iMi-digital / magento2-friendly-captcha

Magento 2 Module to add the Friendly Captcha service to certain forms.

False positive in Magento security scanner #3

Closed amenk closed 1 year ago

amenk commented 2 years ago

If Adobe's Magento security scanner is used, it would tell us we don't use a captcha, because ReCaptcha is off, despite using FriendlyCaptcha:

image

How can we work around this false positive?

amenk commented 2 years ago

Security scan source IPs: https://community.magento.com/t5/Can-Magento-do/Security-Scan-Tool-source-ips/m-p/405381/highlight/true#M4379 (because it does not use a proper user agent). They check:

52.87.98.44 - - [26/Sep/2022:08:29:08 +0200] "GET /customer/account/create/ HTTP/1.0" 200 9417 "www.example.com" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0"

But we don't know what they check for.

amenk commented 1 year ago

Tweet: https://twitter.com/s3lf/status/1611298051980656640

amenk commented 1 year ago

Info from Magento / Adobe:

The extension will be added as standard reCAPTCHA replacement globally, for all stores.

amenk commented 1 year ago

The security scan no longer triggers: https://github.com/iMi-digital/magento2-friendly-captcha/commit/c160ff671b16533c0183f330be836d21f4e5f8ec