
serious logical mistake

Open dengere opened this issue 3 years ago • 6 comments

Posting to the server after testing from the client is a serious error. In this case, the server's post method can be called by unwanted requests. It should verify every post method body...

        grecaptcha.execute('@siteKey', { action: 'homepage' }).then(function (token) {
            $.getJSON("/Home/Verify?token=" + token, function (data) {
                if (data) {
                    // it seems OK, but unwanted requests can still be passed through
                    $('form').unbind('submit').submit();
                } else {
                    document.location = "@Url.Action("Error", "Home")";
                }
            });
        });

dengere avatar Mar 15 '21 15:03 dengere

Hi, thanks for sharing this issue. I didn't understand exactly. Do you mean the recaptcha verify control will run after the form submit? Or do you mean that, when submitting the form, a user can send incorrect data? I used the Google documentation. I checked again and updated the code, but I think this is not about your issue. Can you give me details or send a PR? Thanks again.

huseyinsimsekk avatar Mar 16 '21 17:03 huseyinsimsekk

  1. Fetch the token from Google before submitting.
  2. Submit your form with the token. (You don't need to change your input model; the HTTP context will carry the token to your controller.)
  3. Verify the token with your "secret" with any HTTP client on your server side. A filter could be better for MVC controllers.

Why? We use reCAPTCHA for unwanted clients, not only users.

dengere avatar Mar 16 '21 20:03 dengere
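The three steps above, as an added example that is not the project's own code: an MVC action filter that reads the token out of the POSTed form, sends it to Google's siteverify endpoint with the server-side secret, and only lets the action run when the reply is successful, carries the expected action and hostname, and meets the configured score threshold. The `RecaptchaOptions` class, the `Recaptcha` configuration section, and the `g-recaptcha-response` hidden-input name are assumptions for this example; the siteverify URL, request parameters and reply fields are the ones Google documents.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Text.Json;
using System.Text.Json.Serialization;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Options;

// Assumed options class; bind it in Program.cs with
// builder.Services.Configure<RecaptchaOptions>(builder.Configuration.GetSection("Recaptcha"))
// and register IHttpClientFactory with builder.Services.AddHttpClient().
public sealed class RecaptchaOptions
{
    public string SiteKey { get; set; } = "";
    public string SecretKey { get; set; } = "";   // server-only; never rendered into a view
    // Declare the threshold as a JSON number ("Threshold": 0.5). A string such as "0,5"
    // is parsed with the host's culture and behaves differently on tr-TR and en-US machines.
    public double Threshold { get; set; } = 0.5;
    public string ExpectedHostname { get; set; } = ""; // e.g. "example.com"; empty skips the check
}

// Shape of Google's siteverify reply (documented fields only).
public sealed class SiteVerifyResponse
{
    [JsonPropertyName("success")] public bool Success { get; set; }
    [JsonPropertyName("score")] public double Score { get; set; }
    [JsonPropertyName("action")] public string? Action { get; set; }
    [JsonPropertyName("hostname")] public string? Hostname { get; set; }
    [JsonPropertyName("error-codes")] public List<string>? ErrorCodes { get; set; }
}

[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
public sealed class ValidateRecaptchaAttribute : Attribute, IAsyncActionFilter
{
    private const string TokenField = "g-recaptcha-response"; // assumed hidden-input name
    private const string VerifyUrl = "https://www.google.com/recaptcha/api/siteverify";
    private readonly string _expectedAction;

    public ValidateRecaptchaAttribute(string expectedAction) => _expectedAction = expectedAction;

    public async Task OnActionExecutionAsync(ActionExecutingContext ctx, ActionExecutionDelegate next)
    {
        var request = ctx.HttpContext.Request;
        if (!HttpMethods.IsPost(request.Method)) { await next(); return; } // only guard state changes

        // The token travels in the form body, so the input model does not change.
        string token = request.HasFormContentType
            ? (await request.ReadFormAsync())[TokenField].ToString()
            : "";
        if (string.IsNullOrEmpty(token))
        {
            ctx.Result = new BadRequestObjectResult("missing captcha token");
            return;
        }

        var services = ctx.HttpContext.RequestServices;
        var opts = services.GetRequiredService<IOptions<RecaptchaOptions>>().Value;
        var client = services.GetRequiredService<IHttpClientFactory>().CreateClient();

        SiteVerifyResponse? verdict;
        try
        {
            using var content = new FormUrlEncodedContent(new Dictionary<string, string>
            {
                ["secret"] = opts.SecretKey,
                ["response"] = token,
                ["remoteip"] = ctx.HttpContext.Connection.RemoteIpAddress?.ToString() ?? "",
            });
            using var resp = await client.PostAsync(VerifyUrl, content);
            resp.EnsureSuccessStatusCode();
            verdict = JsonSerializer.Deserialize<SiteVerifyResponse>(await resp.Content.ReadAsStringAsync());
        }
        catch (Exception ex) when (ex is HttpRequestException || ex is JsonException)
        {
            // Fail closed: if Google cannot be reached, do not run the protected action.
            ctx.Result = new StatusCodeResult(StatusCodes.Status503ServiceUnavailable);
            return;
        }

        if (!IsAcceptable(verdict, _expectedAction, opts))
        {
            ctx.Result = new StatusCodeResult(StatusCodes.Status403Forbidden);
            return;
        }
        await next();
    }

    // Pure policy decision, kept separate so it can be unit-tested without network access.
    public static bool IsAcceptable(SiteVerifyResponse? r, string expectedAction, RecaptchaOptions opts)
    {
        if (r is null || !r.Success) return false;
        if (!string.Equals(r.Action, expectedAction, StringComparison.Ordinal)) return false;
        if (opts.ExpectedHostname.Length > 0 &&
            !string.Equals(r.Hostname, opts.ExpectedHostname, StringComparison.OrdinalIgnoreCase)) return false;
        return r.Score >= opts.Threshold;
    }
}
```

Apply it as `[HttpPost, ValidateRecaptcha("homepage")]` on the action that receives the form; the client script then only has to copy the token from `grecaptcha.execute` into a hidden input named `g-recaptcha-response` and submit. Because the check runs on the POST itself rather than on a separate `/Home/Verify` GET, a client that skips the browser script has no path that reaches the action without a valid token, and the action and hostname comparisons stop a token minted for another form or another site from being replayed here.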

Thanks again. I see. I will try to apply this as soon as possible.

huseyinsimsekk avatar Mar 17 '21 19:03 huseyinsimsekk

I downloaded it. I put my own keys in appsettings, but I can't tell whether it is working or not. Do I need to configure anything else?

batu-han3428 avatar Jun 25 '21 13:06 batu-han3428

@batu-han3428 hi. Entering your own values in appsettings is enough. The Google API computes a score (a value between 0 and 1). Based on the threshold you specified, you can decide whether to submit the form or stop the submission. Also, if you use it in production, you can see statistics over time in the Google reCAPTCHA service for the requests reaching the live system, for example "100 requests came in with a score of 0.9".

huseyinsimsekk avatar Jun 26 '21 20:06 huseyinsimsekk

There is a mistake in the appsettings.json file: there is a comma in the RecaptchaThreshold value. I think that should be a ".".

Aman-Ansari-03 avatar Feb 08 '24 10:02 Aman-Ansari-03