DanDcru

Reputation: 115

How to pass POST data to external site after recaptcha authentication?

I have a form where the action is a script on another website and I need to filter out spam. I have set up recaptcha v2 and changed my form action to point to a local php file which is successfully receiving the response from recaptcha as 'success' or 'fail'. On a 'fail' I use a php header to send the visitor back to the page they came from, but on a 'success' I can't figure out the next step. What is the best way to take my POST data and submit it to the external website's capture.php script?

Upvotes: 2

Views: 3284

Answers (2)

Exadra37

Reputation: 13104

How I understand your real problem

I have a form where the action is a script on another website and I need to filter out spam.

Based on this, I assumed for my entire response that your real problem is to not allow bots or automated scripts to submit your form, thus my reply does not show how you can submit the POST data to another website, but instead shows you the options to tackle what seems to be your real issue.

The form action redirection doesn't solve the issue

changed my form action to point to a local php file which is successfully receiving the response from recaptcha as 'success' or 'fail'. On a 'fail' I use a php header to send the visitor back to the page they came from, but on a 'success' I can't figure out the next step.

This approach can be easily faked by any attacker. They can just hit F12 in the browser to see how you make the request to this php script that you use to validate the reCaptcha v2 and then automate the process, thus easily bypassing your protection.

So the approach you are taking to tackle the problem of only allowing a human to submit a form will not work.

Recommended to use reCaptcha V3

I have set up recaptcha v2

I would recommend using Google reCaptcha V3, which will run in the background without needing any user interaction and will return a score from 0 to 1, where towards 1 it means that it is a human using the page, otherwise it is an automated tool.

Google quote:

We are excited to introduce reCAPTCHA v3, which helps you detect abusive traffic on your website without any user friction. It returns a score based on the interactions with your website and provides you more flexibility to take appropriate actions.

Important

Include reCaptcha V3 in all pages of your website so that Google can learn about the user and its behaviours in order to give you a more confident score about whether it's a human or a bot. Remember that since it does not prompt the user for interaction, it does not affect the user experience on any page of your site.

Always validate the reCaptcha V3 score in the back-end, in order to know if it is a human or a bot doing it and block accordingly. You may even want to add this check into other back-end endpoints that may have sensitive data that you don't want to be scraped.

Example response from Google API for a server side reCaptcha V3 validation, as per Google docs:

{
  "success": true|false,      // whether this request was a valid reCAPTCHA token for your site
  "score": number,            // the score for this request (0.0 - 1.0)
  "action": string,           // the action name for this request (important to verify)
  "challenge_ts": timestamp,  // timestamp of the challenge load (ISO format yyyy-MM-dd'T'HH:mm:ssZZ)
  "hostname": string,         // the hostname of the site where the reCAPTCHA was solved
  "error-codes": [...]        // optional
}

Further Protection

Cross-Site Request Forgery, better known as CSRF

If you are using a framework it should already have built-in protection for this, just read their documents on forms. Otherwise, read the OWASP CSRF description of the attack and the OWASP CSRF Prevention Cheat Sheet to learn how to defend against it.

OWASP quote:

Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated.

Cross-Site Scripting, also known as XSS

For a description of the attack read the OWASP XSS attack description and then head over to the OWASP XSS Prevention Cheat Sheet to see how to defend against it. Once more, if you use a framework it should already have tooling in place to help you prevent XSS attacks.

OWASP quote:

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user.

Continue to use reCaptcha V2

So if you want to continue to use reCaptcha V2, just let it work as usual:

  • blocking the user from clicking the form submit button until it passes all the Google challenges.
  • pointing the form to the original php script that handles the form submission and having it check the reCaptcha V2 on the server side.

Example verification response from Google API, as per Google docs:

{
  "success": true|false,
  "challenge_ts": timestamp,  // timestamp of the challenge load (ISO format yyyy-MM-dd'T'HH:mm:ssZZ)
  "hostname": string,         // the hostname of the site where the reCAPTCHA was solved
  "error-codes": [...]        // optional
}

Please bear in mind that reCaptcha V2 can be bypassed, just search Google for "recaptcha v2 bypass" to see how many services exist for this, which will allow attackers to continue hitting the script in an automated way.

Upvotes: 0
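The server-side check the answer above recommends, as an added example that is not part of the answer or of the asker's code. It assumes the secret key sits in a RECAPTCHA_SECRET environment variable, that the page called grecaptcha.execute() with the action 'contact_form', and that 'www.example.com' stands in for your own host; every field of the siteverify response shown above is verified, not just "success".

```php
<?php
// Added example, not the answer's own code: server-side reCAPTCHA v3 verification.
// Assumptions (placeholders): secret key in env var RECAPTCHA_SECRET, the page called
// grecaptcha.execute(siteKey, {action: 'contact_form'}), token in POST 'g-recaptcha-response'.

const RECAPTCHA_EXPECTED_ACTION   = 'contact_form';    // must equal the action used on the page
const RECAPTCHA_EXPECTED_HOSTNAME = 'www.example.com'; // your own site host (placeholder)
const RECAPTCHA_MIN_SCORE         = 0.5;               // 1.0 = very likely human; raise to be stricter
const RECAPTCHA_MAX_AGE_SECONDS   = 120;               // reject stale tokens

function recaptcha_siteverify(string $token, string $secret): ?array
{
    $ch = curl_init('https://www.google.com/recaptcha/api/siteverify');
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query(['secret' => $secret, 'response' => $token]),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 5,
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    $data = ($body === false) ? null : json_decode($body, true);
    return is_array($data) ? $data : null; // fail closed: unverifiable means not verified
}

// Decide from the siteverify JSON alone; success, action, hostname, timestamp and score are all checked.
function recaptcha_is_human(?array $r): bool
{
    if ($r === null || ($r['success'] ?? false) !== true) {
        return false;
    }
    if (($r['action'] ?? '') !== RECAPTCHA_EXPECTED_ACTION) {
        return false; // token minted for a different form or action
    }
    if (($r['hostname'] ?? '') !== RECAPTCHA_EXPECTED_HOSTNAME) {
        return false; // token solved on someone else's site
    }
    $issued = strtotime((string)($r['challenge_ts'] ?? ''));
    if ($issued === false || time() - $issued > RECAPTCHA_MAX_AGE_SECONDS) {
        return false; // stale or replayed token
    }
    return (float)($r['score'] ?? 0.0) >= RECAPTCHA_MIN_SCORE;
}

$result = recaptcha_siteverify($_POST['g-recaptcha-response'] ?? '', getenv('RECAPTCHA_SECRET') ?: '');
if (!recaptcha_is_human($result)) {
    http_response_code(403);
    exit('Verification failed');
}
// Only past this point does the real form handling run.
```

The same function works for a v2 response by dropping the action and score checks, since those two fields are absent from the v2 JSON shown above.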

nerdlyist

Reputation: 2857

You do not give us a lot to go on, but since it is 2019 I will assume that you want to talk to another site via an API. At the very least you want to call a specific script that you know is there and can receive calls from you (and is hopefully a bit secure).

You have to make a request to that site "just like" a browser would. Most servers come with cURL to make a request. PHP has a function called curl_exec(); check that out here.

If you are going to be heavily relying on making calls to other resources outside of your site, it would be smarter to let someone else do the heavy lifting for you and pull in a third-party vendor library. One I have used but am not endorsing as solidly vetted is GuzzleHTTP (doc). They basically wrap curl for you and give you a standard request/response structure.

Upvotes: 2
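The curl_exec() relay this answer describes, as an added example that is not the answer's or the asker's own code: it runs after the captcha check has passed, forwards only an allow-list of form fields to the external capture.php, and decides what to show the visitor from the HTTP status it gets back. The URL, the field names and the thank-you page are placeholders.

```php
<?php
// Added example, not the answer's own code: relay the already captcha-checked form data
// to the external capture.php with cURL. The URL and field names are placeholders.

const CAPTURE_URL    = 'https://external.example/capture.php';
const ALLOWED_FIELDS = ['name', 'email', 'message']; // never relay g-recaptcha-response or stray fields

// Keep only allow-listed fields so nothing unexpected is smuggled through your server to the remote script.
function pick_allowed_fields(array $post, array $allowed): array
{
    $out = [];
    foreach ($allowed as $name) {
        if (isset($post[$name]) && is_string($post[$name])) {
            $out[$name] = trim($post[$name]);
        }
    }
    return $out;
}

// Server-to-server POST; returns the HTTP status, or 0 on a transport failure (DNS, TLS, timeout).
function forward_post(string $url, array $fields): int
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields), // application/x-www-form-urlencoded
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,           // do not let the remote side redirect the request
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS, // refuse plain HTTP or exotic schemes
        CURLOPT_SSL_VERIFYPEER => true,            // the default, stated so nobody flips it to false
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 10,
    ]);
    $body   = curl_exec($ch);
    $status = ($body === false) ? 0 : (int)curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    return $status;
}

$status = forward_post(CAPTURE_URL, pick_allowed_fields($_POST, ALLOWED_FIELDS));
if ($status >= 200 && $status < 300) {
    header('Location: /thank-you.php'); // placeholder success page
    exit;
}
error_log("capture.php relay failed, HTTP status $status"); // keep the detail in the log, not the page
http_response_code(502);
exit('Could not deliver the form right now, please try again later.');
```

Because the remote script now sees your server's IP rather than the visitor's, the spam filtering has to happen here, which is exactly why the captcha is verified before this code runs.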
