Friday 24 January 2020

Making It Hard For Humans and BOTS to use SELECT Inputs

How To Ensure A Human Has To Select From A List Rather Than Just Hitting A Letter, Word or Number

By Strictly-Software

I noticed something the other day when logging into Halifax my bank, when you get to the memorable information form, you have to select 3 letters picked by random from your word

They will have 3 List boxes and they will pick 3 positions in your memorable phrase to select e.g letter 4, 7, 15.

I used to be able to just tab though the list boxes and hit the right letter or number and get it selected but no more.

At first I thought it might be something to prevent BOTS from using the form, and preventing bank fraud etc but when I inspected the SELECT inputs they used I noticed they were doing something else,

They have just put non breaking HTML space entities in front of all the values and options e.g


<option value="&nbsp;a">&nbsp;a</option>

So they have just put a space character in front of the value and in the viewable list. However they haven't used a space as in a " " gap, they have used an encoded space as quick fingers would easily be able to select the box and hit the space bar and the letter to get to their value.

However it's not so easy to write out a whole &nbsp; character and the letter to select it without using your mouse.

I don't know how this would effect BOTS however as someone who is designing a site for phising attacks would examine their HTML code and could easily write something that passed 3 letters to the server on submit with a non breaking space in front of them e.g &nbsp;a.

However it certainly makes sure that a human actually pays attention and USES the select box with a mouse rather than tabbing through.

If anyone can see how this increases security on Bank forms let me know as seems to not prevent BOTS - unless automated and those who don't know where they are from attacking a page. It might mean the rewriting of a generic intrusion tool to handle list boxes like this but that would be easy.

It just seems to make it harder for legitimate users from using their fingers and not the mouse from what I can see. However it does make sure you are more careful when entering the values. So maybe that is all they wanted to do.

If anyone can see any other reasons why putting a non breaking space character in the list box options is a good idea let me know please.

By Strictly-Software

© 2020 Strictly-Software