huseyinsimsekk / AspNetCore-ReCAPTCHAv3

reCAPTCHA v3 Usage in Asp.Net Core MVC
20 stars 2 forks

serious logical mistake #2

Open dengere opened 3 years ago

dengere commented 3 years ago

Posting to the server after testing from the client is a serious error. In this case, the server's post method can be called by unwanted requests. Every post method body should be verified...

        grecaptcha.execute('@siteKey', { action: 'homepage' }).then(function (token) {
            $.getJSON("/Home/Verify?token=" + token,
                function (data) {
                    if (data) {
                        // it seems ok but the request could be passed by unwanted requests.
                        $('form').unbind('submit').submit();
                    } else {
                        document.location = "@Url.Action("Error", "Home")";
                    }
                });
        });

huseyinsimsekk commented 3 years ago

Hi, thanks for sharing this issue. I didn't understand exactly. Do you mean the reCAPTCHA verify control will be after form submit? Or do you mean this way, when submitting the form, the user can send incorrect data? I used the Google documentation. I checked again and I updated the code, but I think this is not about your issue. Can you give me details or send a PR? Thanks again.

dengere commented 3 years ago
  1. Fetch the token from Google before submitting.
  2. Submit your form with the token. (You don't need to change your input model; the HTTP context will carry the token to your controller.)
  3. Verify the token with your "secret" with any HTTP client on your server side. A filter could be better for MVC controllers.

Why? We use reCAPTCHA for unwanted clients, not only users.

On Tue, 16 Mar 2021 at 20:12, Huseyin Simsek wrote:

> Hi, thanks for sharing this issue. I didn't understand exactly. Do you mean the reCAPTCHA verify control will be after form submit? Or do you mean this way, when submitting the form, the user can send incorrect data? I used the Google documentation. I checked again and I updated the code, but I think this is not about your issue. Can you give me details or send a PR? Thanks again.

huseyinsimsekk commented 3 years ago

Thanks again. I see. I will try to apply this as soon as possible.

batu-han3428 commented 3 years ago

I downloaded it. I put my own keys into appsettings. But I couldn't tell whether it works or not. Do I need to make any other settings?

huseyinsimsekk commented 3 years ago

@batu-han3428 hello. Entering your own values into appsettings is enough. The Google API calculates a value (as a value between 0 and 1). Depending on the threshold value you specified, you can decide whether to submit the form or stop the submit. Also, if you use it in production, you can see statistics over time in the Google reCAPTCHA service for the requests coming to the live system. For example, 100 requests with a value of 0.9 arrived.
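The flow dengere lays out above (fetch the token, submit it with the form, verify it server-side, preferably in a filter) together with the 0..1 score threshold huseyinsimsekk describes, as one added C# example. This is not code from the AspNetCore-ReCAPTCHAv3 repository. It assumes the client JavaScript writes the token into a hidden input named `g-recaptcha-response` (the field name Google's own widget uses) and then submits the form, that the secret and threshold are read from assumed configuration keys `Recaptcha:SecretKey` and `Recaptcha:Threshold`, and that `services.AddHttpClient()` is registered. The `siteverify` URL and the reply fields (`success`, `score`, `action`, `hostname`, `error-codes`) are the ones in Google's reCAPTCHA v3 documentation.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Net.Http;
using System.Text.Json;
using System.Text.Json.Serialization;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

// Shape of Google's siteverify JSON reply (field names from the reCAPTCHA v3 docs).
public sealed class SiteVerifyResponse
{
    [JsonPropertyName("success")] public bool Success { get; set; }
    [JsonPropertyName("score")] public double Score { get; set; }
    [JsonPropertyName("action")] public string? Action { get; set; }
    [JsonPropertyName("hostname")] public string? Hostname { get; set; }
    [JsonPropertyName("error-codes")] public string[]? ErrorCodes { get; set; }
}

// Apply as [ValidateRecaptcha("homepage")] on the POST action that handles the form.
// The check runs on the same request that carries the form data, so a client that
// skips the JavaScript and posts directly is rejected before the action body runs.
[AttributeUsage(AttributeTargets.Method | AttributeTargets.Class)]
public sealed class ValidateRecaptchaAttribute : Attribute, IAsyncActionFilter
{
    private const string VerifyUrl = "https://www.google.com/recaptcha/api/siteverify";
    private const string TokenField = "g-recaptcha-response"; // hidden input filled by the client JS (assumed)

    private readonly string _expectedAction;

    public ValidateRecaptchaAttribute(string expectedAction) => _expectedAction = expectedAction;

    public async Task OnActionExecutionAsync(ActionExecutingContext context, ActionExecutionDelegate next)
    {
        var http = context.HttpContext;
        var config = http.RequestServices.GetRequiredService<IConfiguration>();
        var clients = http.RequestServices.GetRequiredService<IHttpClientFactory>();

        // Assumed configuration keys. The threshold is parsed with the invariant culture on
        // purpose: a value written as "0,5" fails loudly here instead of being misread.
        var secret = config["Recaptcha:SecretKey"]
            ?? throw new InvalidOperationException("Recaptcha:SecretKey is not configured.");
        var threshold = double.Parse(config["Recaptcha:Threshold"] ?? "0.5",
            NumberStyles.Float, CultureInfo.InvariantCulture);

        // Step 2 of the flow: the token rides along with the form post.
        string? token = null;
        if (http.Request.HasFormContentType)
        {
            var form = await http.Request.ReadFormAsync(http.RequestAborted);
            token = form[TokenField].ToString();
        }
        if (string.IsNullOrEmpty(token))
        {
            context.Result = new BadRequestObjectResult("Missing reCAPTCHA token.");
            return;
        }

        // Step 3: verify the token with the secret, server to server. Google answers
        // HTTP 200 for both outcomes and reports failure through "success": false.
        using var body = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["secret"] = secret,
            ["response"] = token,
            ["remoteip"] = http.Connection.RemoteIpAddress?.ToString() ?? string.Empty,
        });
        using var reply = await clients.CreateClient().PostAsync(VerifyUrl, body, http.RequestAborted);
        reply.EnsureSuccessStatusCode();
        var result = await JsonSerializer.DeserializeAsync<SiteVerifyResponse>(
            await reply.Content.ReadAsStreamAsync(http.RequestAborted),
            cancellationToken: http.RequestAborted);

        // A token is only good if Google accepted it, it was minted for this action (so a
        // token harvested on another page cannot be replayed here), and its score clears
        // the configured threshold on the 0..1 scale. Google accepts each token once.
        var ok = result is { Success: true }
            && string.Equals(result.Action, _expectedAction, StringComparison.Ordinal)
            && result.Score >= threshold;
        if (!ok)
        {
            context.Result = new BadRequestObjectResult("reCAPTCHA verification failed.");
            return;
        }

        await next();
    }
}
```

With this in place the separate `/Home/Verify` GET endpoint is no longer needed: the client keeps the same `grecaptcha.execute('@siteKey', { action: 'homepage' })` call but puts `token` into the hidden input and submits the form, and the POST action carries `[ValidateRecaptcha("homepage")]`. If the app sits behind a reverse proxy, enable the forwarded-headers middleware so `RemoteIpAddress` is the client's address rather than the proxy's, or drop `remoteip` from the request since Google treats it as optional. Comparing `Hostname` against the site's own host is a further check worth adding if the secret is shared across domains.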

Aman-Ansari-03 commented 5 months ago

There is a mistake in the appsettings.json file: there is a comma in the RecaptchaThreshold value. I think that should be a ".".