developers

Protect Your Site from Bots with CAPTCHAs and JavaScript Challenges

Learn why your site needs protection from bots and how CAPTCHAs and JS challenges can help

Feb 9, 202310 min read

Bot is short for “robot,” and bots are applications that perform automated actions on the Internet. Although not all bots are bad, most have malicious purposes, from stealing sensitive information to attempting unauthorized access. Thus, bots can represent a security threat to any website. For this reason, you should consider “antibot” solutions to protect your site from bots.

An effective way to protect against these bot attacks is to adopt CAPTCHAs and JS challenges, two of the most effective and popular antibot technologies available. In this article, you will learn what CAPTCHAs and JS challenges are, how they work, and how you can use them to protect your website from bots.

Why You Need Bot Protection

A bot is a software application that performs automated tasks on the Web. Bots are specifically designed to automate tasks that would otherwise require human intervention or interaction. According to Statista, bots accounted for 42.3% of worldwide Web traffic in 2021. So, we really cannot ignore them.

The term "bot" generally has a negative connotation, but not all bots are bad. For example, search engines use bots to crawl the Internet. In this regard, you might have already heard about GoogleBot. In addition, bots are used to collect data for analysis and keep track of important metrics, such as the uptime of a website.

At the same time, there are also bad bots. These perform malicious actions, such as scraping sensitive data, spamming, and slowing down target websites with excessive requests. Unfortunately, malicious bots have become increasingly popular, and we have all come across a spam bot at least once on YouTube comments or Reddit posts. 27.7% of web traffic is due to bad bots.

For this reason, you need to protect your site from malicious bots. Bot protection involves techniques, technologies, and approaches to identify and block unwanted bots. With bot protection, you try to ensure that only human users and good bots can access your website, improving the general user experience. On the contrary, a website without bot protection is vulnerable to spam and DoS attacks, which could damage your site's reputation and lead to reduced performance.

Bot protection can be implemented in several ways and include many techniques such as blocking IPS based on their reputation, device fingerprinting, and behavioral analysis. Specifically, two of the most effective and widely adopted antibot solutions are CAPTCHAs and JavaScript challenges.

Let’s now learn more about them.

What Is a CAPTCHA?

CAPTCHA stands for "Completely Automated Public Turing test to tell Computers and Humans Apart" and represents a challenge-response test used to determine whether a user is human. In other terms, a CAPTCHA typically involves a simple challenge that users must solve to gain access.

CAPTCHAs block automated systems, such as bots, from performing some actions on a website. Thus, CAPTCHAs are particularly effective in limiting spam and preventing non-human users from accessing specific resources or web pages.

How Do CAPTCHAs Work?

CAPTCHAs work by presenting users with a test that is easy for humans to pass but difficult for computers to solve. This way, they can distinguish between human users from automated bots.

There are different types of CAPTCHA based on the challenge presented to users. The most common ones are:

  • One-click CAPTCHA: Asks the user to click a checkbox to verify that they are not a bot. It works by tracking the user's mouse movements to check whether it resembles human activity.

An example of one-click CAPTCHA from reCAPTCHA

  • Text-based CAPTCHA: Shows an image of distorted text and asks the user to enter the text correctly into an input field.

A text-based CAPTCHA from SimpleCaptcha

  • Image-based CAPTCHA: It shows several images to the user and asks them to select only those of a specified type.

An image-based CAPTCHA from reCAPTCHA

  • Audio-based CAPTCHA: It requests the user to listen to a sequence of numbers or letters and enter it correctly into a text field.

An audio-based CAPTCHA from reCAPTCHA

Note that most CAPTCHA examples above come from Google reCAPTCHA. If you are unfamiliar with it, Google reCAPTCHA is a free service that provides effective CAPTCHAs to prevent automated software from engaging in abusive activities on your website. reCAPTCHA is one of the most popular CAPTCHA providers because it is free to use, easy to implement, and highly effective. Another popular CAPTCHA provider is hCaptcha.

CAPTCHAs: Pros and Cons

Let’s now dig into the pros and cons of CAPTCHAs as an effective bot protection solution.

Pros

  • Most online providers offer them: Many CDNs (Content Delivery Networks) and web hosting providers allow CAPTCHA integration with a few clicks as part of their bot protection offer.
  • Users are used to dealing with them: CAPTCHAs are so popular that online users have become familiar with them. Therefore, users generally know how to deal with CAPTCHAs and are not afraid of them.
  • Users trust them: For example, CAPTCHAs help increase the credibility of online polls and contests. So, CAPTCHAs can help a site increase its reputation.

Cons

  • For some users, they are challenging to solve: Due to accessibility issues, inexperience, or language reasons, CAPTCHAs may pose a challenging test for some users.
  • They take up user time: Solving a CAPTCHA requires user interaction and takes time. Plus, users may need several attempts to pass a CAPTCHA test.
  • They can become annoying: Solving online challenges to prove that you are not a bot is definitely not a fun activity, especially if you have to do it several times in the same browsing session.

Simply put, the main problem with CAPTCHAs is that they require user interaction. This interrupts the operation's flow and distracts users. For this reason, bot protection solutions that require no user action have become increasingly popular. This is exactly what JS Challenges are all about. Let's find out more about them!

What Is a JavaScript Challenge?

A JavaScript challenge - also known as a JS challenge - is a test that browsers run automatically to determine whether the user is legitimate or a bot. The web server sends the challenge to each client as JavaScript code embedded in a web page.

Since most popular browsers have a JavaScript stack, they will be able to understand and pass the challenge transparently. In contrast, bots typically do not have a JavaScript stack and, therefore, cannot pass the challenge.

How Do JavaScript Challenges Work?

JS challenges are injected into the HTML code of web pages and executed automatically by the browser. Once passed, the system sends a new challenge to the user only after a few minutes or if the browsing session ends.

Typically, a JavaScript challenge begins by verifying that the client can execute JavaScript. Then, the JavaScript code of the challenge executes. To verify that the user is legitimate, the challenge takes some browser and device characteristics into account. For example, a JS challenge may check for the presence of certain fonts.

This process may take up to a few seconds, but in most cases, JS challenges are executed without the user even realizing it.

Cloudflare JS Challenge's wall page

The most popular provider of JS challenges is Cloudflare, one of the leaders in the CDN market. If you enable the Managed Challenge feature, Cloudflare will send the client a set of challenges. These usually start with the non-interactive challenge above, which runs a JavaScript challenge behind the scene.

Note that when it comes to detecting if the user can run JavaScript, Cloudflare relies on Google’s Picasso fingerprinting protocol. This enables a server to verify the software and hardware stack of a client based on a few collected data.

JS Challenges: Pros and Cons

Let’s now take a look at the pros and cons of JS challenges as a transparent bot protection technology.

Pros

  • They are not intrusive: JavaScript challenges are executed automatically and do not require user interaction. End users have to be patient for a few seconds while the JS challenge is executed.
  • They do not require a backend: JS challenges can be executed without communicating with a server, making them a network-efficient antibot solution.
  • They respect privacy: JS challenges are executed in the front end and do not require storing user data.

Cons

  • They can be bypassed: Assuming that bots cannot run JavaScript is not sufficient to block them. This is especially true considering that headless browser technologies allow instructing browsers with no GUI to perform automated tasks.
  • You cannot rely solely on them: JS challenges represent the first level of a complete bot mitigation solution, which generally involves more advanced challenges.
  • They block human users with JavaScript disabled: Users who disable JavaScript execution in their browser for security reasons will fail JavaScript challenges. So, they will be mistaken for bots.

Bot Protection According to Auth0

Auth0 can help your website with bot protection. The Auth0 bot detection feature uses machine learning to identify bots and block them from performing specific attacks, such as credential stuffing attacks or list validation attacks. When a bot attack is detected, the Auth0 bot detection system adds a CAPTCHA step in the login or sign-up form to eliminate bot and scripted traffic. The Auth0 bot detection feature uses machine learning to identify bots and block them from performing specific attacks, such as credential stuffing attacks or list validation attacks. When a bot attack is detected, the Auth0 bot detection system adds a CAPTCHA step in the login or sign-up form to eliminate bot and scripted traffic.

Auth0 can introduce a CAPTCHA for security reasons in a login form

Note that you can configure the CAPTCHA provider directly on the Attack Protection dashboard. Keep in mind that Auth0 supports reCAPTCHA integration.

Auth0 bot detection has been proven to reduce bot attacks by 79% while adding very little friction to legitimate users, considering that less than 1% of CAPTCHAs are shown to human users. Also, Auth0 allows you to define an allowlist of 100 IP addresses to exempt them from bot detection measures.

Simply put, Auth0 offers advanced bot detection capabilities to protect its sign-in and sign-up features from bots and malicious users. With just a few clicks, you can activate the bot detection system directly in your Auth0 dashboard.

Conclusion

In this article, you learned what a bot is, why bot protection is important, and what the most popular antibot options are. In particular, you had the opportunity to learn more about CAPTCHAs.

CAPTCHAs present users with simple challenges that require some sort of interaction to be solved. Since this can be annoying for users, you may be looking for automated antibot solutions, such as JavaScript challenges.

You learned about the most popular JS challenges on the market and how they work. And finally, you looked at what Auth0 offers for detecting bots to protect login and registration forms.

Thanks for reading! I hope that you found this article helpful. Feel free to reach out to me with any questions, comments, or suggestions.