getgrav / grav-plugin-form

Grav Form Plugin
http://getgrav.org
MIT License
53 stars 79 forks

Bypassed reCaptcha (a lot) #548

Closed loranger closed 2 years ago

loranger commented 2 years ago

Hello,

I have a very simple contact form with a reCaptcha v3. As you can see it seems to work properly (and it was).

For a few days now I have been getting a lot of spam through this form: one or two (Russian) emails every 2 or 4 minutes (that's the interval I could identify).

[Screenshot 2022-01-13 at 16:12:13]

And now the sending Google account has been disabled for security reasons. I tried to dig a little deeper, but I can't figure out how they bypass reCaptcha.

In my server log files I can see a GET request followed by a POST, but I can't see what exactly is posted.

log sample

```
138.199.7.131 - - [13/Jan/2022:15:55:08 +0100] "GET /contact HTTP/1.0" 200 10852 "https://catcel-avocat.fr/contact" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36" "-"
138.199.7.136 - - [13/Jan/2022:15:55:08 +0100] "GET /contact HTTP/1.0" 200 10852 "https://catcel-avocat.fr/contact" "Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.72 Safari/537.36" "-"
138.199.7.131 - - [13/Jan/2022:15:55:08 +0100] "POST /contact HTTP/1.0" 500 2585 "https://catcel-avocat.fr/contact" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36" "-"
138.199.7.136 - - [13/Jan/2022:15:55:09 +0100] "POST /contact HTTP/1.0" 500 2594 "https://catcel-avocat.fr/contact" "Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.72 Safari/537.36" "-"
138.199.7.134 - - [13/Jan/2022:15:56:07 +0100] "GET /contact HTTP/1.0" 200 10852 "https://catcel-avocat.fr/contact" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49" "-"
138.199.7.134 - - [13/Jan/2022:15:56:08 +0100] "POST /contact HTTP/1.0" 500 2594 "https://catcel-avocat.fr/contact" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49" "-"
185.107.95.212 - - [13/Jan/2022:15:56:22 +0100] "GET /contact HTTP/1.0" 200 10852 "https://catcel-avocat.fr/contact" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36" "-"
185.107.95.212 - - [13/Jan/2022:15:56:22 +0100] "POST /contact HTTP/1.0" 200 11562 "https://catcel-avocat.fr/contact" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36" "-"
82.64.106.241 - - [13/Jan/2022:15:57:10 +0100] "POST /contact HTTP/2.0" 200 10852 "catcel-avocat.fr/contact" "insomnia/2021.7.2" "-"
138.199.7.131 - - [13/Jan/2022:15:59:17 +0100] "GET /contact HTTP/1.0" 200 10852 "https://catcel-avocat.fr/contact" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "-"
138.199.7.131 - - [13/Jan/2022:15:59:18 +0100] "POST /contact HTTP/1.0" 500 2591 "https://catcel-avocat.fr/contact" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "-"
185.191.171.17 - - [13/Jan/2022:15:59:18 +0100] "GET /contact/images/preview/images/preview/images/preview/images/preview/images/preview/images/preview/images/preview/images/preview/images/preview/images/preview/images/preview/images/preview/images/preview/images/preview/send.php HTTP/1.1" 404 153 "-" "Mozilla/5.0 (compatible; SemrushBot/7~bl; +http://www.semrush.com/bot.html)" "-"
138.199.7.136 - - [13/Jan/2022:15:59:21 +0100] "GET /contact HTTP/1.0" 200 10852 "https://catcel-avocat.fr/contact" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.72 Safari/537.36" "-"
138.199.7.136 - - [13/Jan/2022:15:59:22 +0100] "POST /contact HTTP/1.0" 500 2585 "https://catcel-avocat.fr/contact" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.72 Safari/537.36" "-"
138.199.7.134 - - [13/Jan/2022:16:02:42 +0100] "GET /contact HTTP/1.0" 200 10852 "https://catcel-avocat.fr/contact" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4400.8 Safari/537.36" "-"
138.199.7.134 - - [13/Jan/2022:16:02:43 +0100] "POST /contact HTTP/1.0" 500 2591 "https://catcel-avocat.fr/contact" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4400.8 Safari/537.36" "-"
185.107.95.212 - - [13/Jan/2022:16:03:16 +0100] "GET /contact HTTP/1.0" 200 10852 "https://catcel-avocat.fr/contact" "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.72 Safari/537.36" "-"
185.107.95.212 - - [13/Jan/2022:16:03:17 +0100] "POST /contact HTTP/1.0" 200 11507 "https://catcel-avocat.fr/contact" "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.72 Safari/537.36" "-"
138.199.7.131 - - [13/Jan/2022:16:03:29 +0100] "GET /contact HTTP/1.0" 200 10852 "https://catcel-avocat.fr/contact" "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49" "-"
138.199.7.131 - - [13/Jan/2022:16:03:29 +0100] "POST /contact HTTP/1.0" 500 2591 "https://catcel-avocat.fr/contact" "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49" "-"
138.199.7.136 - - [13/Jan/2022:16:03:37 +0100] "GET /contact HTTP/1.0" 200 10852 "https://catcel-avocat.fr/contact" "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "-"
138.199.7.136 - - [13/Jan/2022:16:03:38 +0100] "POST /contact HTTP/1.0" 500 2591 "https://catcel-avocat.fr/contact" "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "-"
138.199.7.131 - - [13/Jan/2022:16:07:45 +0100] "GET /contact HTTP/1.0" 200 10852 "https://catcel-avocat.fr/contact" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.72 Safari/537.36" "-"
138.199.7.131 - - [13/Jan/2022:16:07:46 +0100] "POST /contact HTTP/1.0" 500 2594 "https://catcel-avocat.fr/contact" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.72 Safari/537.36" "-"
138.199.7.136 - - [13/Jan/2022:16:07:56 +0100] "GET /contact HTTP/1.0" 200 10852 "https://catcel-avocat.fr/contact" "Mozilla/5.0 (Windows NT 6.1; ) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "-"
138.199.7.136 - - [13/Jan/2022:16:07:56 +0100] "POST /contact HTTP/1.0" 500 2591 "https://catcel-avocat.fr/contact" "Mozilla/5.0 (Windows NT 6.1; ) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "-"
138.199.7.134 - - [13/Jan/2022:16:09:25 +0100] "GET /contact HTTP/1.0" 200 10852 "https://catcel-avocat.fr/contact" "Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.72 Safari/537.36" "-"
138.199.7.134 - - [13/Jan/2022:16:09:25 +0100] "POST /contact HTTP/1.0" 500 2588 "https://catcel-avocat.fr/contact" "Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.72 Safari/537.36" "-"
185.107.95.212 - - [13/Jan/2022:16:10:24 +0100] "GET /contact HTTP/1.0" 200 10852 "https://catcel-avocat.fr/contact" "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.72 Safari/537.36" "-"
185.107.95.212 - - [13/Jan/2022:16:10:25 +0100] "POST /contact HTTP/1.0" 200 11553 "https://catcel-avocat.fr/contact" "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.72 Safari/537.36" "-"
138.199.7.131 - - [13/Jan/2022:16:11:56 +0100] "GET /contact HTTP/1.0" 200 10852 "https://catcel-avocat.fr/contact" "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "-"
138.199.7.131 - - [13/Jan/2022:16:11:57 +0100] "POST /contact HTTP/1.0" 500 2223 "https://catcel-avocat.fr/contact" "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "-"
138.199.7.136 - - [13/Jan/2022:16:12:07 +0100] "GET /contact HTTP/1.0" 200 10852 "https://catcel-avocat.fr/contact" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.86 Safari/537.36" "-"
138.199.7.136 - - [13/Jan/2022:16:12:08 +0100] "POST /contact HTTP/1.0" 500 2222 "https://catcel-avocat.fr/contact" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.86 Safari/537.36" "-"
```

Here is the page's frontmatter header:

contact page

```yaml
title: 'Formulaire de contact'
menu: Contact
process:
    markdown: true
    twig: false
form:
    name: contact-form
    fields:
        -
            name: name
            label: Nom
            placeholder: 'Votre nom'
            autofocus: 'off'
            autocomplete: 'on'
            type: text
            validate:
                required: true
        -
            name: email
            label: Email
            placeholder: 'Votre adresse email'
            type: text
            validate:
                rule: email
                required: true
        -
            name: message
            label: Message
            size: long
            placeholder: 'Saisissez votre message'
            type: textarea
            validate:
                required: true
        -
            name: g-recaptcha-response
            label: Captcha
            type: captcha
            recaptcha_not_validated: 'Captcha non valide !'
    buttons:
        -
            type: submit
            value: Envoyer
    process:
        -
            email:
                from: '{{ config.plugins.email.from }}'
                to: '{{ config.plugins.email.to }}'
                reply_to: '{{ form.value.email }}'
                subject: '[Message] {{ form.value.name|e }}'
                body: '{% include ''forms/data.html.twig'' %}'
        -
            save:
                fileprefix: feedback-
                dateformat: Ymd-His-u
                extension: txt
                body: '{% include ''forms/data.txt.twig'' %}'
        -
            captcha: true
        -
            message: 'Message envoyé !'
        -
            display: thankyou
```

And here are my settings files:

email.yaml

```yaml
enabled: true
from:
from_name: 'Conciergerie web'
to:
to_name: null
queue:
    enabled: false
    flush_frequency: '* * * * *'
    flush_msg_limit: 10
    flush_time_limit: 100
mailer:
    engine: smtp
    smtp:
        server: smtp.gmail.com
        port: 587
        encryption: tls
        user:
        password:
        auth_mode: null
    sendmail:
        bin: '/usr/sbin/sendmail -bs'
content_type: text/html
debug: false
charset: null
cc: null
cc_name: null
bcc: null
reply_to: null
reply_to_name: null
body: null
```
form.yaml

```yaml
enabled: true
built_in_css: true
inline_css: true
refresh_prevention: false
client_side_validation: true
inline_errors: false
files:
    multiple: false
    limit: 10
    destination: self@
    avoid_overwriting: false
    random_name: false
    filesize: 0
    accept:
        - 'image/*'
recaptcha:
    version: '3'
    theme: light
    site_key: 6LdO1vwUAAAAAOvobpzY3CNQ4Fw_qrjzFTadse8_
    secret_key:
```

Could you please help me stop this flood and get my email usage back to normal?
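The log sample in the report already shows the automation signature a practitioner would look for: the same handful of source addresses fetch `/contact` and POST it within the same second, each visit wearing a different Chrome or Edge User-Agent, and one client (`insomnia/2021.7.2`) POSTs with no prior GET at all. The following script is an added example, not code from the reporter or from the Grav project; it parses a subset of the log lines quoted above (real lines from this issue, not constructed ones) in the combined log format the sample uses and flags those patterns per source IP. The one-to-two-second GET-to-POST threshold and the "suspicious" rule are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined log format with a trailing "-" field, as in the sample above.
# The referrer group tolerates a value without a scheme ("catcel-avocat.fr/contact").
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Subset of the lines quoted in the issue (real lines from the report).
SAMPLE_LOG = """\
138.199.7.131 - - [13/Jan/2022:15:55:08 +0100] "GET /contact HTTP/1.0" 200 10852 "https://catcel-avocat.fr/contact" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36" "-"
138.199.7.131 - - [13/Jan/2022:15:55:08 +0100] "POST /contact HTTP/1.0" 500 2585 "https://catcel-avocat.fr/contact" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36" "-"
185.107.95.212 - - [13/Jan/2022:15:56:22 +0100] "GET /contact HTTP/1.0" 200 10852 "https://catcel-avocat.fr/contact" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36" "-"
185.107.95.212 - - [13/Jan/2022:15:56:22 +0100] "POST /contact HTTP/1.0" 200 11562 "https://catcel-avocat.fr/contact" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36" "-"
82.64.106.241 - - [13/Jan/2022:15:57:10 +0100] "POST /contact HTTP/2.0" 200 10852 "catcel-avocat.fr/contact" "insomnia/2021.7.2" "-"
138.199.7.131 - - [13/Jan/2022:15:59:17 +0100] "GET /contact HTTP/1.0" 200 10852 "https://catcel-avocat.fr/contact" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "-"
138.199.7.131 - - [13/Jan/2022:15:59:18 +0100] "POST /contact HTTP/1.0" 500 2591 "https://catcel-avocat.fr/contact" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "-"
185.107.95.212 - - [13/Jan/2022:16:03:16 +0100] "GET /contact HTTP/1.0" 200 10852 "https://catcel-avocat.fr/contact" "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.72 Safari/537.36" "-"
185.107.95.212 - - [13/Jan/2022:16:03:17 +0100] "POST /contact HTTP/1.0" 200 11507 "https://catcel-avocat.fr/contact" "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.72 Safari/537.36" "-"
"""


def parse(line):
    """Parse one combined-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def triage(log_text, path="/contact", max_gap_s=2.0):
    """Group requests to `path` per source IP and count automation signals:
    GET immediately followed by POST (within max_gap_s), POSTs with no prior
    GET (direct replay), and several User-Agents from one address.
    Thresholds are illustrative assumptions. Returns {ip: counters}."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and rec["path"] == path:
            per_ip[rec["ip"]].append(rec)

    report = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        fast_pairs = orphan_posts = 0
        last_get = None
        for r in recs:
            if r["method"] == "GET":
                last_get = r
            elif r["method"] == "POST":
                if last_get is None:
                    orphan_posts += 1
                elif (r["ts"] - last_get["ts"]).total_seconds() <= max_gap_s:
                    fast_pairs += 1
                last_get = None  # the next POST needs its own GET
        posts = [r for r in recs if r["method"] == "POST"]
        uas = {r["ua"] for r in recs}
        report[ip] = {
            "posts": len(posts),
            "posts_200": sum(1 for r in posts if r["status"] == 200),
            "fast_get_post_pairs": fast_pairs,
            "orphan_posts": orphan_posts,
            "distinct_user_agents": len(uas),
            "suspicious": fast_pairs >= 1 or orphan_posts >= 1 or len(uas) > 1,
        }
    return report


if __name__ == "__main__":
    for ip, counters in triage(SAMPLE_LOG).items():
        print(ip, counters)
```

On this sample every address comes out flagged: the two `138.199.7.x`/`185.107.95.x` hosts pair each GET with a POST inside a second and rotate User-Agents between visits, while the Insomnia client is a direct POST with no page load. Note which of the POSTs return 200 rather than 500; those are the submissions the form actually accepted and are the ones to correlate with the spam timestamps.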

robhuijben commented 2 years ago

I'm experiencing exactly the same with reCaptcha v3, so I downgraded to the reCaptcha v2 checkbox, which works for now. Maybe that's a little workaround for the time being until there is a solution for this issue, @loranger.

loranger commented 2 years ago

Thanks for the workaround @robhuijben !

I downgraded too, but I still receive spam… How can that be!?

robhuijben commented 2 years ago

I see! It seems that the server-side validation does not work properly. Unfortunately I'm not able to discover what is wrong, but maybe @w00fz is? For now I suggest using the honeypot field to prevent bots from spamming your form. Just follow the docs at https://learn.getgrav.org/17/forms/forms/fields-available#honeypot-field.

And for background info I suggest reading this thread on Stackoverflow.

loranger commented 2 years ago

Thanks @robhuijben. I've added a honeypot, but I also created a brand new contact page and updated my form plugin from 5.1.4 to 5.1.5.

I don't know what exactly fixed the issue, but my inbox is now spam-free, and you cannot imagine how relieved I am.

new contact page

```yaml
title: 'Formulaire de contact'
menu: Contact
form:
    name: contact
    fields:
        name:
            label: Nom
            placeholder: 'Votre nom'
            autocomplete: 'on'
            type: text
            validate:
                required: true
        email:
            label: Email
            placeholder: 'Votre adresse email'
            type: email
            validate:
                required: true
        message:
            label: Message
            placeholder: 'Saisissez votre message'
            type: textarea
            rows: 10
            validate:
                required: true
        honeypot:
            type: honeypot
        g-recaptcha-response:
            label: Captcha
            type: captcha
            recaptcha_not_validated: 'Captcha non valide !'
    buttons:
        submit:
            type: submit
            value: Envoyer
        reset:
            type: reset
            value: Effacer
    process:
        captcha: true
        save:
            fileprefix: feedback-
            dateformat: Ymd-His-u
            extension: txt
            body: '{% include ''forms/data.txt.twig'' %}'
        email:
            from: '{{ config.plugins.email.from }}'
            to: '{{ config.plugins.email.to }}'
            reply_to: '{{ form.value.email }}'
            subject: '[Message] {{ form.value.name|e }}'
            body: '{% include ''forms/data.html.twig'' %}'
        message: 'Message correctement envoyé'
        display: thankyou
```
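Two things differ between the two page configurations in this thread that matter for server-side captcha enforcement, whatever actually cured the flood: in the original page the `captcha: true` step is listed after `email:` and `save:`, whereas the new page lists it first, and the posted `form.yaml` shows an empty `secret_key:` (possibly redacted for the report). The script below is an added example, not code from the thread's participants or from the Grav project. It shows what a correct siteverify assessment checks beyond `success` (hostname binding, v3 action binding, a v3 score threshold), and it models an ordered process pipeline in which the first failing captcha step aborts the remaining actions, so that the effect of step order can be seen directly. The pipeline model, the `0.5` score threshold and the `contact` action name are assumptions for illustration; confirm the ordering behaviour against the plugin version you run. The siteverify payloads in the test are constructed, with the error codes Google documents for a missing secret or token.

```python
import json
import urllib.parse
import urllib.request

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"

# Process step order as listed in the two page configs in this thread.
OLD_ORDER = ["email", "save", "captcha", "message", "display"]
NEW_ORDER = ["captcha", "save", "email", "message", "display"]


def assess_siteverify(payload, expected_hostname, expected_action=None, min_score=0.5):
    """Decide whether a siteverify JSON body proves a human submitted the form.
    Returns (ok, reason). Checking only `success` is what lets replayed or
    low-score tokens through; bind the token to the hostname, and for v3 also
    to the action and a minimum score (0.5 is an assumed threshold)."""
    if not payload.get("success"):
        codes = payload.get("error-codes") or ["unknown"]
        return False, "siteverify failed: " + ",".join(codes)
    if payload.get("hostname") != expected_hostname:
        return False, "hostname mismatch: %r" % payload.get("hostname")
    if "score" in payload:  # only v3 responses carry a score and action
        if expected_action is not None and payload.get("action") != expected_action:
            return False, "action mismatch: %r" % payload.get("action")
        if float(payload["score"]) < min_score:
            return False, "score %s below %s" % (payload["score"], min_score)
    return True, "ok"


def verify_token(secret, token, remote_ip=None, timeout=5):
    """Live siteverify call (network; not exercised by the offline test).
    An empty secret is answered with success=false and missing-input-secret,
    an empty token with missing-input-response."""
    data = {"secret": secret, "response": token}
    if remote_ip:
        data["remoteip"] = remote_ip
    req = urllib.request.Request(SITEVERIFY_URL, data=urllib.parse.urlencode(data).encode())
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def run_process(order, captcha_ok):
    """Model (an assumption, not the plugin's code) of an ordered process list:
    actions run top to bottom and a failing `captcha` stops the rest.
    Returns the names of the actions that ran."""
    executed = []
    for action in order:
        if action == "captcha" and not captcha_ok:
            break
        executed.append(action)
    return executed


if __name__ == "__main__":
    bad = {"success": False, "error-codes": ["missing-input-secret"]}
    print(assess_siteverify(bad, "catcel-avocat.fr"))
    print("old order, captcha fails:", run_process(OLD_ORDER, captcha_ok=False))
    print("new order, captcha fails:", run_process(NEW_ORDER, captcha_ok=False))
```

Under this model the old order still runs `email` and `save` before the captcha verdict is known, so a bot that submits any token at all gets its message delivered; with the captcha step first, a failed verification sends nothing. Independently of order, a v3 deployment that never inspects `hostname`, `action` or `score` accepts any syntactically valid token that Google marks successful, which is why the v2 checkbox downgrade alone did not stop the flood for the reporter.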