bdebon / choiceof.dev

Developers have to cope with pretty hard choices every day. This is a collection of the most complex and funny choices. What will be yours?
https://choiceof.dev
GNU General Public License v3.0
474 stars, 94 forks

Fighting h@ckers with Google Recaptcha v3 #100

Open bdebon opened 1 year ago

bdebon commented 1 year ago

For now, the website can easily be hacked. Someone with little knowledge can send a request with a new fake IP every time and vote 1000 times easily for the same response. This is what happened with PHP vs JavaScript. A backend dev discovered the breach and decided to put 6000 votes for PHP... Don't worry, we will catch up with these 6000 fake votes with 6001 real people's votes for JavaScript.

To fight this, several solutions have been proposed

I like this last solution but I don't have too much time to dig into how to implement that but if someone wants to do it... You're welcome!!

kmartin91 commented 1 year ago

image (reCAPTCHA Enterprise / v3 / v2) https://www.google.com/recaptcha/about/

Don't break internet again, it might cost you a bit

MaximeMRF commented 1 year ago

A lot of e-commerce sites use Cloudflare bot management to block scrapers.

I think it can be a good solution for this problem because a simple POST request made by a script is blocked by Cloudflare.

In addition, Cloudflare may also detect whether you are using a browser controlled by a program like Puppeteer (Node.js) or Selenium (Python).

On the other hand, I don't know how much this solution costs.

l31-dev commented 1 year ago

Why can't we just use Cloudflare? It might do the trick

bdebon commented 1 year ago

I don't know, never used it. Is it compatible with the technologies we can use with the shared hosting at Hostinger? To be precise, we just have PHP / MySQL / and basic nginx. No Node possible.

Snox-dev1 commented 1 year ago

It's really too easy even without scraping @MaximeMRF image

Snox-dev1 commented 1 year ago

The best way is to get the voter's ip address and block him when he votes too much

tdaron commented 1 year ago

Is a captcha really a good idea? Anyone could just extract the token from his browser and put it in any script. To be sure that can't be done, a captcha should be asked for every question, but it's sooo bad for UX

Snox-dev1 commented 1 year ago

I had an idea !

Basically on the database you have to add a timestamp of the last vote

Then at each vote, look at when the last vote from that IP was; if it was less than 5 minutes ago, we block.

bdebon commented 1 year ago

It sounds incredible! Easy to implement and good enough to prevent the biggest abuses! Does anybody have something against this proposition?

bdebon commented 1 year ago

oops no, it does not work. Anyone can change its IP for a random one. Node scripts do that super easily, so it's not working.

MatteoGauthier commented 1 year ago

A solution which does not cover all cases may be the use of fingerprintjs on the front in order to prevent browser automation.

quentint commented 1 year ago

The only viable solution is a backend one, since the front/JS can easily be bypassed. So any JS library sounds irrelevant to me 😉

What could help is a PHP rate limiter, eg. https://symfony.com/doc/current/rate_limiter.html (or letting Cloudflare handle that, if technically possible).
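Snox-dev1's "last vote timestamp per IP" check and the backend rate limiter quentint suggests are the same mechanism, so one added example covers both. It is not code from choiceof.dev: the `vote_throttle` table, the `VOTE_COOLDOWN_SECONDS` constant, the HMAC pepper and the in-memory SQLite database used by the demo are all assumptions; the SQL is plain enough to run unchanged on the MySQL available on the Hostinger stack. The caveat a practitioner would want is where the IP comes from: a script can put any value it likes in `X-Forwarded-For` on every request, but it cannot pick the TCP peer address that PHP exposes as `REMOTE_ADDR`, so the throttle keys on that (or on `CF-Connecting-IP` only when the origin is reachable through Cloudflare alone). What a cooldown does not stop is an attacker rotating through real proxy addresses; it only makes that more expensive.

```php
<?php
// Added example (not choiceof.dev code): per-IP vote cooldown backed by PDO.
declare(strict_types=1);

const VOTE_COOLDOWN_SECONDS = 300; // the 5 minutes proposed in the thread (assumption)

// Resolve the client IP from the TCP peer, not from a client-supplied header.
// X-Forwarded-For is deliberately ignored: it is the "new fake IP every time" vector.
function clientIp(array $server, bool $behindCloudflare = false): string
{
    $ip = ($behindCloudflare && !empty($server['HTTP_CF_CONNECTING_IP']))
        ? $server['HTTP_CF_CONNECTING_IP']
        : ($server['REMOTE_ADDR'] ?? '');
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        throw new RuntimeException('No valid client IP available');
    }
    return $ip;
}

function initSchema(PDO $db): void
{
    // One row per (ip, question). Storing an HMAC of the IP keeps raw addresses out of the DB.
    $db->exec('CREATE TABLE IF NOT EXISTS vote_throttle (
        ip_hash   CHAR(64) NOT NULL,
        question  INTEGER  NOT NULL,
        last_vote INTEGER  NOT NULL,
        PRIMARY KEY (ip_hash, question)
    )');
}

// Returns true if the vote may be recorded, false if this IP is still in cooldown
// for this question. Check and update run in one transaction so two concurrent
// requests from the same IP cannot both slip through.
function allowVote(PDO $db, string $ip, int $question, int $now, string $pepper): bool
{
    $ipHash = hash_hmac('sha256', $ip, $pepper);
    $db->beginTransaction();
    try {
        $sel = $db->prepare('SELECT last_vote FROM vote_throttle WHERE ip_hash = ? AND question = ?');
        $sel->execute([$ipHash, $question]);
        $last = $sel->fetchColumn();
        if ($last !== false && $now - (int)$last < VOTE_COOLDOWN_SECONDS) {
            $db->rollBack();
            return false;
        }
        if ($last === false) {
            $db->prepare('INSERT INTO vote_throttle (ip_hash, question, last_vote) VALUES (?, ?, ?)')
               ->execute([$ipHash, $question, $now]);
        } else {
            $db->prepare('UPDATE vote_throttle SET last_vote = ? WHERE ip_hash = ? AND question = ?')
               ->execute([$now, $ipHash, $question]);
        }
        $db->commit();
        return true;
    } catch (Throwable $e) {
        if ($db->inTransaction()) {
            $db->rollBack();
        }
        throw $e;
    }
}

// Stand-alone demo with a constructed request and an in-memory database (assumptions).
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
initSchema($db);
$pepper = 'replace-with-a-random-secret-kept-outside-the-web-root';

$server = ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '198.51.100.1'];
$ip = clientIp($server);   // "203.0.113.7": the forged X-Forwarded-For is ignored
$t0 = 1700000000;

var_dump(allowVote($db, $ip, 42, $t0, $pepper));        // true: first vote on question 42
var_dump(allowVote($db, $ip, 42, $t0 + 10, $pepper));   // false: 10 s later, still in cooldown
var_dump(allowVote($db, $ip, 43, $t0 + 10, $pepper));   // true: a different question
var_dump(allowVote($db, $ip, 42, $t0 + 301, $pepper));  // true: cooldown elapsed
```

On MySQL with InnoDB, add `FOR UPDATE` to the `SELECT` so concurrent transactions on the same row serialize; SQLite serializes writers on its own. The `catch` rolls back only when a transaction is still open because a failed `commit()` can leave PDO without one.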

quentint commented 1 year ago

image (reCAPTCHA Enterprise / v3 / v2) https://www.google.com/recaptcha/about/

Don't break internet again, it might cost you a bit

If you're looking for a cheaper/free alternative, https://www.hcaptcha.com/ is a good solution.

bdebon commented 1 year ago

Hey @quentint!! So nice to have you here!! I would love to have your avatar as a contributor of this project!! If you want to be the hero that will finally close the breach of this project, you are more than welcome and I can make anything that you need to implement this feature!

quentint commented 1 year ago

My brain has this issue running in the background. Will post when implementation details pop!

kmartin91 commented 1 year ago

image (reCAPTCHA Enterprise / v3 / v2) https://www.google.com/recaptcha/about/ Don't break internet again, it might cost you a bit

If you're looking for a cheaper/free alternative, https://www.hcaptcha.com/ is a good solution.

you need to pay if you want to use hCaptcha without captcha

bdebon commented 1 year ago

@quentint I think there is no better person than you to fix that, just because choixdemerde.fr was first inspired by generationwhat and you know what duo was behind this one...

quentint commented 1 year ago

you need to pay if you want to use hCaptcha without captcha

Really? I think I've used it in the past without paying anything, and I can't confirm what you're saying when reading the docs 🤔

kmartin91 commented 1 year ago

you need to pay if you want to use hCaptcha without captcha

Really? I think I've used it in the past without paying anything, and I can't confirm what you're saying when reading the docs 🤔

image

Need a pro account to have the "no captcha mode" according to https://www.hcaptcha.com/#plans . Maybe I'm wrong, I didn't dig that more

quentint commented 1 year ago

I think that means combining both solutions, at least that's what I found in the docs: https://docs.hcaptcha.com/invisible#invisible-vs-passive

Enterprise users can combine "Invisible" (no checkbox) configuration with "Passive" difficulty to avoid any user interruption.

@bdebon: Is Cloudflare activated on Hostinger? eg. https://support.hostinger.com/en/articles/1583241-how-to-activate-and-deactivate-cloudflare

If so, there might be a way to rate limit from there. See Configure Thresholds.

quentint commented 1 year ago

For now https://developers.cloudflare.com/turnstile/ looks like the way to go for me.

Here are the ➕:

Here is the only ➖ I found:

Thoughts anyone?

EliottCestSwag commented 1 year ago

Maybe you could add a slide bar that a bot cannot do. When you put too many connections on Leboncoin.com, the website asks you to solve a little puzzle with a slide bar; maybe somebody could add that type of slide bar (without the puzzle) to switch between each image without ruining the UX?

tdaron commented 1 year ago

What about a JWT gained with reCAPTCHA, allowing the user to answer one time to every question (and the captcha requirement could depend on the website usage: if no one is playing, no need for a captcha, but if at the same time there are 1000 concurrent connections, then captcha for everyone)
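tdaron's flow above (solve one captcha, get a token, then vote once per question) and quentint's Turnstile suggestion fit together: Turnstile is the captcha, and its server-side `siteverify` call is what answers tdaron's earlier objection that a token lifted from the browser can be reused, because `siteverify` accepts each Turnstile token once and only within its validity window. The following is an added example, not choiceof.dev code. It uses an HMAC-signed token instead of a full JWT to avoid a library dependency on shared hosting; the `SESSION_TTL_SECONDS` value, the signing key, the injectable `$post` transport and the array standing in for a `UNIQUE(sid, question)` table are assumptions, and the `siteverify` response in the demo is constructed so the script runs without network access.

```php
<?php
// Added example (not choiceof.dev code): Turnstile siteverify + signed vote-session token.
declare(strict_types=1);

const TURNSTILE_SITEVERIFY = 'https://challenges.cloudflare.com/turnstile/v0/siteverify';
const SESSION_TTL_SECONDS  = 3600; // assumption: how long one solved captcha lets a visitor vote

// Step 1: verify the browser's Turnstile token server side. $post is injectable
// so the demo can run offline; in production pass httpPostForm.
function verifyTurnstile(string $secret, string $token, string $remoteIp, callable $post): bool
{
    if ($token === '' || strlen($token) > 2048) {
        return false;
    }
    $body = $post(TURNSTILE_SITEVERIFY, ['secret' => $secret, 'response' => $token, 'remoteip' => $remoteIp]);
    $json = json_decode($body, true);
    return is_array($json) && ($json['success'] ?? false) === true;
}

// Real transport: a form-encoded POST with cURL, which shared PHP hosting normally ships.
function httpPostForm(string $url, array $fields): string
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 5,
    ]);
    $out = curl_exec($ch);
    curl_close($ch);
    return is_string($out) ? $out : '';
}

// Step 2: after a successful captcha, issue a signed, expiring session token.
// Format: base64url(JSON payload) "." base64url(HMAC-SHA256(payload)).
function b64url(string $s): string
{
    return rtrim(strtr(base64_encode($s), '+/', '-_'), '=');
}

function issueVoteToken(string $key, int $now): string
{
    $payload = json_encode(['sid' => bin2hex(random_bytes(16)), 'exp' => $now + SESSION_TTL_SECONDS]);
    return b64url($payload) . '.' . b64url(hash_hmac('sha256', $payload, $key, true));
}

// Returns the session id when the token is authentic and unexpired, otherwise null.
function parseVoteToken(string $key, string $token, int $now): ?string
{
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2) {
        return null;
    }
    $payload = base64_decode(strtr($parts[0], '-_', '+/'), true);
    $sig     = base64_decode(strtr($parts[1], '-_', '+/'), true);
    if ($payload === false || $sig === false) {
        return null;
    }
    if (!hash_equals(hash_hmac('sha256', $payload, $key, true), $sig)) { // constant-time compare
        return null;
    }
    $data = json_decode($payload, true);
    if (!is_array($data) || !isset($data['sid'], $data['exp']) || (int)$data['exp'] < $now) {
        return null;
    }
    return (string)$data['sid'];
}

// Step 3: one vote per (session, question). Production: a table with UNIQUE(sid, question);
// an array stands in for it here (assumption).
function recordVote(array &$seen, string $sid, int $question): bool
{
    $k = $sid . ':' . $question;
    if (isset($seen[$k])) {
        return false;
    }
    $seen[$k] = true;
    return true;
}

// --- Stand-alone demo with a constructed siteverify response (no network). ---
$secret        = 'turnstile-secret-key-from-config';
$fakeTransport = fn(string $url, array $f): string => json_encode(['success' => $f['response'] === 'good-token']);
var_dump(verifyTurnstile($secret, 'good-token', '203.0.113.7', $fakeTransport));   // true
var_dump(verifyTurnstile($secret, 'stolen-token', '203.0.113.7', $fakeTransport)); // false

$key   = 'replace-with-32-random-bytes-from-config'; // assumption: server-side signing key
$now   = 1700000000;
$token = issueVoteToken($key, $now);
$sid   = parseVoteToken($key, $token, $now);
$seen  = [];
var_dump(recordVote($seen, $sid, 42));                                  // true
var_dump(recordVote($seen, $sid, 42));                                  // false: same question again
var_dump(parseVoteToken($key, $token . 'x', $now));                     // NULL: tampered signature
var_dump(parseVoteToken($key, $token, $now + SESSION_TTL_SECONDS + 1)); // NULL: expired
```

The vote handler then needs no captcha at all: it only checks the token signature and expiry and the `(sid, question)` uniqueness, so a visitor solves Turnstile once and votes freely, while a script must obtain a fresh Turnstile token per session because a session can vote at most once per question.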

EliottCestSwag commented 1 year ago

What about a JWT gained with reCAPTCHA, allowing the user to answer one time to every question (and the captcha requirement could depend on the website usage: if no one is playing, no need for a captcha, but if at the same time there are 1000 concurrent connections, then captcha for everyone)

Yeah but if @bdebon decides to open """officially""" the website, maybe the site will detect 10,000 people at the same time and block them all or ruin the UX because of the captcha :/

tdaron commented 1 year ago

Yeah but it's one captcha for the first connection, then not anymore for every question, and in any case it's possible to tell the difference between a bot rush and a people rush I guess

EliottCestSwag commented 1 year ago

Yeah but it's one captcha for the first connection, then not anymore for every question, and in any case it's possible to tell the difference between a bot rush and a people rush I guess

The bot IPs and people IPs are really different; if a backend could add a protection against that, that could be great. What do you think? @bdebon