Add a Honeypot to Your Forms 🐝
ฝัง
- เผยแพร่เมื่อ 16 ก.ย. 2024
- Learn how to add a Honeypot to your forms 🐝
💖 Support me on Patreon ➜ / davegray
💻 Web Dev Roadmap for Beginners (Free!): bit.ly/DaveGra...
🚀 Discord ➜ / discord
👇 Follow Me On Social Media:
GitHub: github.com/git...
X: / yesdavidgray
LinkedIn: / davidagray
Blog: www.davegray.c...
Another defensive approach is using the infamous 'are you a robot' questionnaire 😂
And the bot is from Google 🗿 can bypass “Are you robot?” Because they own the server
You don't want to ruin customer experience
and hide it
@@FirstnameLastname-cl4opxD
Googles ReCaptcha is only around $0.003 per solve, if you pay someone to do it. This includes the invisible ReCaptchas.
A few things about honeypots I learned over the years:
-) Don't got name="honeypot" or something along the lines, bots can filter that. Same with style="display:none".
-) It's not 100%. Depending on the quality of the bot, they can detect if a field is visible or not.
-) Auto-Fill could (not sure if modern browsers still do that) fill the field even if it's a legitimate user. This makes finding a name and label a bit harder, since best case is that it looks like a legitimate field so more sophisticated bots don't notice the pot outright, while at the same time choosing something that won't get auto-filled by the browser.
-) Honeypot is just one of many ways to prevent bots. Especially if it is a targeted attack it does nothing. From a security standpoint, treat it like a sign on the front-yard that says "don't come in please!": Best combined with other measures.
All good tips!
An approach that bots cannot flag down is setting the field's position to fixed and moving it to negative coordinates so the user can never see it.
@@the_agent_z Couldn't the bot just check if the position value is negative?
How do you prevent users with screenreaders from accidentally filling the honeypot input?
@Rocco-tb9ih ofc bots can detect that but the thing is this is not so common so average bots arent programmed to handle this so you are basically outsmarting the bot cuz the hidden field nowadays is an old trick almost every bot detects it and doesnt fall to the trap this one is a little bit just a little bit safer but still as the guy commented you need other measurements
Bonus points if the hidden field is an "I am a robot" checkbox
😆
I think you're onto something.
Smooth advice as always. Thanks, Dave.
Damn, this just expanded my horizons. Good tip.
"And now u know what to do when....building a spam bot"
😆
It's all about reducing the number of bots but not eliminating it
Element API: checkVisibility
@@ShortFilmVD It can have zero size but still be technically visible, as it was rendered
@vilkillian quite right, better to simply use a headless browser and tab through the focusable inputs. If the honeypot is able to be focused and filled this way the form would also disadvantage users of screen readers.
I recently learned about such a field but regarding time to fill the form out. Bots are much faster than most humans. Taking time after first load to submission into account can reduce spam even more
Password managers, though!
@@_KrakenDeveven with a password manager you’re orders of magnitude slower
We’re talking 300ms vs 1.5 seconds
can't the bot slow itself down, like fills a field every 500ms ?
Back in the early 2010s this was stupidly effective against spam bots. I am surprised at how long I got away with it and nothing else for spam mitigation. Eventually I added a login system and other features to mitigate but man you could ride that for years back then.
That sounds pretty easy to detect/bypass, you could instead make the textbox very small and match the colour of the background. I'm sure a majority won't be able to catch that. But then again, if the attack is targeted, it's very easy to just write site-specific automation tests.
I like that this still allows hobbyist web scrapers in (who would probably only be filling in the visual fields)
Actually very smart 👏🏻.
Awesome, thank you for the information!
one of my approach is to prevent pasting into the field and listen to input keyup event, if the time difference between chars are to fast, i detect it as a bot,
This is why i love watching your videos! Unique topics. Thanks Dave!
first time i see a short of yours
thank you Dave!
Just want to say thank you for your content. I'm currently working my way through your react tutorial, great stuff.
You're welcome!
Smart and glance! Thanks for the tip
This is a genius solution ❤. Best TH-cam teacher for webdev. I have learned so much from you sir. Thank you for such beautiful content.
You are most welcome!
simple and to the point, thank you :)
Amazing. I am following you since the beginning of my dev career. Every video and lecture has been so helpful. Thank you sir.
Very easy to bypass with bots that skip "hidden" elements and also RPA bots that use OCR to identify visual fields. But it should stop low tech bots which might be more common.
Well, the more processing a spam bot has to do, the less efficient it becomes.
You’d need to check the css and maybe even the javascript for a potential hidden element. Now the spam bot is at half speed for the 10% that actually do this.
For OCR, the bot would have to use a webbrowser, or an online service to render the page. Unless it’s a guided attack aimed at you, it’s unlikely to encounter this.
Just my wild guess tho
even if some bots bypass it it's better than if all if them do it
@@core36 OCR bots can run hundreds of browser instances per mini PC of compute. But I agree that its not something you use against just anyone.
ocr botting is pretty resource heavy no? All that to attack a random website they happened to crawl to?
@@deanwilliams433 I would disagree, even if you’re using a headless browser (which most modern webpages can detect) OCR botting is very resource intensive. As someone said, it’s not efficient unless you’re targeting someone in particular, not just a random crawler.
This is such a clever approach! You got a sub
Simple solution I never thought of
For the people watching keep in mind that this usually only works for low effort bot attacks, as you can program to avoid unknown text fields, like giving the bot the parameters that only a human would see. Now this could be played around with for instance having multiple different versions of the form, so that it requires more effort to write. But yeah that's not to discredit this idea or technique it's just further context
@@SimonWoodburyForgetfilter by visibility, scale, and position
Thank you for lettings me know. Now to fix the bot.
great resources for learners.
Learned something new today
That’s so smart, I would never have thought about that
great advice, have been doing this for 15+ years. although, I detect it in PHP and silently fail so theres no tell. it's worth logging the credentials of the request also, make sure it's not erroring out and blocking genuine ones.
Good addition!
Hope that you realize that Chrome’s autofill can also fill those honeypot fields, so you might very well be throwing away real users.
@@jeffh4581 not a huge issue, especially back when I started doing this as there wasn't really autofill as we know it today.
that's also why I name the input something that's not going to get autofilled, like a uuid type string. Also you can use autocomplete attribute set to false on inputs to prevent auto fill. (And the tab step ignore one - for accessibility)
And as mentioned, I log credentials to double check false positives and adjust based on any found. Finally my php code usually has an IP and email limiter to stop multiple submits.
Nowadays though, I usually have a csrf token on the form also.
@@jeffh4581 ok I replied explaining why this isn't an issue but it seems the powers that be (yt) have removed my reply!
So I'll just say, this isn't an issue...
Awesome info Dave!
Oh wow, this is clever. Thanks!
Holy shit this is actually really clever
I will never ever use this information in any sort of way, but that's really cool and smart
You can still determine what fields to fill in by looking at the html. Or downloading the webpage and exploring
True. If you are specifically targeted. This does reduce lots of bot traffic that doesn't specifically target your form.
That's why the reCAPTCHA exists, bots can check input fields attributes
Yeah, didn't say it would eliminate bots completely, but it will greatly reduce bot submissions.
That's interesting I've never heard that before 🤔
Thank you this is great.
I like that idea, it's very easy to implement comparing to captcha.
Thanks Dave!
But also way less effective lol
@@Pokedollar Sure
Works for the simple ones I guess but it's fairly trivial for a bot to check whether the field is set to hidden. A better solution might be to make the element appear outside the bounds of the form and turn overflow off? Still a great video and would probably block a fair few 👍
This is brilliant
Thank you, I'm making a website and this is super helpful to know before I lock it in
Glad it was helpful!
Easiest way is to use a CAPTCHA system and also feed in data profiling with AI which will make sure that very low bots pass after getting past captcha
Thank you so much. Really helpful
Popular terms like: hidden, hid, Honeypot, disable - bots will filter term out
That's a very simple but smart move. Nice.
what about accessibility? a Tab based navigation with the help of a screen reader must ignore it otherwise it generates confusion. I don't see a tabindex or something that removes it from navigation :)
Also, completely ineffective against good bots who can analyze the form structure
ohh yeah
bot was probably written in Python, send response with malformed json and eval strings then escalate.
Well now this is useful. Since i make web crawlers "for a good reason".
I respect web developers since i am also one.
I just want to automate some regular tasks.
Seems like a useful method to keep out lower end bots.
Twitter should use this stuff
Yeah, no. Users like the browsers’ autofill feature. We had a honeypot like this for 6 months before we found out that Chrome ignores “autocomplete=false” and we basically denied 50% of our users to create accounts.
Be VERY CAREFUL with this. False positives are a huge issue here.
Interesting. Sounds like a Chrome bug? I'm going to experiment with this. I agree with testing this (and everything) well before production.
Yes, Chrome is really aggressive regarding the autofill-issue
@@DaveGrayTeachesCode Unfortunately, it is not a bug. Chrome and other browsers pretty much ignore autocomplete="false" as a defacto standard, with the justification that developers should not be in control of when to allow auto-fill or not instead of users. This has created so many issues over the years where I have had to implement work-arounds for web-based CRMs and other crud apps where the user is intending to enter someone ELSE's information rather than their own.
That's hilarious 😂
@@trapfethenThis seems like a huge security issue if someone can just add hidden form elements with common identifiers from other forms and capture the default values of people's usernames and whatnot. For some reason I feel like security > browser deciding when to autofill. Hell, 90% of the time forms I want to autofill won't autofill so this just doesn't make a lot of sense to me.
Spam bots could also just send new http request and skip filling out the form in the ui? That can just be prevented by requiring a captcha
if bots can directly send requests to your API without any checks or balances, you have bigger problems
lol learned! thank you
Wow this is genius. Good job.
Super smart thank you
That's Actually pretty smart
You are a lifesaver man. 🙏🏻
This is genius, honestly
Thanks Dave
Thanks dave!
You can program the bot to bypass that also.
Of course you can. This catches most.
Wow nice, thank you sir for this good idea
I just Subscribed. Thans for the Info.
If you render the form with JavaScript and add a captcha that will reduce 99% of bots.
I want to do this and label the entry "web-crawling spambot says what?"
Pretty awesome thanks
Love this
I was wondering how to handle this!!! Thank you!
Depends if its an automated bot crawling and finding the website vs someone creating a "bot" for the specific website
True!
thanks for letting me know, i’ll fix my bot
thank you so much for the tip
As always the best..!
Great content, so much to learn
Thanks Dave ❤
This is wonderful.
Man discovers ancient technique
I am an ancient man 😂
Good idea
Thats genius
quite ingenious
Another option is to simply generate two random numbers between 1 and 10 and ask for the sum of both of them in order to submit the form. This alone will prevent 99% of bots.
Please help me understand why this is effective? Wouldn't it be easy for a bot to perform this operation?
@@volt8399 if someone was deliberately trying to program a bot to get get around protections on _your_ website, You're correct it provides little protection. But most bots don't know anything about your website, what fields to enter, or what operation to perform.
Just like with the above solution, if the person knows that it's there they could write a bot to avoid it. But that one extra step is enough to prevent 99% of bots.
Thanks a lot man❤
Not necessarily, if the bot was written specifically for a page like with Selenium the person who wrote it will choose which boxes to fill in beforehand and it will ignore everything else
Correct - this method will not eliminate ALL bots - especially if you are targeted. Never said it would. It will significantly reduce the issue with generic bots.
Assuming all bots fill out all data just sets you up for failure
Speaking in general terms. Not assuming all bots will do anything. Any specific bot author can target your website.
Bro, this is gold. You avoid having to implement one of those annoying capcha
And this is why I write my spam bots as Selenium scripts.
I love this guy!
How well does this work regarding accessibility?
Answered this several times in the comments. Display none removes it from the accessibility tree and that's what you want here. The input is not for humans.
another way is make the default submit button hidden
and the correct submit button run a javascript that flags it as human input cause bots will try missing fields to avoid this
as bot field cant be made required
Man this helps me❤
I've been doing this for years, I never knew it was called a honeypot. I thought it was something I invented... hahaha
One thing comes to mind is Screen Readers for visually impaired folks.. this will for sure mess with it. like it’s a good idea, but not a fully thought out execution.
display: none; removes the input from the accessibility tree as it should. That's what my hidden class does here.
Bot Creators: Hmmm, don't fill visually hidden fields... got it.
If they only all listened to me lol
Thank you..😊
I was thinking , was there something like that I could vide in. You read my mind.
Thanks for this 👏👏👌
nice one ...rhank...❤
That would only work for bots randomly wandering around, if someone targets your website he can EASILY get arround those tricks, in that case captcha's are the way to go, there are even hidden captchas that can detect bots without bothering the user, but ofc they're paid 😅
You are correct sir!
This works, if you use a token also. Just a honeypot is not the greatest solution. Normally u REuse the the http request to flood the database, which was requested 🧐
Fabulous!
I'd just use invisable Google capcha, or whatever Foss alternative tickles your pickel
This is security by obscurity. A better approach would be actual bot detection through the use of interactivity.
I agree that combining this with some of the other suggestions here in the comments is a good approach.
Only issue I see is that more sophisticated spam bots will ignore fields that are hidden, either by looking at the field's attributes, AI image recognition, or some other means of analysis. This would be a more sophisticated attack, so not that common, but it can happen.
I would think spam bots would be smart enough to check for type=‘hidden’ or display:none?
wow simple and efficient.