I want to know if it is possible to create a secure human detection mechanism (not using captcha) for a form with just JavaScript to detect mouse movement, since neither jQuery nor operating system code can move the mouse (so I'm told).
Here is my plan:
- With jQuery I can detect if the mouse has moved, and then allow a form to submit if it has.
- I already have cross site scripting enabled so no one can submit directly to the site outside of the webpage, and I'm requiring JavaScript to submit the form.
- The mouse movement will add a value to a mouse field in the form and the value is what will determine on the server side that it was submitted by a human.
- The mouse field will use some form of algorithm that the mouse movement will seed, then decode it on the server side so a bot can just enter any value into the mouse field.
So I'm wondering if there are still holes in this approach or ways for a bot to still bypass it.
asked Mar 15, 2013 at 23:47 by Jon
- 1 What if someone overloads the mousemove function? – Travis J Commented Mar 15, 2013 at 23:49
- 3 What if someone has a program that simulates a mouse, which moves the simulated mouse? – user829323 Commented Mar 15, 2013 at 23:49
- 1 What if a person uses only tabbing and entering to focus on each form part and then hits enter to submit? – npage Commented Mar 15, 2013 at 23:51
- 4 What if someone doesn't use a mouse? Screenreader apps for example. – aorcsik Commented Mar 15, 2013 at 23:51
- Why not have written instructions that a human can easily perform? For example, show a red, blue, and green dot and tell the user to click the red dot once and the blue dot twice – Jason Commented Mar 16, 2013 at 1:03
2 Answers
6
No, it is not possible to create a secure mechanism that detects a human by relying on mouse movements. Check out the java.awt.Robot class for just one example of how to hack it using software only. I used this class to write an Easter egg into a program that jacks with the mouse and makes it dance some crazy patterns. The users loved it ;-) You could also hack it with the USB Rubber Ducky.
Your method relies on something that would be trivial for a bot to do, unless you use mouse movements in some way I've not thought of.
No matter what you are doing with the mouse, at the end of the day, all you are doing is making a value in a form.
I'm not 100% sure how you plan to implement this, but if you are just tracking exact mouse location (which I'm not sure HTML will even let you do, but I could be wrong), a bot would be able to emulate that, either by setting the field to the location where you expect the mouse to be, or by moving a "virtual" mouse by adding the change in x and y to some value.
(This is all assuming that the bot would be able to understand your instructions of course. I'd assume that by writing, in plain text HTML, "Please enter the value '290' in the box below" most bots except one that was written especially for your site will be able to register...)
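
The second answer's point that the server only ever receives a form value, shown as an added example that is not part of the original thread. The encoding scheme, the key, and every function name below are hypothetical stand-ins for the "some form of algorithm" in the question.

```javascript
// Added example; the encoding scheme, key and all names are hypothetical.
const crypto = require("crypto");

// Anything shipped in the page's JavaScript, this key included, is readable by any client.
const PAGE_KEY = "constructed-key-shipped-in-page-js";
const tagFor = (body) =>
  crypto.createHmac("sha256", PAGE_KEY).update(body).digest("hex");

// Client side: what the page script would put in the mouse field.
function encodeTrail(points) {
  const body = points.map(([x, y]) => `${x},${y}`).join(";");
  return `${body}|${tagFor(body)}`;
}

// Server side: decode the field and apply plausibility checks.
function serverAccepts(field) {
  const [body, tag] = String(field).split("|");
  if (!body || !tag || tag !== tagFor(body)) return false;
  const pts = body.split(";").map((p) => p.split(",").map(Number));
  if (pts.length < 5) return false; // too short to count as movement
  return pts.some(([x, y]) => x !== pts[0][0] || y !== pts[0][1]);
}

// Constructed sample: coordinates as a mousemove handler would record them.
const fromHandler = [[10, 12], [14, 15], [19, 21], [27, 26], [33, 34], [41, 39]];

// The same kind of list with no pointer device involved: add a change in
// x and y to a value, as the second answer describes.
function fromArithmetic(n) {
  const pts = [[10, 12]];
  for (let i = 1; i < n; i++) {
    const [x, y] = pts[i - 1];
    pts.push([x + 3 + (i % 4), y + 2 + (i % 3)]);
  }
  return pts;
}

// The server's verdict for each kind of input.
function verdicts() {
  return {
    handler: serverAccepts(encodeTrail(fromHandler)),
    arithmetic: serverAccepts(encodeTrail(fromArithmetic(6))),
    emptyField: serverAccepts(""),
    tampered: serverAccepts("1,1;2,2;3,3;4,4;5,5|00"),
  };
}
```

The check rejects empty and malformed fields, but it accepts the handler-recorded and the computed trail alike, because its verdict depends only on the bytes in the request. Such a field can filter bots that submit forms blindly; it cannot establish that a person was present.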