enthused_confused Posted September 26, 2018

I have a form in which I decided to include Google recaptcha as an added measure of security. When I added the recaptcha it triggers an error because the recaptcha is not whitelisted. I read that HTML5 does not allow assigning the name attribute to div, i.e. <div name="myName"></div>. Against convention, I tried adding a name to the recaptcha div and adding that name to the whitelist. That approach failed. There is an iframe within the div that has the name attribute. I tried using the iframe name in the whitelist. That approach also failed. There is a hidden input that has an id="recaptcha-token". I added 'recaptcha-token' to the whitelist. This approach also failed. The hidden input is generated by the recaptcha api, so I don't think I have a means of assigning a name attribute to this input. Does anyone have a workaround or suggestion?

Note: form validation and whitelist all worked as expected prior to adding recaptcha.

This is the div within the form.

    <div class="row">
      <div class="col-md-12">
        <div class="g-recaptcha" data-sitekey="<?php print $public_key;?>"></div>
      </div>
    </div>

This is the code block using the whitelist.

    // VERIFY LEGITIMACY OF TOKEN
    if (verifyFormToken('form1')) {
        // Building a whitelist array with keys which will send through the form, no others would be accepted later on
        $whitelist = array('token', 'req-fName', 'req-lName', 'req-email', 'req-phone', 'req-address', 'req-city', 'req-state', 'req-zip', 'req-message', 'req_method', 'req-dateDepart', 'req-dateReturn', 'recaptcha-token', 'submit');

        // Building an array with the $_POST-superglobal
        foreach ($_POST as $key => $item) {
            // Check if the value $key (fieldname from $_POST) can be found in the whitelisting array, if not, die with a short message to the hacker
            if (!in_array($key, $whitelist)) {
                writeLog('Unknown form fields');
                die('Hack-Attempt detected. Only the fields originally included in the form are allowed!');
            }
        }
    }

Thanks in advance for having a look at this.
ginerjm Posted September 26, 2018

Post returns elements which were input. You would need to include this recap field as a name in the post array, not a div tag or some other html element. I know nothing about this recap tool of Google's, but somehow you will need to add something to the POST array that indicates that the recap was successfully entered.
enthused_confused (Author) Posted September 26, 2018

My php ini is set as you described. Presently I don't get any php errors. I will try it without the die(); and see if any errors are reported.
enthused_confused (Author) Posted September 26, 2018

@ handball player

Commented out die() and replaced it with echo "Hack attempt detected." No php errors reported. "Hack attempt detected." is echoed out to the page.

Using json_decode on the captcha response, this returns an object. Maybe try something like this:

    if ($response->success == 1) {
        array_push($whitelist, 'recaptcha-token');
    }

Am I on the right track using this approach?
requinix Posted September 26, 2018

Ha, I remember when these "hack attempt" checks were popular. So silly now, looking back on it. Why are you whitelisting inputs in the first place? You don't have to do that. No one can hack your codes by submitting data you aren't looking for.
enthused_confused (Author) Posted September 26, 2018

@ requinix

Quote: Why are you whitelisting inputs in the first place?

The OWASP input validation cheat sheet suggests whitelisting rather than blacklisting. https://www.owasp.org/index.php/Input_Validation_Cheat_Sheet#Whitelisting_vs_blacklisting
requinix Posted September 26, 2018

3 minutes ago, enthused_confused said:
Quote: @ requinix The OWASP input validation cheat sheet suggests whitelisting rather than blacklisting. https://www.owasp.org/index.php/Input_Validation_Cheat_Sheet#Whitelisting_vs_blacklisting

Yes, whitelists are safer than blacklists, but you don't need either for checking the existence of form inputs. All you "need" is to verify that the fields you need to receive were passed. You don't have to die because there was something else unexpected, because you can just ignore it. Not telling attackers about how your system works counts as security too.
enthused_confused (Author) Posted September 26, 2018

@ requinix What method would you suggest I use to prevent malicious attempts to add unwanted inputs?
enthused_confused (Author) Posted September 26, 2018 (edited)

@ requinix Thank you for pointing out that you feel whitelisting is unnecessary. Do you have any answer to my posted question? How to include recaptcha in the whitelist?

Edited September 26, 2018 by enthused_confused
requinix Posted September 26, 2018

20 minutes ago, enthused_confused said:
Quote: @ requinix What method would you suggest I use to prevent malicious attempts to add unwanted inputs?

Ignore them. It doesn't matter if they add anything because you're not using it.

3 minutes ago, enthused_confused said:
Quote: Do you have any answer to my posted question? How to include recaptcha in the whitelist?

Go back to what ginerjm said a few hours ago. You have to identify what information is being submitted through the form for you to be able to whitelist it.
ginerjm Posted September 27, 2018

To answer your question about the captcha value: why do you need the value? You just need to know if Google accepted it, true or false. I would create a hidden input element in the form and then have your js code that accepts the recaptcha result and, when true, put a value into that hidden field. That would add an element to your POST array that you can check.
requinix Posted September 28, 2018

13 hours ago, ginerjm said:
Quote: To answer your question about the captcha value: why do you need the value? You just need to know if Google accepted it, true or false. I would create a hidden input element in the form and then have your js code that accepts the recaptcha result and, when true, put a value into that hidden field. That would add an element to your POST array that you can check.

Ah, but how do you know it was accepted? They can't just put in the form "yeah, sure, the user is human". Wouldn't be very effective. They have to send some value that then gets verified by the server.
enthused_confused (Author) Posted September 28, 2018

I have an answer. This came from phpbuilder.com. Turns out I needed to add "g-recaptcha-response" to the whitelist. Thanks for your attention and suggestions to this problem.
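The thread's three conclusions fit together: the reCAPTCHA widget submits its token in a field named g-recaptcha-response (the final post), the server must send that token to Google for verification rather than trusting a client-set flag (requinix's last reply), and the server only needs to confirm the fields it requires are present instead of dying on unexpected ones (requinix's earlier replies). The following is an added example that combines these points; it is not code from any poster. It assumes PHP 7.4+ with the cURL extension, uses Google's documented siteverify endpoint (POST parameters secret, response and remoteip, JSON reply with a boolean success), takes the required field names from the whitelist in the first post, and uses an obvious placeholder for the secret key. The HTTP transport is passed in as a callable so the verification logic can be checked offline with constructed responses.

```php
<?php
// Added example, not the thread author's code. Server-side handling of a form
// that includes Google reCAPTCHA v2. Secret key below is a placeholder.

const RECAPTCHA_VERIFY_URL = 'https://www.google.com/recaptcha/api/siteverify';

/**
 * Return the names of required fields that are absent or empty in $post.
 * Extra, unexpected keys are simply ignored: they are never read, so they
 * cannot affect processing, and rejecting them loudly would only tell a
 * sender how the server reacts.
 */
function missingRequiredFields(array $post, array $required): array
{
    $missing = [];
    foreach ($required as $name) {
        if (!isset($post[$name]) || trim((string) $post[$name]) === '') {
            $missing[] = $name;
        }
    }
    return $missing;
}

/**
 * Verify a reCAPTCHA token against Google's siteverify endpoint.
 * $transport is callable(string $url, array $params): string and performs
 * the HTTPS POST; injecting it keeps this function testable offline.
 * Any malformed or non-successful reply counts as failure (fail closed).
 */
function verifyRecaptcha(string $token, string $secretKey, string $remoteIp, callable $transport): bool
{
    if ($token === '' || strlen($token) > 4096) {
        return false;
    }
    $raw = $transport(RECAPTCHA_VERIFY_URL, [
        'secret'   => $secretKey,
        'response' => $token,
        'remoteip' => $remoteIp,   // optional per Google's docs
    ]);
    $data = json_decode($raw, true);
    return is_array($data) && ($data['success'] ?? false) === true;
}

/** Real transport: HTTPS POST via cURL with a bounded timeout. */
function curlPostTransport(string $url, array $params): string
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($params),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 10,
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body === false ? '' : $body;
}

// Field names taken from the whitelist in the first post, plus the field the
// reCAPTCHA widget actually submits.
$required  = ['token', 'req-fName', 'req-lName', 'req-email', 'g-recaptcha-response'];
$secretKey = 'REPLACE_WITH_YOUR_RECAPTCHA_SECRET_KEY'; // placeholder

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $missing = missingRequiredFields($_POST, $required);
    if ($missing !== []) {
        http_response_code(400);
        exit('Please complete all required fields.');
    }
    $human = verifyRecaptcha(
        (string) $_POST['g-recaptcha-response'],
        $secretKey,
        $_SERVER['REMOTE_ADDR'] ?? '',
        'curlPostTransport'
    );
    if (!$human) {
        http_response_code(400);
        exit('CAPTCHA verification failed.');
    }
    // Continue with the required fields only; everything else in $_POST is ignored.
}

// Offline self-check with constructed replies (not real Google output).
if (PHP_SAPI === 'cli') {
    $okReply   = fn(string $u, array $p): string => '{"success": true, "hostname": "example.com"}';
    $failReply = fn(string $u, array $p): string => '{"success": false, "error-codes": ["invalid-input-response"]}';
    $junkReply = fn(string $u, array $p): string => 'not json';

    assert(verifyRecaptcha('tok', 'k', '127.0.0.1', $okReply) === true);
    assert(verifyRecaptcha('tok', 'k', '127.0.0.1', $failReply) === false);
    assert(verifyRecaptcha('tok', 'k', '127.0.0.1', $junkReply) === false);
    assert(verifyRecaptcha('', 'k', '127.0.0.1', $okReply) === false);
    assert(missingRequiredFields(['token' => 't', 'extra' => 'x'], ['token', 'req-email']) === ['req-email']);
    echo "self-check passed\n";
}
```

Run from the command line with assertions enabled (zend.assertions=1) to exercise the offline checks; deployed behind a web server, the same file handles a real submission. The siteverify reply also carries a hostname field, which a deployment can compare against its own domain as an extra check that the token was solved on the intended site.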