NOJSCAP git repository: https://git.libroot.org/libroot/NOJSCAP.
NOJSCAP demo server: https://libroot.org/NOJSCAP-demo.
Modern browsers are bloated[1], turning your computer into a playground for exploitation. Having JavaScript enabled expands the attack surface significantly, and intelligence agencies like the NSA are well aware of this, using these vulnerabities for example to target Tor users.[2]
We advocate for websites that function without JavaScript, even in minimal or privacy-focused browsers, like in Lynx and Tor Browser.
We wanted to make a CAPTCHA that:
Works without JavaScript.
Is free software, self-hostable, easy to implement.
Is extremely lightweight, doesn't require user to install billion libraries or package managers.
Works pretty much in all computers and operating systems, even in fringe browsers.
Doesn't require solving annoying puzzles.
There are quite plenty CAPTCHAs out there that work without JavaScript, but they are either really easy for bots to solve (e.g. OCR'ing characters from the CAPTCHA image), they aren't free software, or they rely on some modern browser features (like CSS3 quirks, like those we've seen in some hidden onion services), or they force users to solve tedious puzzles or click through cluttered challenges.
So we built NOJSCAP, what may be the first Proof-of-Work (PoW) based CAPTCHA system designed for the web and which works without JavaScript and CSS, doesn't require any browser tricks, is free software, all while being extremely lightweight. NOJSCAP client is a simple CLI tool which works offline, and the installation doesn't require the user to have fancy package managers like cargo bun npm docker node go snap gem bla bla. It's simple to implement and the client is usable on nearly all operating systems and devices, even on smartphones like Apple iOS[3] and Google Android. NOJSCAP server isn't required to log anything about the users, such as cookies or IP addresses.
link to video
link to video
Here's how it works.
The NOJSCAP server generates a challenge and stores it temporarily in memory.
The challenge and difficulty are rendered on a web page.
The user runs NOJSCAP client, using the provided challenge and difficulty as arguments.
NOJSCAP client searches for a valid nonce such that:
hash = SHA256(challenge + nonce)The hash must start with a given number of zero bits (e.g., 20).
Mathematically this means:
SHA256(challenge + nonce) < 2^(256 - difficulty_bits)The user copies the discovered nonce and submits it to the server via a POST request.
The NOJSCAP server checks if the challenge exists in memory and verifies the nonce by computing:
hash = SHA256(challenge + submitted_nonce)and checks whether it has the required number of leading zero bits.
The NOJSCAP client is implemented in multiple languages, C, Python, Rust, JavaScript, and Go, so you can choose whichever one suits you best. Proof of Concept NOJSCAP demo servers are also written in multiple languages, Python (with Flask), TypeScript (with Express), and Go (with net/http+http/template).
Send us an email if you are using NOJSCAP, we'd like to see your implementation!
Notes and sources
[1]: For example Chromium has about 41.4 million lines of code and Firefox has 38 million:
Show data
Chromium: Total of 41,469,132 code lines. Firefox: Total of 38,061,118 code lines. $ git clone --depth=1 https://chromium.googlesource.com/chromium/src.git $ cd src $ cloc . 422363 text files. 396476 unique files. 98654 files ignored. github.com/AlDanial/cloc v 1.86 --------------------------------------------------------------------------------------- Language files blank comment code --------------------------------------------------------------------------------------- C++ 65945 2926156 1956009 15818060 HTML 105668 506076 96022 4687699 C/C++ Header 57789 1176852 1444326 3953866 XML 11686 126129 37312 3950477 JSON 8410 679 0 2748230 JavaScript 18506 373320 578373 2228919 Java 11212 311481 332333 1757700 Rust 3531 104343 229623 1387814 Objective C++ 6353 199967 146136 989566 TypeScript 6562 176440 205316 942048 Python 6616 201283 251212 828504 C 1453 115352 121435 621227 SVG 3777 9172 12350 298327 Markdown 3241 75848 11 259511 C# 211 13428 15630 154304 IDL 2683 16438 1 103902 CSS 1867 15176 10999 83572 Bazel 638 7435 4352 78908 Protocol Buffers 1535 26755 55780 78629 YAML 2305 6357 1473 73363 Objective C 174 10177 7441 64336 diff 252 4592 32631 46550 XHTML 1188 3041 2202 44180 PHP 808 4671 10631 29321 SQL 303 1095 1995 27353 JSON5 85 633 3480 25572 Windows Module Definition 25 47 63 22344 TOML 239 3436 2146 21484 Bourne Shell 371 4673 6094 20431 Perl 181 3886 4616 18043 CMake 126 1808 1848 17817 Starlark 143 2291 4366 13169 m4 17 1180 171 10567 Swift 101 1726 1954 9106 Ruby 57 1279 1028 7785 Assembly 49 1232 1478 6781 Kotlin 27 568 936 4315 Pascal 22 2463 11398 4313 DTD 6 20 209 3590 make 46 629 237 3044 Bourne Again Shell 50 530 690 2150 XSLT 83 143 86 2061 Vuejs Component 18 202 235 1910 Groovy 3 203 242 1713 TeX 2 2 11 1486 NAnt script 11 131 0 980 Windows Resource File 29 203 325 978 CoffeeScript 4 118 32 920 Gradle 3 43 70 908 Jupyter Notebook 6 0 1728 894 reStructuredText 40 740 852 871 WiX source 1 111 78 819 Handlebars 14 94 15 777 Maven 6 36 15 752 Lua 2 127 71 703 DOS Batch 38 183 91 696 JSX 5 112 60 677 Lisp 10 184 300 670 ANTLR Grammar 2 169 5 615 INI 98 88 1 560 Go 6 60 52 462 yacc 1 49 42 406 Elm 2 114 29 399 XSD 1 28 50 346 GLSL 11 85 122 264 Dart 4 31 7 195 vim script 6 52 95 191 awk 2 18 12 156 MSBuild script 7 31 15 133 Sass 7 24 0 130 Nix 3 22 62 104 Dockerfile 4 54 77 97 Mako 6 29 13 93 HLSL 3 8 9 63 WebAssembly 3 0 0 53 TNSDL 1 16 0 48 Windows Message File 1 8 7 46 ProGuard 1 0 7 19 D 2 10 70 17 sed 2 10 19 16 PowerShell 1 5 6 9 Standard ML 1 1 0 9 Arduino Sketch 1 4 5 8 Gencat NLS 1 0 0 1 --------------------------------------------------------------------------------------- SUM: 324710 6442212 5599223 41469132 --------------------------------------------------------------------------------------- $ git clone --depth=1 https://github.com/mozilla-firefox/firefox $ cd firefox $ cloc . 369844 text files. 356755 unique files. 35343 files ignored. github.com/AlDanial/cloc v 1.86 --------------------------------------------------------------------------------------- Language files blank comment code --------------------------------------------------------------------------------------- JavaScript 91906 1408671 2135886 7614396 C++ 14562 956150 820492 5567820 HTML 112833 544215 130551 5082307 Rust 12238 363620 725469 3822129 C/C++ Header 20928 679682 1214790 3235855 JSON 3222 940 0 2909506 C 4169 386361 634938 2787720 Python 10106 326123 369521 1400966 XML 8266 24416 322119 906045 INI 24131 370463 151 787811 Kotlin 4682 101650 82170 574139 YAML 2519 20663 12952 523547 Assembly 553 40325 35368 425792 TypeScript 1746 42679 45027 354955 Markdown 2295 71407 49 199952 XHTML 3421 22716 7790 193412 Java 1072 29091 70019 186115 NAnt script 2508 49563 0 164002 SVG 5131 8915 19860 155808 TOML 2408 37186 9347 139426 Bourne Shell 718 21894 24702 131667 CSS 1360 23220 11200 131327 reStructuredText 2188 91973 143630 117926 IDL 1215 16168 0 112877 diff 611 7820 41100 105055 Objective C++ 355 14460 10917 70389 Freemarker Template 378 12227 0 62231 JSX 257 3985 1913 36609 GLSL 1481 10593 10647 35254 m4 43 3028 504 27381 Windows Module Definition 56 309 1584 26462 CMake 166 3120 4350 23769 make 398 6184 8800 21439 Perl 62 2813 3012 12882 Sass 79 2586 490 12246 Bazel 48 962 901 12021 DTD 22 2731 6647 11273 MSBuild script 11 0 0 10419 Objective C 89 2068 1222 9558 Gradle 168 2227 1261 9404 TeX 1 814 3708 7205 C# 20 470 231 3844 Cython 13 420 215 3107 Protocol Buffers 45 1193 3412 3032 Pascal 19 778 6380 2811 Windows Resource File 72 594 623 2454 SKILL 4 68 2 2419 SQL 7 49 87 2212 DOS Batch 37 351 117 1986 yacc 2 383 348 1919 Swift 40 288 151 1753 Dockerfile 73 409 271 1641 Bourne Again Shell 29 266 432 1517 Gencat NLS 7 133 0 1463 SWIG 3 281 77 1362 Vuejs Component 44 78 22 1353 Starlark 8 87 83 1092 Ruby 15 275 120 1004 MATLAB 12 166 203 766 Expect 10 167 305 758 lex 4 149 207 686 XSLT 27 82 18 555 Korn Shell 5 83 165 526 PHP 2 140 288 436 Elm 2 114 29 399 Go 2 72 103 326 Lisp 2 42 38 258 HLSL 2 84 74 253 awk 3 54 4 249 Handlebars 8 5 0 247 Groovy 3 46 18 218 PowerShell 3 16 5 197 Visual Basic 13 1 0 150 Svelte 4 31 2 141 XSD 1 15 19 113 AsciiDoc 2 38 0 108 ProGuard 9 61 203 105 Ant 3 42 133 89 Nix 3 4 1 81 TNSDL 6 14 31 80 WebAssembly 54 3 0 74 WiX source 1 11 25 73 sed 6 13 27 72 Mako 1 0 0 31 CoffeeScript 2 7 4 13 R 1 8 18 12 C Shell 1 1 0 11 D 1 4 22 8 Cucumber 1 3 0 6 Elixir 1 0 37 6 Stylus 1 2 0 5 --------------------------------------------------------------------------------------- SUM: 339036 5721619 6927637 38061118 ---------------------------------------------------------------------------------------
[2]: Most people are aware of basic JS attacks like XSS or clickjacking, but these are just the tip of the iceberg. Over the years, far more dangerous exploits have surfaced, like Rowhammer, which broke hardware isolation to gain system-level access, or Spectre-based attacks that leak memory across security boundaries. WebRTC alone has 114 CVEs. With bloated and vulnerable browsers, exploits are endless. For example, just recently, researchers showed how JS can be hidden in favicons and executed bypassing typical security measures. NSA has attacked Tor users via vulnerabilities in Firefox.
[3]: Works in Apple iOS with a-Shell. Probably some other terminal emulator apps work as well.