https://github.com/bluzi/forter-ex
Home exercise for Forter.com - A login page, with client-side bot detection tricks.
bot-detection bot-traps elasticsearch es6 expressjs javascript
Last synced: about 2 months ago
- Host: GitHub
- URL: https://github.com/bluzi/forter-ex
- Owner: bluzi
- Created: 2017-07-15T15:14:56.000Z (almost 9 years ago)
- Default Branch: master
- Last Pushed: 2025-12-31T10:59:24.000Z (5 months ago)
- Last Synced: 2026-01-04T16:12:11.858Z (5 months ago)
- Topics: bot-detection, bot-traps, elasticsearch, es6, expressjs, javascript
- Language: CSS
- Homepage:
- Size: 111 KB
- Stars: 0
- Watchers: 1
- Forks: 0
- Open Issues: 26
Metadata Files:
- Readme: README.md
README
# Forter Exercise by Eliran Pe'er
A login page, with some client-side bot detection tricks.
## Instructions
1. Clone the project, and run `npm install`
2. Run the project using `npm start`
3. Navigate to http://localhost:3000/user/login
# Login credentials
*Email*: eliran013@gmail.com
*Password*: Aa123456
# Tech
## Client
* Vanilla JavaScript
* Bulma, just for fun
## Server
* JavaScript
* ExpressJS
* ElasticSearch
# What's in there?
## Bot detection
* Two bot traps - a semi-invisible anchor and an invisible password input. Interacting with either element will fire the `onBotDetected` event
* Required mouse movement
* Fast input prevention - Type too fast and you're considered a bot
* Fast submit - Submit the form too fast and you're considered a bot
* Login attempts spam - Spamming the form submission while changing the input fields will fire the `onBotDetected` event
## onBotDetected
The event itself isn't implemented, but you can think of it as banning the IP address or presenting a CAPTCHA (same as Google's CAPTCHA)
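The traps and timing heuristics described in this section, written up as an added example rather than the project's own code: the threshold values, the signal names and the two constructed sessions are assumptions chosen for illustration.

```javascript
// Added example (not the project's code): the README's client-side heuristics as a
// scoring model. Thresholds and signal names are assumptions chosen for illustration.
const DEFAULTS = {
  minKeyIntervalMs: 40,    // keystrokes closer together than this look scripted
  minSubmitDelayMs: 1500,  // submitting sooner than this after page load looks scripted
  maxSubmitsPerWindow: 5,  // more submits than this inside the window is spam
  submitWindowMs: 10000,
};
class BotDetector {
  constructor(opts = {}) {
    this.opts = { ...DEFAULTS, ...opts };
    this.loadedAt = null; this.lastKeyAt = null; this.fastKeys = 0;
    this.mouseMoved = false; this.trapTouched = false; this.submits = [];
  }
  pageLoaded(t) { this.loadedAt = t; }
  mouseMove() { this.mouseMoved = true; }
  // Honeypot anchor clicked or hidden password input filled: only scripts reach these.
  trapUsed() { this.trapTouched = true; }
  keyPress(t) {
    if (this.lastKeyAt !== null && t - this.lastKeyAt < this.opts.minKeyIntervalMs) this.fastKeys++;
    this.lastKeyAt = t;
  }
  // Returns the triggered signals; an empty list means "treat as human".
  submit(t, payload) {
    const reasons = [];
    if (this.trapTouched) reasons.push('bot-trap');
    if (!this.mouseMoved) reasons.push('no-mouse-movement');
    if (this.fastKeys > 0) reasons.push('fast-input');
    if (this.loadedAt !== null && t - this.loadedAt < this.opts.minSubmitDelayMs) reasons.push('fast-submit');
    // Login-attempt spam: many submits inside the window with changing field values.
    this.submits = this.submits.filter((s) => t - s.t <= this.opts.submitWindowMs);
    this.submits.push({ t, payload });
    const distinct = new Set(this.submits.map((s) => s.payload)).size;
    if (this.submits.length > this.opts.maxSubmitsPerWindow && distinct > 1) reasons.push('login-spam');
    return reasons;
  }
}
// Constructed sessions: keyInterval is the gap between keystrokes, submitAt the submit time
// relative to page load, and `trap` means the script also filled the hidden password field.
function simulateSession({ mouse, keyInterval, submitAt, trap }) {
  const d = new BotDetector();
  d.pageLoaded(0);
  if (mouse) d.mouseMove();
  let t = keyInterval;
  for (let i = 0; i < 'eliran'.length; i++) { d.keyPress(t); t += keyInterval; }
  if (trap) d.trapUsed();
  return d.submit(submitAt, 'eliran:pw');
}
const HUMAN = { mouse: true, keyInterval: 120, submitAt: 3000, trap: false };
const BOT = { mouse: false, keyInterval: 5, submitAt: 200, trap: true };
```

`simulateSession(HUMAN)` returns no signals while `simulateSession(BOT)` trips all four per-submit checks; the spam check only fires when repeated submits also change the submitted fields.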
## Server security
* I implemented an access-token middleware (could have used JWT, but I thought this would be more fun)
* All of the passwords are hashed using an NPM package called `credential` (https://www.npmjs.com/package/credential). It uses PBKDF2.
## ElasticSearch
ElasticSearch is hosted on AWS. It's a trial, so it will be available until 29.07.2017
## Things I could have done
* HTTPS
* Server-side generation of bot traps - generating random bot traps at random places in the HTML would make them less predictable
* JWT
* Detect bots by clicks
* RDP detection using mouse tracking
* Much more... :)