waldhacker / ext-hcaptcha

GNU General Public License v3.0

Captcha can be skipped when parts of the request are being removed #1

Closed dachande closed 2 years ago

dachande commented 3 years ago

We have had a penetration test on one of our customers' websites which also uses the hcaptcha extension and it looks like it's possible to submit a form without validation of the Captcha when the request is manipulated in a specific way removing the POST parameters that relate to the captcha.

This is part of the request when the contact form is being submitted using the TYPO3 form framework with the hcaptcha parameters visible:

POST /de/kontakt?tx_form_formframework%5Baction%5D=perform&tx_form_formframework%5Bcontroller%5D=FormFrontend&cHash=8074c64658348d475c09c8c6918d0b6f HTTP/1.1
Host: www.myhost.com
[...]
-----------------------------333760515616168798754029843249
Content-Disposition: form-data; name="tx_form_formframework[contactform-181][suggestions]"

Please ignore this message. It is part of a Penetration Test.
-----------------------------333760515616168798754029843249
Content-Disposition: form-data; name="tx_form_formframework[contactform-181][privacy]"

-----------------------------333760515616168798754029843249
Content-Disposition: form-data; name="tx_form_formframework[contactform-181][privacy]"

1
-----------------------------333760515616168798754029843249
Content-Disposition: form-data; name="g-recaptcha-response"
-----------------------------333760515616168798754029843249
Content-Disposition: form-data; name="h-captcha-response"
-----------------------------333760515616168798754029843249
Content-Disposition: form-data; name="tx_form_formframework[contactform-181][hcaptcha-1]"

1
-----------------------------333760515616168798754029843249
Content-Disposition: form-data; name="tx_form_formframework[contactform-181][__currentPage]"

1
-----------------------------333760515616168798754029843249--

If these parameters are just removed from the request like in the following example, the request succeeds anyway and a confirmation mail will be created as configured in the form.

POST /de/kontakt?tx_form_formframework%5Baction%5D=perform&tx_form_formframework%5Bcontroller%5D=FormFrontend&cHash=8074c64658348d475c09c8c6918d0b6f HTTP/1.1
Host: www.myhost.com
[...]
-----------------------------333760515616168798754029843249
Content-Disposition: form-data; name="tx_form_formframework[contactform-181][suggestions]"

Please ignore this message. It is part of a Penetration Test.
-----------------------------333760515616168798754029843249
Content-Disposition: form-data; name="tx_form_formframework[contactform-181][privacy]"

-----------------------------333760515616168798754029843249
Content-Disposition: form-data; name="tx_form_formframework[contactform-181][privacy]"

1
-----------------------------333760515616168798754029843249
Content-Disposition: form-data; name="tx_form_formframework[contactform-181][__currentPage]"

1
-----------------------------333760515616168798754029843249--

I'm not exactly sure if this is an issue regarding the TYPO3 form framework in general or the hcaptcha extension. But as the problem occurs when using the hcaptcha extension, I am placing the issue here.

waldhacker1 commented 3 years ago

I can't reproduce that at the moment. Which TYPO3 version and which hcaptcha version are you using?

dachande commented 3 years ago

We are using TYPO3 10.4.17 and hcaptcha extension v1.0.0. I have just seen that the extension has been recently updated to v2.0.0. I'll try that update and come back to you if the problem can still be reproduced after the update.

waldhacker1 commented 2 years ago

I have implemented functional tests in version 2.0.1 which test the described scenarios. The hcaptcha validation fails if the request parameters are missing. I am therefore closing the ticket. If the problem occurs again, please create a new ticket.
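
The fail-closed behaviour described in the last comment, contrasted with a fail-open check that would produce the symptom in the report, as an added plain-PHP example (not code from ext-hcaptcha or TYPO3, and not a reconstruction of the v1.0.0 validator). The function names, the `$verify` callable standing in for the provider call, and all token values are constructed assumptions.

```php
<?php
declare(strict_types=1);

// Added illustration, not code from ext-hcaptcha or TYPO3.
// $verify is a hypothetical stand-in for the server-side call to the
// captcha provider; it returns true only for a token it accepts.

// Fail-open pattern: the token is only checked when the field is present,
// so a request with the captcha fields stripped is never verified.
function captchaPassesFailOpen(array $post, callable $verify): bool
{
    if (!array_key_exists('h-captcha-response', $post)) {
        return true;
    }
    return $verify((string)$post['h-captcha-response']) === true;
}

// Fail-closed pattern: a missing, non-string or empty token is itself a
// validation failure, and only an explicit "true" from the provider passes.
function captchaPassesFailClosed(array $post, callable $verify): bool
{
    $token = $post['h-captcha-response'] ?? null;
    if (!is_string($token) || trim($token) === '') {
        return false;
    }
    return $verify($token) === true;
}

// Constructed sample data modelled on the two requests in the report.
$verify = static fn(string $token): bool => $token === 'constructed-valid-token';
$form = ['tx_form_formframework' => ['contactform-181' => [
    'suggestions' => 'constructed message',
    'privacy' => '1',
    '__currentPage' => '1',
]]];
$cases = [
    'valid token' => $form + ['h-captcha-response' => 'constructed-valid-token'],
    'wrong token' => $form + ['h-captcha-response' => 'constructed-bad-token'],
    'empty token' => $form + ['h-captcha-response' => ''],
    'captcha fields removed' => $form,
];

foreach ($cases as $label => $post) {
    printf("%-24s fail-open=%-5s fail-closed=%s\n", $label,
        var_export(captchaPassesFailOpen($post, $verify), true),
        var_export(captchaPassesFailClosed($post, $verify), true));
}
```

Only the last case separates the two checks: with the captcha fields removed, the fail-open function accepts the submission and the fail-closed function rejects it.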