umbraco / Umbraco.Forms.Issues

Public issue tracker for Umbraco Forms

reCAPTCHA vs AntiForgery validation, what comes first? #1300

Closed tormnator closed 1 month ago

tormnator commented 1 month ago

We're currently under a limited attack on one of our Umbraco Forms forms. We have reCAPTCHA v3 enabled, and the Google reCAPTCHA dashboard confirms a large number of high-risk/low-score (0.1) requests. Nevertheless, on our backend a lot of (maybe all?) requests lead to an AntiforgeryValidationException being thrown.

The reCAPTCHA v3 field on the form is configured with the default threshold of 0.5, and after a while with the Mandatory option not checked we noticed this and changed that to being checked. But requests are still getting through to the Umbraco Forms ValidateFormsAntiForgeryTokenFilter which then throws the AntiforgeryValidationException exception.

So, does anyone have any insights into what is to be expected from Umbraco Forms? Is there any chance the antiforgery validation happens before the reCAPTCHA validation?

c9mb commented 1 month ago

I believe that [ValidateFormsAntiForgeryToken] is applied as an attribute in the Forms controller, so will likely be evaluated first. Some spambots try to cache forms and then resubmit multiple times, changing the field values, resulting in a token mismatch error being logged before the reCAPTCHA validation blocks them - or at least that's been my experience.

tormnator commented 1 month ago

If the antiforgery checks are intended to be done before reCAPTCHA, then I assume the code works as intended. But, if that doesn't make sense, if it makes more sense that a missing reCAPTCHA field should be checked first, then maybe the code is not working as intended.

I don't have full understanding of how reCAPTCHA works, I assume that there's a client side check first, but that there also needs to be a server side check, in case someone is submitting the form from a different server without the reCAPTCHA field being present.

c9mb commented 1 month ago

CAPTCHA-v3 is validated at the server side.

AndyButland commented 1 month ago

Yes, this is how the process works. The antiforgery token is checked via a standard .NET attribute on the controller that receives the form post, so it'll run before any server-side validation, including the reCAPTCHA check.
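The ordering described in the thread, shown as an added example in plain ASP.NET Core MVC. This is not Umbraco Forms code: the controller, model, field names, `RecaptchaV3Verifier` class and the `contact_submit` action name are all hypothetical. What is not hypothetical is the pipeline order it relies on: `[ValidateAntiForgeryToken]` is an authorization filter, so it runs before model binding, model validation and the action body, which is where the server-side call to Google's `siteverify` endpoint lives.

```csharp
// Added example (not Umbraco Forms code). Demonstrates why a replayed or
// cached form post fails antiforgery validation before reCAPTCHA v3 is ever
// consulted: the antiforgery attribute is an authorization filter, and the
// reCAPTCHA verification is ordinary code inside the action.
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Json;
using System.Text.Json.Serialization;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Logging;

public sealed class ContactFormModel
{
    public string? Email { get; set; }
    public string? Message { get; set; }
    // Hypothetical field: the result of grecaptcha.execute() posted by the client.
    public string? RecaptchaToken { get; set; }
}

// Shape of the JSON returned by https://www.google.com/recaptcha/api/siteverify
public sealed class SiteVerifyResponse
{
    [JsonPropertyName("success")]  public bool Success { get; set; }
    [JsonPropertyName("score")]    public double Score { get; set; }
    [JsonPropertyName("action")]   public string? Action { get; set; }
    [JsonPropertyName("hostname")] public string? Hostname { get; set; }
}

public sealed class RecaptchaV3Verifier
{
    private readonly HttpClient _http;
    private readonly string _secret;   // assumption: injected from configuration, never hard-coded

    public RecaptchaV3Verifier(HttpClient http, string secret) { _http = http; _secret = secret; }

    // Returns Google's score (1.0 = very likely human, 0.0 = very likely bot),
    // or null when the token is missing, invalid, or minted for another action.
    public async Task<double?> VerifyAsync(string? token, string remoteIp, string expectedAction)
    {
        // A bot that scraped the form and posts from elsewhere usually sends no token at all.
        if (string.IsNullOrWhiteSpace(token)) return null;

        var form = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["secret"]   = _secret,
            ["response"] = token,
            ["remoteip"] = remoteIp,
        });
        using var resp = await _http.PostAsync("https://www.google.com/recaptcha/api/siteverify", form);
        var body = await resp.Content.ReadFromJsonAsync<SiteVerifyResponse>();
        if (body is null || !body.Success) return null;

        // v3 tokens carry the action name given to grecaptcha.execute(); reject a
        // token minted for a different form or page being replayed against this one.
        if (!string.Equals(body.Action, expectedAction, StringComparison.Ordinal)) return null;
        return body.Score;
    }
}

public sealed class ContactController : Controller
{
    private const double ScoreThreshold = 0.5;   // the default threshold mentioned in the thread
    private readonly RecaptchaV3Verifier _recaptcha;
    private readonly ILogger<ContactController> _log;

    public ContactController(RecaptchaV3Verifier recaptcha, ILogger<ContactController> log)
    { _recaptcha = recaptcha; _log = log; }

    [HttpPost]
    [ValidateAntiForgeryToken]   // step 1: authorization filter; a missing or mismatched token
                                 // is rejected with 400 before anything below executes
    public async Task<IActionResult> Submit(ContactFormModel model)
    {
        // step 2: model binding and DataAnnotations validation have already run
        if (!ModelState.IsValid) return View("Form", model);

        // step 3: server-side reCAPTCHA v3 check. A bot whose cached antiforgery
        // token failed in step 1 never reaches this line, which is why the
        // dashboard and the exception log disagree about who "blocked" it.
        var ip = HttpContext.Connection.RemoteIpAddress?.ToString() ?? string.Empty;
        var score = await _recaptcha.VerifyAsync(model.RecaptchaToken, ip, expectedAction: "contact_submit");
        if (score is null || score < ScoreThreshold)
        {
            _log.LogWarning("reCAPTCHA rejected submission from {Ip}, score={Score}", ip, score);
            ModelState.AddModelError(string.Empty, "Submission could not be verified.");
            return View("Form", model);
        }

        // ... persist the submission ...
        return RedirectToAction("ThankYou");
    }
}
```

The order cannot be flipped by rearranging this code: ASP.NET Core runs authorization filters before resource filters, model binding and action filters, and only then the action. Moving the antiforgery check after reCAPTCHA would mean dropping the attribute and validating the token manually inside the action via `IAntiforgery.ValidateRequestAsync`, which trades a cheap early rejection for an outbound HTTPS call to Google on every bot request. Note also that `siteverify` reports a score even for a replayed token only once; Google invalidates a v3 token after its first verification, so a second submission with the same token fails with `success=false` rather than a low score.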