Forter Exercise by Eliran Pe'er
A login page, with some client-side bot detection tricks.
Instructions
- Clone the project, and run
npm install
- Run the project using
npm start
- Navigate to http://localhost:3000/user/login
Login credentials
Email: eliran013@gmail.com
Password: Aa123456
Tech
Client
- Vanilla JavaScript
- Bulma, just for fun
Server
- JavaScript
- ExpressJS
- ElasticSearch
What's in there?
Bot detection
- Two bot traps - A semi-invisible anchor and an invisible password input. Using these elements will fire the
onBotDetected
event - Required mouse movement
- Fast input prevention - Type too fast and you're considered a bot
- Fast submit - Submit the form too fast and you're considered a bot
- Login attempts spam - Spam the form submittion while changing the input fields will fire the
onBotDetected
event
onBotDetected
The event itself isn't implemented, but you can think about it as if it bans the IP address or present a CAPTCHA (Same as Google CAPTCHA)
Server security
- I implemented access tokens middleware (Could have used JWT, but I thought it will be more fun)
- All of the passwords are hashed using a NPM package called
credential
(https://www.npmjs.com/package/credential). It uses pbkdf2.
ElasticSearch
The ElasticSearch is hosted on AWS. It's a trial, so it'll be available until 29.07.2017
Things I could have done
- HTTPS
- Serverside generation of bot traps - Generation of random bot traps in random places in the HTML, will make them less predictable
- JWT
- Detect bots by clicks
- RDP detections using mouse tracking
- Much more... :)