Jump to content

How to include Google RECAPTCHA 2 in whitelist of form inputs.


enthused_confused

Recommended Posts

I have a form that I decided to include Google recaptcha as an added measure of security.
When I added the recaptcha it triggers an error because the recaptcha is not whitelisted.
I read that HTML5 does not allow  assigning the name attribute  to div.  i.e.  <div name="myName"></div>.
Against convention, I tried adding a name to the recaptcha div and adding that name to the whitelist. That approach failed.
There is an iframe within the div that has the name attribute. I tried using the iframe name in the whitelist. That approach also failed.
There is a hidden input that has an id="recaptcha-token". I added 'recaptcha-token' to the whitelist. This approach also failed.
The hidden input is generated by the recaptcha api, so I don't think I have a means of assigning a name attribute to this input.
Does anyone have a workaround or suggestion ?

Note: form validation and whitelist all worked as expected prior to adding recaptcha.   

This is the div within the form.

<div class="row">
  <div class="col-md-12">
    <div class="g-recaptcha" data-sitekey="<?php print $public_key;?>"></div>
  </div>
</div>

This is the code block using the whitelist.

// VERIFY LEGITIMACY OF TOKEN
    if (verifyFormToken('form1')) {
		  
        // Building a whitelist array with keys which will send through the form, no others would be accepted later on
        $whitelist = array('token','req-fName','req-lName','req-email','req-phone','req-address','req-city','req-state','req-zip','req-message','req_method','req-dateDepart','req-dateReturn','recaptcha-token','submit');
            
        // Building an array with the $_POST-superglobal 
        foreach ($_POST as $key=>$item) {
		// Check if the value $key (fieldname from $_POST) can be found in the whitelisting array, if not, die with a short message to the hacker
        if (!in_array($key, $whitelist)) {
				writeLog('Unknown form fields');
				die('Hack-Attempt detected. Only the fields originally included in the form are allowed!');
            }
        } 
	}

Thanks in advance for having a look at this.

Link to comment
Share on other sites

Post returns elements which were input.  You would need to include this recap field as a name in the post array, not a div tag or some other html element. 

I know nothing about this recap tool of Google's, but somehow you will need to add something to the POST array that indicates that the recap was successfully entered.

Link to comment
Share on other sites

@ handball player
Commented out "die()" and replaced with  echo "Hack attempt detected."
No php errors reported. "Hack attempt detected." is echoed out to page.

Using json_decode on captcha response, this returns an object.

Maybe try something like this:

if(response->success ==1) {
    array_push($whitelist, "recaptcha-token");
}

Am I on the right track using this approach?

Link to comment
Share on other sites

3 minutes ago, enthused_confused said:

@ requinix

The OWASP input validation cheat sheet suggests whitelisting rather than blacklisting.

https://www.owasp.org/index.php/Input_Validation_Cheat_Sheet#Whitelisting_vs_blacklisting

Yes, whitelists are safer than blacklists, but you don't need either for checking the existence of form inputs.

All you "need" is to verify that the fields you need to receive were passed. You don't have to die because there was something else unexpected because you can just ignore it. Not telling attackers about how your system works counts as security too.

Link to comment
Share on other sites

20 minutes ago, enthused_confused said:

@ requinix What method would you suggest I use to prevent malicious attempts to add un-wanted inputs?

Ignore them. It doesn't matter if they add anything because you're not using it.

3 minutes ago, enthused_confused said:

Do you have any answer to my posted question?  How to include recaptcha in whitelist ?

Go back to what ginerjm said a few hours ago. You have to identify what information is being submitted through the form for you to be able to whitelist it.

Link to comment
Share on other sites

To answer your question about the captcha value - Why do you need the value?  You just need to know if google accepted it - true or false.  I would create a hidden input element in the form and then have your js code that accepts the recaptcha result and when true put a value into that hidden field.  That would add an element to your POST array that you can check.

Link to comment
Share on other sites

13 hours ago, ginerjm said:

To answer your question about the captcha value - Why do you need the value?  You just need to know if google accepted it - true or false.  I would create a hidden input element in the form and then have your js code that accepts the recaptcha result and when true put a value into that hidden field.  That would add an element to your POST array that you can check.

Ah, but how do you know it was accepted? They can't just put in the form "yeah, sure, the user is human". Wouldn't be very effective. They have to send some value that then gets verified by the server.

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.