Server side Captcha in ASP.NET Web API
Hi everyone,
In modern days the attacks on websites increased, Hackers are using different types cyber attacks to steal the people information and their credentials, One of the approach is brute force attack where the virtually masked person try to guess the username and password of a website by using different combination of username passwords. There are lot of websites are prone to this attack as they don’t have any solid security measures. To prevent these type of attacks, Websites need captcha implementation to prevent the automation of requests.
As the client side captchas has a limitation that they can only work in DOM and they can’t make your login APIs secure and I’ve developed a nuget package in .Net Framework to generation and validate captcha in server side with out using the application database.It create a small sqlLite db for itself to validate captchas and with just few lines of code you can integrate the captcha into the website, You can get it from this link or you can simply run this command
Install-Package SuperNova -Version 3.0.3 in nuget console manager to download the package.
Usage:
Initialize the Captcha Generator in the Global.asax.cs.
public class WebApiApplication : System.Web.HttpApplication
{
string captchaKey = ConfigurationManager.AppSettings["CAPTCHA_KEY"].ToString();
string captchaIv = ConfigurationManager.AppSettings["CAPTCHA_IV"].ToString();
protected void Application_Start()
{
AreaRegistration.RegisterAllAreas();
GlobalConfiguration.Configure(WebApiConfig.Register);
FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters);
RouteConfig.RegisterRoutes(RouteTable.Routes);
BundleConfig.RegisterBundles(BundleTable.Bundles);
captcha.initialize(captchaKey, captchaIv, 15);
}
}In the above function captcha.initialize() initializes the captcha code and it takes 3 inputs
- Captcha key is a secret key with length 16 (any string)
- Captcha IV is a initial vector value with length 16 (any string)
- captcha expiry in minutes (the above example sets captcha to expire in the 15 minutes.)
Captcha Generation in Controller:
[HttpGet][Route("GetCaptcha")]public dynamic GetCaptcha(){dynamic objdata = new ExpandoObject();try{string captchaData = captcha.randomString(4).ToUpper();string captchaEncoded = captcha.encodedImage(captchaData);string captchaChiper = captcha.encodedCipher(captchaData);if (!string.IsNullOrEmpty(captchaChiper)){objdata.captchaEncoded = captchaEncoded;objdata.captchaChiper = captchaChiper;objdata.status = true;}else{objdata.status = false;objdata.result = "Unable to load captcha";}return Ok(objdata);}catch (Exception ex){objdata.Status = false;objdata.result = ex.Message.ToString();return Ok(objdata);}}
In the above code captcha.randomString generates the random string for captcha generation. captcha.encodedImage is the base64 image of the captcha which we’ll show in the client side. captcha.encodedCipher generates the cipher which will send to client side and will again sent to server side along with user entered captcha value for verification. Please find the below code for captcha verification.
Captcha Verification:
bool isCaptchaValid = captcha.verify(captchaChiper,captchaData);captcha.verify method returns true if the cipher and the user entered values are valid otherwise it returns false.
Please leave a feedback and let me know if there is any bugs. So that I’ll make it more reliable…
I’ve load tested it and it providing almost 3200 captchas per minutes with 0 Error %.
Please find the test results below:
