Validating g-captcha-response parameter - recaptcha

I have this form where there is an implemented Google Captcha. I don't understand why I can submit multiple POST request using the same g-recaptcha-response and without it. Is it intended to work that way?
POST /dev-test/form.php HTTP/1.1
Host:.com
Content-Length: 606
Cache-Control: max-age=0
Sec-Ch-Ua: " Not;A Brand";v="99", "Google Chrome";v="91", "Chromium";v="91"
Sec-Ch-Ua-Mobile: ?0
Upgrade-Insecure-Requests: 1
Origin: https://sample.com
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://sample.com/dev-test/form.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
client_id=077&first_name=captcha-bypass-2nd-attempt&last_name=bypass-captcha-2nd-attempt&consent=true&g-recaptcha-response=

You can send as many request as you want to Google... The same way you can send unlimited mail parcel to an address, there's no mechanism to stop you from sending HTTP request to an address.
Once google receives your request, their servers will process your request and give it a score. It's your responsibility as a developer to go and get that score from google to check if a legitimate user is trying to access the site.
You will need to do that verification on the server side code of your application.
You can learn more on how google wants you to check the score at: https://developers.google.com/recaptcha/docs/verify

Related

How to parse formData request in laravel

I have fetch api call from Vue js code which sends form-data to laravel backend
I am posting request. Please suggest how to parse this using laravel request?
POST /acapp/public/api/createmember HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9,mr-IN;q=0.8,mr;q=0.7,ur-PK;q=0.6,ur;q=0.5,hi-IN;q=0.4,hi;q=0.3
Cache-Control: no-cache
Connection: keep-alive
Content-Length: 142
Content-Type: application/json
Host: localhost
Mimetype: multipart/form-data
Origin: chrome-extension://fhbjgbiflinjbdggehcddcbncdddomop
Postman-Token: cd1ca586-560b-fdf7-3fd6-afe2f457d676
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
------WebKitFormBoundaryoMWbAbNZyySY3vCB
Content-Disposition: form-data; name="dob"
45345345
------WebKitFormBoundaryoMWbAbNZyySY3vCB--
You don't need to parse the request. The HTTP-Request Stack of Laravel will do it automatically and call your action you defined for that url.
https://laravel.com/docs/5.7/requests
Here is a good example how to get informations from your request. So you don't have to think about that. In the documentation you can find a part how to write VUE components.
https://laravel.com/docs/5.7/frontend
i think that could help you.

Web API call giving "InvalidAuthorizationHeader"

I am trying to connect to an OData API using Advanced REST Client.
The Login is successful and I receive a SecurityToken which I use in the following GET request:
accept: application/json
accept-encoding: gzip, deflate
accept-language: en-US,en;q=0.8
user-agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.84 Safari/537.36
Content-Type: application/json
authorization: Basic <security-token>
Even though I am using the security token I received from the Login, I am receiving a message that says "The HTTP authorization header is not formatted correctly." and I also receive an "Authorization required" prompt in Advanced REST Client (ARC).
Can anyone tell me what is wrong with the Authorization header or how I can format it correctly?
Something wrong with your token.
please show your login result.
In addition, My be It is because of authorization type that you use 'basic'.
Use 'Bearer' with authorization token:
authorization: Bearer ....

Google Cast Widevine PSSH

I'm using official custom receiver from Github and I'm trying to play MPEG-DASH Widevine protected video stream. Receiver is running on Nexus Player 5.1.1. I'm correctly setting customData and licence server url. The problem is that player (DRM component) is not correctly generating needed data for POST request to the licence server. This data should be generated with data from PSSH box and include information about DRM client and more. Below is the almost empty POST request (omitted some CORS specific headers) with request body containing only two bytes (08 04)
POST XYZ HTTP/1.1
Host: XYZ
Connection: keep-alive
Content-Length: 2
Origin: ABC
User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; Nexus Player Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.75 Safari/537.36 CrKey/1.13.31432
content-type: text/xml;charset=utf-8
Accept: */*
Referer: http://ABC/ftp-custom/CastMediaPlayerStreamingDRM/mpl.html
Accept-Encoding: gzip, deflate
Accept-Language: en-GB
CAST-DEVICE-CAPABILITIES: {"display_supported":true}
..
The correct request body (on Windows / Chrome) should look like this (ommited "non-human readable" content within request body)
POST XYZ HTTP/1.1
Host: XYZ
Connection: keep-alive
Content-Length: 1763
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36
Origin: http://shaka-player-demo.appspot.com
Accept: */*
Referer: http://shaka-player-demo.appspot.com/
Accept-Encoding: gzip, deflate
Accept-Language: cs,en;q=0.8
ChromeCDM-Windows-x86
architecture_name x86-32
company_name Google
model_name ChromeCDM
platform_name Windows2
Thank you for any how to make this working correctly.

Self hosted Wep Api on my Respbarry Pi leads to HTTP 400 Bad Request

I've created a self hosted Web API (Web API 2.2 + Owin). The service is quite simple and only returns the list of GPIO pin values.
On my Pi itself, it works perfectly. I can call the service without problems. Only when I try to call it from my PC a HTTP 400 is returned:
Request:
GET http://192.168.178.105/RobotApi/GetGpioPinValues HTTP/1.1
Host: 192.168.178.105
Connection: keep-alive
Accept: application/json, text/plain, */*
Origin: http://localhost
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
Referer: http://localhost/piRobot.WebSite/index.html
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8,de-DE;q=0.6,de;q=0.4
Response:
HTTP/1.1 400 Bad Request
Content-Type: text/html; charset=utf-8
Server: Mono-HTTPAPI/1.0
Date: Fri, 02 Jan 2015 16:19:24 GMT
Content-Length: 35
Connection: close
<h1>Bad Request (Invalid host)</h1>
I hope someone out there can help me. Any suggestions?
Thanks a lot,
Dante
Ok. Got it:-)
It was no problem with raspberry or mono or Web Api itself. The self hosted service was initialized with the base URL http://localhost. The strange thing is, the service is only available via localhost, but not via the according IP address!!!
So what I've done now is, I substituted localhost with the IP address of my Pi and it works perfectly. Now the service is only accessible via the IP?!
I still have no clue why it makes a difference, but obviously it does.

how should I re-create a POST first seen in Fiddler in Ruby?

This seemed pretty straightforward:
capture a POST in Fiddler (Windows, because I find it easier to use than WireShark)
get data posted
make a similar POST using Net::Http in Ruby
And yet. Every time I run the post, it gets a 500. Could really use a suggestion here.
Original POST (Raw):
POST http://www.example.com/products/ajax HTTP/1.1
Host: www.example.com
Connection: keep-alive
Content-Length: 154
Origin: http://www.example.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.142 Safari/535.19
Content-Type: application/x-www-form-urlencoded
Accept: application/json, text/javascript, */*; q=0.01
Referer: http://www.example.com/products
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
q=getProducts&page=52&type=leaf_blowers
But when I get this in the Rails console:
>> res = http.post_form URI.parse(the_url), {'a' => 'getProducts', 'page'=> '52', 'type'=> 'leaf_blowers'}
=> #<Net::HTTPInternalServerError 500 Internal Server Error readbody=true>
The first one (Fiddler) results in HTML being returned. The second is just a 500 error. Is there anything obvious that I'm missing here? If you'd like to see the Wireshark capture, let me know how I can get it to look like the Fiddler raw capture -- I can't figure out how to get that detail out of Wireshark.
Maybe it's a typo when you posted the question, but the original post has
q=getProducts
and then you make the request with:
'a' => 'getProducts'
What happens if you make the request with 'q' => 'getProducts' ?

Resources