Develop Reference

Validating g-captcha-response parameter

I have this form where there is an implemented Google Captcha. I don't understand why I can submit multiple POST request using the same g-recaptcha-response and without it. Is it intended to work that way?
POST /dev-test/form.php HTTP/1.1
Host:.com
Content-Length: 606
Cache-Control: max-age=0
Sec-Ch-Ua: " Not;A Brand";v="99", "Google Chrome";v="91", "Chromium";v="91"
Sec-Ch-Ua-Mobile: ?0
Upgrade-Insecure-Requests: 1
Origin: https://sample.com
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://sample.com/dev-test/form.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
client_id=077&first_name=captcha-bypass-2nd-attempt&last_name=bypass-captcha-2nd-attempt&consent=true&g-recaptcha-response=

You can send as many request as you want to Google... The same way you can send unlimited mail parcel to an address, there's no mechanism to stop you from sending HTTP request to an address.
Once google receives your request, their servers will process your request and give it a score. It's your responsibility as a developer to go and get that score from google to check if a legitimate user is trying to access the site.
You will need to do that verification on the server side code of your application.
You can learn more on how google wants you to check the score at: https://developers.google.com/recaptcha/docs/verify

Laravel api passport Unauthorized 401

I have created a multi auth system for Laravel and I can log in and protecting the routes (with web and admin) defined in web.php is working fine. Now I also want to do the same for the api calls in api.php. For this purpose, I have installed Passport, changed my auth.php file to passport for api, attached the token in Kernel.php and in my axios request I attach xsrf and XMLHttpRequest. But when I execute my api call I get all the time 401 Unauthorized. I have taken a look in my headers and see a laravel_token and X-XSRF-TOKEN, so I am puzzled why it is not working.. Does anybody have any idea? Thanks!
Header looks like:
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: undefined
Connection: keep-alive
Cookie: XSRF-TOKEN=eyJpdiI....
DNT: 1
Host: 127.0.0.1:8000
Referer: http://127.0.0.1:8000/availability/calendar
User-Agent: Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Mobile Safari/537.36
X-CSRF-TOKEN: 4SUDy8IJigeEBftGjTVgat7cqPSGnncA0zuSiEeI
X-Requested-With: XMLHttpRequest
X-XSRF-TOKEN: dsfjkdsfsdj.....
In my api.php:
Route::post('/userStuff', 'MyController#userstuff')
->middleware('auth:api');
And my axios request:
axios.get("/api/userStuff").then(({data}) => {
console.log(data);
});

Web API call giving "InvalidAuthorizationHeader"

I am trying to connect to an OData API using Advanced REST Client.
The Login is successful and I receive a SecurityToken which I use in the following GET request:
accept: application/json
accept-encoding: gzip, deflate
accept-language: en-US,en;q=0.8
user-agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.84 Safari/537.36
Content-Type: application/json
authorization: Basic <security-token>
Even though I am using the security token I received from the Login, I am receiving a message that says "The HTTP authorization header is not formatted correctly." and I also receive an "Authorization required" prompt in Advanced REST Client (ARC).
Can anyone tell me what is wrong with the Authorization header or how I can format it correctly?

Something wrong with your token.
please show your login result.
In addition, My be It is because of authorization type that you use 'basic'.
Use 'Bearer' with authorization token:
authorization: Bearer ....

Google Cast Widevine PSSH

I'm using official custom receiver from Github and I'm trying to play MPEG-DASH Widevine protected video stream. Receiver is running on Nexus Player 5.1.1. I'm correctly setting customData and licence server url. The problem is that player (DRM component) is not correctly generating needed data for POST request to the licence server. This data should be generated with data from PSSH box and include information about DRM client and more. Below is the almost empty POST request (omitted some CORS specific headers) with request body containing only two bytes (08 04)
POST XYZ HTTP/1.1
Host: XYZ
Connection: keep-alive
Content-Length: 2
Origin: ABC
User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; Nexus Player Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.75 Safari/537.36 CrKey/1.13.31432
content-type: text/xml;charset=utf-8
Accept: */*
Referer: http://ABC/ftp-custom/CastMediaPlayerStreamingDRM/mpl.html
Accept-Encoding: gzip, deflate
Accept-Language: en-GB
CAST-DEVICE-CAPABILITIES: {"display_supported":true}
..
The correct request body (on Windows / Chrome) should look like this (ommited "non-human readable" content within request body)
POST XYZ HTTP/1.1
Host: XYZ
Connection: keep-alive
Content-Length: 1763
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36
Origin: http://shaka-player-demo.appspot.com
Accept: */*
Referer: http://shaka-player-demo.appspot.com/
Accept-Encoding: gzip, deflate
Accept-Language: cs,en;q=0.8
ChromeCDM-Windows-x86
architecture_name x86-32
company_name Google
model_name ChromeCDM
platform_name Windows2
Thank you for any how to make this working correctly.

how should I re-create a POST first seen in Fiddler in Ruby?

This seemed pretty straightforward:
capture a POST in Fiddler (Windows, because I find it easier to use than WireShark)
get data posted
make a similar POST using Net::Http in Ruby
And yet. Every time I run the post, it gets a 500. Could really use a suggestion here.
Original POST (Raw):
POST http://www.example.com/products/ajax HTTP/1.1
Host: www.example.com
Connection: keep-alive
Content-Length: 154
Origin: http://www.example.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.142 Safari/535.19
Content-Type: application/x-www-form-urlencoded
Accept: application/json, text/javascript, */*; q=0.01
Referer: http://www.example.com/products
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
q=getProducts&page=52&type=leaf_blowers
But when I get this in the Rails console:
>> res = http.post_form URI.parse(the_url), {'a' => 'getProducts', 'page'=> '52', 'type'=> 'leaf_blowers'}
=> #<Net::HTTPInternalServerError 500 Internal Server Error readbody=true>
The first one (Fiddler) results in HTML being returned. The second is just a 500 error. Is there anything obvious that I'm missing here? If you'd like to see the Wireshark capture, let me know how I can get it to look like the Fiddler raw capture -- I can't figure out how to get that detail out of Wireshark.

Maybe it's a typo when you posted the question, but the original post has
q=getProducts
and then you make the request with:
'a' => 'getProducts'
What happens if you make the request with 'q' => 'getProducts' ?