PlanetTheCloud / project-logged

Custom material design authentication template for MyOwnFreeHost
MIT License
31 stars 17 forks

[Security] Possible spam attacks #20

Closed PlanetTheCloud closed 1 year ago

PlanetTheCloud commented 3 years ago

The token for the captcha is not locked. Therefore an attacker may spoof the token and the captcha.

Solution: Lock the token or use ReCaptchaV2 incorporating the Pull Request #19 .

PlanetTheCloud commented 3 years ago

Will add on v1.9

aa22dev commented 3 years ago

> The token for the captcha is not locked. Therefore an attacker may spoof the token and the captcha.
>
> Solution: Lock the token or use ReCaptchaV2 incorporating the Pull Request #19 .

We can use Re-captcha v2 (Invisible Re-captcha). That would be easy and simple I believe.

PlanetTheCloud commented 3 years ago

> The token for the captcha is not locked. Therefore an attacker may spoof the token and the captcha.
>
> Solution: Lock the token or use ReCaptchaV2 incorporating the Pull Request #19 .
>
> We can use Re-captcha v2 (Invisible Re-captcha). That would be easy and simple I believe.

Surely, we can try those out

PlanetTheCloud commented 3 years ago

Sorry, is ReCaptcha PAID?

Why do I get the message "Get unlimited assessments using reCAPTCHA Enterprise" https://www.google.com/recaptcha/admin/create

ItsGamingTube commented 3 years ago

Yeah it's free

aa22dev commented 3 years ago

> Sorry, is ReCaptcha PAID?
>
> Why do I get the message "Get unlimited assessments using reCAPTCHA Enterprise" https://www.google.com/recaptcha/admin/create

I am seeing the same message. Seems like Google limits the re-captcha requests to 1M users and for more than that we have to pay lol

We can try hCaptcha (The system used by Cloudflare to prevent bots spam)

Or instead of implementing re-captcha, we can add a simple math equation by using the rand() command to generate numbers from 0 to 9 with either sum or multiplication, which can also prevent bot spams.
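The first comment's point (an unlocked captcha token can be replayed or spoofed) and the arithmetic-captcha proposal above both come down to the same server-side design: the answer never leaves the server, and the token that identifies the challenge is bound to the visitor's session and consumed on first use. The following is an added example illustrating that design, not code from project-logged; the function names, the `$_SESSION['captcha']` key and the 5-minute lifetime are assumptions. It uses `random_int()` rather than `rand()`, since `rand()` is not a cryptographic generator.

```php
<?php
// Added example (not project-logged's own code): a server-side arithmetic
// captcha whose answer is bound to a single-use session token, so the client
// never receives the answer and cannot replay a token. Names such as
// captcha_issue, captcha_verify and $_SESSION['captcha'] are assumptions.
declare(strict_types=1);

const CAPTCHA_TTL_SECONDS = 300;

// Build a fresh challenge. Returns the question to render and the opaque token
// to embed as a hidden form field; the expected answer stays in the session.
function captcha_issue(array &$session, int $now): array
{
    $a  = random_int(0, 9);             // CSPRNG-backed, unlike rand()
    $b  = random_int(0, 9);
    $op = random_int(0, 1) === 0 ? '+' : '*';
    $answer = $op === '+' ? $a + $b : $a * $b;

    $token = bin2hex(random_bytes(16)); // 128 random bits, not guessable
    $session['captcha'] = [
        'token'   => $token,
        'answer'  => (string) $answer,
        'expires' => $now + CAPTCHA_TTL_SECONDS,
    ];
    return ['question' => "$a $op $b = ?", 'token' => $token];
}

// Verify and always invalidate: one token, one attempt, whatever the outcome,
// so a correct or guessed answer cannot be resubmitted with the same token.
function captcha_verify(array &$session, string $token, string $answer, int $now): bool
{
    $stored = $session['captcha'] ?? null;
    unset($session['captcha']);          // single use, even on failure
    if ($stored === null || $now > $stored['expires']) {
        return false;
    }
    // hash_equals() gives a constant-time string comparison with no type juggling.
    return hash_equals($stored['token'], $token)
        && hash_equals($stored['answer'], trim($answer));
}

// Usage in the signup handler, after session_start():
//   $c = captcha_issue($_SESSION, time());
//   -> render $c['question'] and a hidden input carrying $c['token']
//   $ok = captcha_verify($_SESSION,
//                        (string) ($_POST['captcha_token'] ?? ''),
//                        (string) ($_POST['captcha_answer'] ?? ''),
//                        time());
```

Because the token is looked up in the server session rather than trusted from the form, a submission that carries a token the server did not issue (or one already consumed) fails regardless of the answer it supplies; that is the "lock" the first comment asks for. An arithmetic challenge of this size is still cheap for an OCR-equipped bot to solve, so it limits naive form spam rather than a determined attacker, which is the trade-off the hCaptcha/reCAPTCHA discussion in this thread is about.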

ImLoadingUuU commented 3 years ago

Recaptcha V3 + hCaptcha?

aa22dev commented 3 years ago

> Recaptcha V3 + hCaptcha?

Only hCaptcha OR ReCaptcha V2 (Invisible Recaptcha). Having two types of bot spam protection systems isn't a good idea. Two requests will be generated to two different APIs, impacting page speed.

nabeelshaikh7 commented 2 years ago

You could use an IP limiter. And if the user is trying to use a VPN to access after the IP block, you can block it.

Ipinfo.io has a good API for this use. They give you only a little amount of data, like:

```json
{
  "ip": "8.8.8.8",
  "hostname": "dns.google",
  "anycast": true,
  "city": "Mountain View",
  "region": "California",
  "country": "US",
  "loc": "37.4056,-122.0775",
  "org": "AS15169 Google LLC",
  "postal": "94043",
  "timezone": "America/Los_Angeles"
}
```

You could have some "org" in some sort of blacklist, and whenever a person loads the page it will check the IP, query it to the API and check the "org"; if it matches the one in the blacklist we could deny it, or if it is not in the blacklist it would allow it. And we can log the "org" only, so we can search the org and check whether it is a cloud provider or a VPS provider, and we can block it.

aa22dev commented 2 years ago

> You could use an IP limiter. And if the user is trying to use a VPN to access after the IP block, you can block it.
>
> Ipinfo.io has a good API for this use. They give you only a little amount of data, like:
>
> ```json
> { "ip": "8.8.8.8", "hostname": "dns.google", "anycast": true, "city": "Mountain View", "region": "California", "country": "US", "loc": "37.4056,-122.0775", "org": "AS15169 Google LLC", "postal": "94043", "timezone": "America/Los_Angeles" }
> ```
>
> You could have some "org" in some sort of blacklist, and whenever a person loads the page it will check the IP, query it to the API and check the "org"; if it matches the one in the blacklist we could deny it, or if it is not in the blacklist it would allow it. And we can log the "org" only, so we can search the org and check whether it is a cloud provider or a VPS provider, and we can block it.

I don't know whether org differs or not for the one using Google DNS, so we might run the risk of banning legitimate traffic. We can use the IP block thing upon four signup tries, but it can easily be bypassed using a VPN. If there is some way to fetch the MAC address of a user PC, then I believe it will be a liable solution.
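The two mechanisms discussed in the last two comments (a per-IP counter that trips after four signup tries, and an "org" check against an ipinfo.io-style lookup, with the org logged for later review) can be sketched as below. This is an added example and not project-logged's code; the lookup response is a constructed copy of the sample JSON above and is passed in rather than fetched, the attempt store is a plain array standing in for APCu, a database row or a locked file, and the blocked ASN is a private-use placeholder, not a recommendation.

```php
<?php
// Added example (not project-logged's own code): a fixed-window per-IP signup
// attempt counter plus an ASN check against an ipinfo.io-style "org" field.
// The lookup result is constructed inline so this runs offline; the function
// names, window size and blocklist contents are assumptions.
declare(strict_types=1);

const SIGNUP_MAX_ATTEMPTS   = 4;      // the thread's "four signup tries"
const SIGNUP_WINDOW_SECONDS = 3600;

// $store maps ip => ['count' => n, 'window_start' => ts]. A shared store with
// locking is needed in production; a request-local array is only for illustration.
function signup_attempt_allowed(array &$store, string $ip, int $now): bool
{
    $entry = $store[$ip] ?? ['count' => 0, 'window_start' => $now];
    if ($now - $entry['window_start'] >= SIGNUP_WINDOW_SECONDS) {
        $entry = ['count' => 0, 'window_start' => $now];   // window expired: reset
    }
    $entry['count']++;
    $store[$ip] = $entry;
    return $entry['count'] <= SIGNUP_MAX_ATTEMPTS;
}

// Match "org" ("AS15169 Google LLC") on the leading ASN only: the free-text
// name after it changes between providers and is not a stable key. An entry
// without a parseable ASN is not blocked, to avoid acting on guesswork.
function org_is_blocked(array $ipinfo, array $blocked_asns): bool
{
    $org = $ipinfo['org'] ?? '';
    if (!is_string($org) || !preg_match('/^(AS\d+)\b/', $org, $m)) {
        return false;
    }
    return in_array($m[1], $blocked_asns, true);
}

// Log only the ASN/org, as proposed above, so entries can be reviewed by a
// human before a provider is added to the blocklist.
function org_log_line(string $ip, array $ipinfo, int $now): string
{
    $org = $ipinfo['org'] ?? 'unknown';
    return sprintf("%s signup ip=%s org=%s\n", date('c', $now), $ip, $org);
}

// Constructed sample: the response shape quoted in the comment above.
$sample = json_decode(
    '{"ip":"8.8.8.8","hostname":"dns.google","anycast":true,'
    . '"city":"Mountain View","region":"California","country":"US",'
    . '"loc":"37.4056,-122.0775","org":"AS15169 Google LLC","postal":"94043",'
    . '"timezone":"America/Los_Angeles"}',
    true
);

$blocked = ['AS64512'];   // private-use ASN used purely as a placeholder
$store   = [];
$now     = 1000;          // fixed clock for the walk-through
for ($i = 1; $i <= 5; $i++) {
    $allowed = signup_attempt_allowed($store, '8.8.8.8', $now);
    echo "attempt $i: " . ($allowed ? 'allowed' : 'rate limited') . "\n";   // 5th is limited
}
echo org_is_blocked($sample, $blocked) ? "org blocked\n" : "org not blocked\n";
echo org_log_line('8.8.8.8', $sample, $now);
```

The reply above it already names the weak spot: an ASN blocklist keyed on "org" will also catch legitimate users whose traffic arrives through the same provider, and the IP counter is sidestepped by changing address. Keeping the decision to logging first, and blocking only ASNs that show up repeatedly in those logs, is the lowest-false-positive way to use this data; the MAC address of a visitor's machine is not visible to a web server across the Internet, so it cannot serve as the identifier the last comment hopes for.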