feature request
Can you make it so the amount of required text can be adjusted? So, say, instead of just the first letter it could be the first 2 or 3, etc.? The only problem I see with that is the length of the username that gets picked to display: say the username that is showing at registration is only 3 characters long but it's set to require the first 4. Something that can be worked around?

I like how this does not require making a custom profile field; I hate making those.

Shazz 04-13-2007 02:28 AM

Creative, Nice, Excellent. Not much more to say :)
* Shazz won't use it but had to take a peek :)

Queball_Beast 04-13-2007 03:35 AM

Sweet idea, I'll be installing this after work tomorrow :)

Clicks install :D

PoetJA-1975 04-13-2007 07:09 AM

Nice mod - thanks for sharing!

Jacquii.

harmor19 04-13-2007 07:20 AM

Quote:

Originally Posted by rjmjr69 (Post 1226396)
Nice, I like it: simple and surely should be effective.
Feature request
Can you make it so the amount of required text can be adjusted? So, say, instead of just the first letter it could be the first 2 or 3, etc.? The only problem I see with that is the length of the username that gets picked to display: say the username that is showing at registration is only 3 characters long but it's set to require the first 4. Something that can be worked around?

I like how this does not require making a custom profile field; I hate making those.

I thought of that too but I think that randomly selecting the character would be better.

Thanks everyone.

projectego 04-13-2007 08:01 AM

Looks good. Thanks! ;)

* projectego clicks install

Pyrix 04-13-2007 12:09 PM

Sorry, but this is incredibly easy to bypass - in fact I can think of two ways that this can be done...

MD5 Hash Table.
I could easily create a small array of hashes for each 'possible' answer. As the chances are that most of the time the character will be alphanumeric, I will only need A-Z, a-z and 0-9. All I have to do is hash each of these letters in turn and store them in a small array (62 cells).

For example

$answer['0cc175b9c0f1b6a831c399e269772661'] = 'a'; // md5('a')
$answer['92eb5ffee6ae2fec3ad71c777531578f'] = 'b'; // md5('b')

Now all I have to do is look up the value stored in the array with the key that matches your 'hidden field' value and put that letter in the field.

Look at the webpage
Alternatively, I could just look at the webpage. Unless I'm missing something, you give me the username in plain text. All I have to do is look for the value given after 'What is the first character of '?

This is the very reason that vBulletin uses CAPTCHA - it's an image so cannot just be 'read' in this way.

You may however get some 'security through obscurity' - bots need to know about your hack before they know what to do. But that would only take time and popularity.

Sorry to rip it apart so badly, but you did ask if there was any way bots could get past it.

Keep at it :)

Ollie

Pyrix 04-13-2007 12:12 PM

Just thinking, you may be able to secure it a little more by appending the vbulletin license number (or a random string stored in vb options) to the character before you hash it (both times). This is known as 'salting', and would make the 'MD5 hash table' bypass much, much harder. You might want to Google that and read up on it :)

Don't know what you can do about the other thing though - you could turn it into an image but then what advantage does it give over vb's default captcha?

harmor19 04-13-2007 01:19 PM

Can bots read the source code?

DiSpy 04-13-2007 01:41 PM

Pyrix is right, salting the hash would work wonders... may I suggest letting the admins choose their own salt in the admin CP. That way each board has its own salt.

The second issue, about the bot automatically "looking at the webpage" for a value, can also be solved using the admin CP. Just let users customize the question in their own words, and customize the title (where it says "Harmor's Bot Protection" and "What is the first character of" in the screen shot).

Also, I was thinking... how hard would it be to allow the admin to choose EITHER the 1st, 2nd or 3rd character the users should enter (set via admin CP)? This would make it at least not exactly the same on all boards, and since vB has min usernames set at more than 3, it should always work.

Just my $0.02 cents.

harmor19 04-13-2007 02:22 PM

Hopefully I increased the security of this hack. It now selects a random character instead of asking the user to enter the first character.

Here is a snippet of code I added.
PHP Code:

if (empty($vbulletin->options['harmor_bot_protection_hash']))
{
    // fall back to a built-in value when the admin has not set one in vBulletin Options
    $vbulletin->options['harmor_bot_protection_hash'] = "gwetg7gaswegty7sawfrtq2w6t";
}

// $ah_rand is the randomly chosen 1-based position; take that character of the username
$word = $ahbot['username'][$ah_rand - 1];
// hash the character, then hash again with the board's secret appended (the "salt")
$hash = md5(md5($word) . $vbulletin->options['harmor_bot_protection_hash']);

The screenshot has been updated as well. Attachment 63065
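Added illustration, not code from the hack or from anyone in this thread: a Python model of the hidden-field check that shows why Pyrix's 62-entry table inverts the unsalted md5 of one character, and what the md5(md5($word).salt) form in the snippet above changes. BOARD_SALT is a constructed value; DEFAULT_SALT is the fallback from the snippet.

```python
import hashlib
import hmac
import string

# Candidate answers a bot would enumerate: A-Z, a-z, 0-9 (62 entries, as counted in the thread)
ALPHABET = string.ascii_letters + string.digits

DEFAULT_SALT = "gwetg7gaswegty7sawfrtq2w6t"  # the fallback value shipped in the snippet above
BOARD_SALT = "example-per-board-secret-42"   # constructed: a salt an admin might set in the ACP


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def pick_answer(username: str, position: int) -> str:
    """Character the visitor must type: spaces are stripped first (as the 04-14 update does,
    so "no gas" becomes "nogas"); position is 1-based like $ah_rand."""
    return username.replace(" ", "")[position - 1]


def unsalted_token(char: str) -> str:
    """Original hidden-field value: md5 of the single answer character."""
    return md5_hex(char)


def salted_token(char: str, salt: str) -> str:
    """Revised hidden-field value from the snippet above: md5(md5(char) . salt)."""
    return md5_hex(md5_hex(char) + salt)


def reverse_table(token_fn) -> dict:
    """What the 'MD5 hash table' bypass precomputes: token -> answer for every candidate."""
    return {token_fn(c): c for c in ALPHABET}


def server_check(submitted: str, hidden: str, salt: str) -> bool:
    """Server-side verification for the salted scheme, using a constant-time compare."""
    return hmac.compare_digest(salted_token(submitted, salt), hidden)


def demo():
    answer = pick_answer("no gas", 3)  # 'g'
    # 1. Unsalted: a 62-entry table inverts the hidden field outright.
    leaked = reverse_table(unsalted_token).get(unsalted_token(answer))
    # 2. Salted with the shipped default: that value is public, so the table is simply rebuilt.
    default_tbl = reverse_table(lambda c: salted_token(c, DEFAULT_SALT))
    leaked_default = default_tbl.get(salted_token(answer, DEFAULT_SALT))
    # 3. Salted with a per-board secret: a table built without it does not contain the token.
    hidden = salted_token(answer, BOARD_SALT)
    not_leaked = default_tbl.get(hidden)
    return answer, leaked, leaked_default, not_leaked, server_check("g", hidden, BOARD_SALT)
```

The salt helps only while it stays secret: the shipped default is known to anyone who has the hack, and salting does nothing about the username being printed in plain text on the registration page.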

Mr Chad 04-13-2007 04:20 PM

Quote:

Originally Posted by harmor19 (Post 1226696)
Can bots read the source code?


Of course they can...

They filter through the source to find hashes so they can do things (and the hashes were made to stop them).

harmor19 04-13-2007 04:29 PM

Quote:

Originally Posted by Mr Chad (Post 1226844)
Of course they can...

They filter through the source to find hashes so they can do things (and the hashes were made to stop them).

Thanks for answering my question.

smess 04-13-2007 09:53 PM

What happens, for example, if people have a space in their name, so the username is "no gas", and you ask for the third letter? Is it g or space, etc.?

harmor19 04-13-2007 10:06 PM

Quote:

Originally Posted by smess (Post 1227041)
What happens, for example, if people have a space in their name, so the username is "no gas", and you ask for the third letter? Is it g or space, etc.?

I didn't take that into account. I'll update the hack soon. Thank you for pointing that out.

harmor19 04-14-2007 07:14 AM

Quote:

Originally Posted by smess (Post 1227041)
What happens, for example, if people have a space in their name, so the username is "no gas", and you ask for the third letter? Is it g or space, etc.?

I have updated the hack to remove spaces in usernames. "no gas" becomes "nogas".

TeamDevotion 04-16-2007 04:12 AM

Isn't this the point of image verification?

harmor19 04-18-2007 01:44 PM

Quote:

Originally Posted by TeamDevotion (Post 1228754)
Isn't this the point of image verification?

Yes, but sometimes the image verification can be hard to read.

