views: 77
answers: 3
I'm using the following security measure (invisible captcha) for my site's form submission to prevent automated submission:

  1. generate the result of md5 with a fixed salt on number x and render it inside the form as a hidden field
  2. generate 2 hidden fields a and b where a + b = x, a and b are unencrypted
  3. upon submission, use JavaScript to add another plain hidden field c where c = a + b
  4. on server side apply md5 on c with the salt, compare it with encrypted x

However, such a system was cracked in production: one person was able to auto-submit thousands of forms successfully. Any idea how?

One way to do it is: the hacker already knows that the operation is + (simple to find out by observing the JavaScript), reads the form, adds a and b, and creates a new form with the extra c field where c = a + b. He has to first read a form, then create one for submission.

My questions are:

  1. Is the hypothesis I presented above the likely way to break my system?
  2. If so, what should I do to prevent this kind of hack?
  3. What are other alternative hacks the hacker might use?

I don't want to use real captcha because it degrades user experience. All suggestions are welcome.

+4  A: 

Alternatively, the hacker could just execute your JavaScript themselves.

If you want to validate that the user isn't a robot, you'll have to get the user to do something a robot can't. It's really that simple.

Anon.
A: 

I can't give advice for your specific case, but Django has some nice approaches to how spam in comment fields could be suppressed without captchas: Nice approaches here.

Boldewyn
+1  A: 

A further step would be to increase the amount of computation required; make it infeasible to submit the forms too rapidly. Try looking at HashCash.

Andrew Aylett
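A worked example of the proof-of-work idea Andrew Aylett points at, added here and not code from the question or any answer: the server mints a challenge bound by an HMAC, the browser has to burn CPU to find a counter whose hash has enough leading zero bits, and the server verifies with a single hash. The secret, the 16-bit difficulty, the 600 s challenge lifetime and the `timestamp:nonce:tag` layout are all assumptions for the demo.

```python
import hashlib
import hmac
import secrets
import time
from itertools import count

# Constructed demo secret; a real deployment loads it from configuration.
SERVER_SECRET = b"constructed-demo-secret"
DIFFICULTY_BITS = 16  # leading zero bits the client must find; raise to slow bots further

def _tag(body):
    return hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).hexdigest()[:16]

def issue_challenge(now=None):
    # Server side: challenge = timestamp:nonce:hmac, so the server can later
    # recognise its own challenge and its age without storing anything.
    ts = now if now is not None else int(time.time())
    body = f"{ts}:{secrets.token_hex(8)}"
    return f"{body}:{_tag(body)}"

def _leading_zero_bits(digest):
    bits = 0
    for byte in digest:
        if byte:
            return bits + 8 - byte.bit_length()
        bits += 8
    return bits

def solve_challenge(challenge, bits=DIFFICULTY_BITS):
    # Client side (the browser's JavaScript would do this): find a counter such
    # that sha256(challenge:counter) starts with `bits` zero bits; cost grows as 2^bits.
    for counter in count():
        digest = hashlib.sha256(f"{challenge}:{counter}".encode()).digest()
        if _leading_zero_bits(digest) >= bits:
            return counter

def verify_submission(challenge, counter, bits=DIFFICULTY_BITS, max_age=600, now=None):
    # Server side: reject a forged or stale challenge, then check the work (one hash).
    try:
        ts_s, nonce, tag = challenge.split(":")
        ts = int(ts_s)
    except ValueError:
        return False
    if not hmac.compare_digest(tag, _tag(f"{ts}:{nonce}")):
        return False
    current = now if now is not None else int(time.time())
    if not 0 <= current - ts <= max_age:
        return False
    digest = hashlib.sha256(f"{challenge}:{counter}".encode()).digest()
    return _leading_zero_bits(digest) >= bits
```

The challenge string and the solved counter are what would go in the hidden fields in place of the a, b and md5(x) trio. To stop one solved challenge from being replayed across thousands of submissions, the server should additionally remember each nonce it accepts until that challenge expires; that store is omitted here.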