joomla-cms
[5.1] A simple Captcha, which not every AI can solve
Summary of Changes
Implementing a simple math captcha, independent from external services. To solve the captcha, the user should do some math (it is a simple addition for now).
Testing Instructions
Go to Extensions => Discover, install the new plugin, and enable it as the default captcha (in global configuration).
Go to password reset (or any other form that uses captcha). Try submitting the form without a solution, then with valid and invalid values.
Actual result BEFORE applying this Pull Request
Nothing
Expected result AFTER applying this Pull Request
Works
Link to documentations
Please select:
- [ ] Documentation link for docs.joomla.org:
- [ ] No documentation changes for docs.joomla.org needed
- [ ] Pull Request link for manual.joomla.org:
- [ ] No documentation changes for manual.joomla.org needed
Just wrote a mini scraper in Node.js and was easily able to obtain the question and calculate the answer.
Seeing as it's text based, it might be worth doing something similar to that of <joomla-hidden-mail>.
If we can't have something useful like a schema plugin in core, how can we have this?
it might be worth doing something similar to that of joomla-hidden-mail
hmhm, yea, some random markup could really be an improvement
how can we have this?
You are saying it is not a good thing? Thank you very much :)
@fedik I am not saying that at all. Just asking how we can have this and reject other stuff
That is a philosophical question, which life throws at us every day :)
For now, we do not have "this" either ;) It is just an idea that I have seen on other sites, and I thought that it is not that bad for a very basic captcha. Can probably combine with "honeypot", will see.
@brianteeman are you referring to this one, #42710, right?
in my view remove all captcha from core +
This plugin would be a great benefit for the JED
if our goal is to have a lighter core...
anyway, always hard to have a common opinion on this "dark matter" imho 😃
Just a suggestion to check the answer by using the onDisplay function, maybe the following is useful?
```php
/**
 * Render the captcha input. Name and id are escaped so that they are safe
 * inside HTML attributes; autocomplete is off so browsers do not prefill the answer.
 */
public function onDisplay($name = null, $id = 'jform_captcha', $class = '')
{
    $html = '<input type="text" name="' . htmlspecialchars((string) $name, ENT_QUOTES, 'UTF-8')
        . '" id="' . htmlspecialchars((string) $id, ENT_QUOTES, 'UTF-8')
        . '" class="form-control validate-number required" autocomplete="off" required>';

    return $html;
}
```
It is already in use within display(), to render the input. onDisplay is an old thing; in Joomla 5 we have a new API for Captcha, and the old onDisplay() changed to display(): https://manual.joomla.org/docs/building-extensions/plugins/captcha-plugin
@fedik Thanks for the information.
@C-Lodder let's hack it again now :wink:
I don't understand what the input should be. Should the calculation be to add the two values - minus the value to enter to equal 2?
I left the value blank and I don't get an error message under Forgot your password?
hmhm, 237+4=241, maybe I need to add dots, "2...", when one needs to enter half of the solution?
hmhm, 237+4=241, maybe I need to add dots, "2...", when one needs to enter half of the solution?
Maybe "2 _ _"? So the solution would be 41 and not 241?
hmhm, I think "..." or "__" can confuse even more :smile:
I made it with a different text, maybe that is a bit better.
I'm trying to test, but I do not see the sum with the input field.
The result is visible in debug mode. This seems undesirable to me.
The result is visible in debug mode
That is fine, who can see your debug on a live site? :wink:
I'm trying to test, but I do not see the sum with the input field.
Did you make it work? I guess something is missing while applying the PR patch.
That is fine, who can see your debug on live site? 😉
That's something to discuss. But there is a simple solution, by adding .secret
Line 151-...
```php
$this->app->getSession()->set($this->sessionKey . '.result.secret', $solution);
$this->app->getSession()->set($this->sessionKey . '.idx.secret', $this->inputIdx);
```
That is fine, who can see your debug on live site? 😉
It happens sometimes, read: Joomla Community Magazine - How my new Joomla 4 website got hacked
At the end (below the article):
... that her hacked website also was in debug mode
Maybe, but it is just a captcha :smile: I will look
I have updated the code, now it is hidden in the debug bar
Did you make it work? I guess something missing while applying the PR patch.
No :sweat:
Source code: no input field visible
```html
<input type="email" inputmode="email" name="jform[email]" class="form-control validate-email required" id="jform_email" value="" size="30" autocomplete="email" required>
    </div>
</div>
<div class="control-group">
    <div class="control-label">
        <label id="jform_captcha-lbl" for="jform_captcha" class="required">
            Captcha<span class="star" aria-hidden="true"> *</span>
        </label>
    </div>
    <div class="controls">
    </div>
```
Please check whether the plugin is enabled, maybe you unpublished it by accident. And whether all PHP plugin files are present:
layouts/plugins/captcha/math/mathcaptcha.php
libraries/src/Captcha/Captcha.php
plugins/captcha/math/math.xml
plugins/captcha/math/services/provider.php
plugins/captcha/math/src/Extension/Math.php
plugins/captcha/math/src/Provider/MathCaptchaProvider.php
Please check whether the plugin is enabled, maybe you unpublished it by accident. And whether all PHP plugin files are present:
Fixed. The first two files from the list were not present. I have now added this.
608 + 8 = 6 -> 608 + 8 = 616, so 16 is correct, as appears from the test
608 + 8 = 6 -> 608 + 8 = 616, so 61 is NOT correct, as appears from the test
I think a lot of people have trouble finding the right answer. If they already understand what exactly the intention is.
I think a lot of people have trouble finding the right answer
Yeah, nowadays it is hard to do math without a calculator :smile: It is also a pro, it gives time to think before submitting the form :wink:
And, as you may have noticed, it is random. Sometimes the user needs to enter the full number, and sometimes only the remaining digits.
Yeah, nowaday it hard to do math without calculator
Completely agree, although this may differ per country. The following sum can be solved by most, in which one number is a multiple of 10 and the other number is between 0 and 9.
The question is whether such a captcha provides sufficient protection against external digital access by ensuring that only a person with the correct password can open the account?
The larger the range of the number to be entered, the smaller the chance of guessing the number.
The riddle updates on each request, and resets on each submit. There are also some other "invisible for human" things happening to confuse a regular bot. I do not think someone will brute-force the captcha.
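The riddle behaviour described in the thread (random full-number vs. remaining-digits mode, a new riddle on each request, the stored solution consumed on submit) together with the earlier ".secret" session key suggestion, as an added PHP sketch that is not the PR's own code. It uses a plain array in place of Joomla's session API; the key name, the hint text and the fixed 608 + 8 demo values are assumptions for this example.

```php
<?php
declare(strict_types=1);

/** Illustration only: a plain array stands in for Joomla's session object. */
final class MathRiddle
{
    // Hypothetical key; the ".secret" suffix follows the thread's suggestion
    // for keeping the solution out of the debug bar (not verified here).
    private const KEY = 'plg_captcha_math.result.secret';

    /**
     * Build a new riddle on every request. Operands and mode are random unless
     * given (fixed values are only for the demo below). Mode 0 expects the whole
     * sum; mode 1 shows the first digit as a hint and expects the remaining digits.
     */
    public static function generate(array &$session, ?int $a = null, ?int $b = null, ?int $mode = null): string
    {
        $a    ??= random_int(10, 999);
        $b    ??= random_int(1, 9);
        $mode ??= random_int(0, 1);
        $sum   = (string) ($a + $b);

        // Thread example: "608 + 8 = 6..." expects "16", not "61" and not "616".
        $session[self::KEY] = $mode === 1 ? substr($sum, 1) : $sum;

        return $mode === 1
            ? sprintf('%d + %d = %s... (enter the missing digits)', $a, $b, $sum[0])
            : sprintf('%d + %d = ? (enter the whole number)', $a, $b);
    }

    /** Verify an answer; the stored solution is consumed whether it matches or not. */
    public static function check(array &$session, ?string $answer): bool
    {
        $expected = $session[self::KEY] ?? null;
        unset($session[self::KEY]);            // reset on submit: one try per riddle
        if ($expected === null || $answer === null || $answer === '') {
            return false;                      // no riddle issued, or nothing entered
        }
        return hash_equals($expected, trim($answer));
    }
}

// Demo with the thread's example; a fresh riddle is issued before each check.
$session = [];
foreach ([['16', true], ['61', false], ['616', false], ['', false]] as [$answer, $want]) {
    MathRiddle::generate($session, 608, 8, 1);
    if (MathRiddle::check($session, $answer) !== $want) {
        throw new RuntimeException("unexpected result for answer '$answer'");
    }
}
echo MathRiddle::generate($session), PHP_EOL;   // a random riddle, e.g. "237 + 4 = 2..."
```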
I have tested this item :red_circle: unsuccessfully on a006b7a5c70649a5f71ee4cf95f99d8e69dac639
I entered an invalid value and could nevertheless submit the form.
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/42777.