I understand many users have already asked similar questions, but my question is a bit different, and please don't shoot me!

I have a form and it is protected with CAPTCHA, but I realise I still receive spam. I suspect the spammer somehow does not even engage my captcha and just submits the form without using my captcha protection.

I was wondering how that would be possible. Can someone submit my form and the inquiry without engaging my captcha code at all?

I am using this code:

////:submit data using javascript: ////
$(function () {
  $('.CaptchaSubmit').click(function () {
    if (CheckCaptcha() != true) {
      return false;
    } else {
      //put your submit Button Code...
    }
  });
});
crimsonpython24
  • You should be able to use this code: https://stackoverflow.com/questions/133925/javascript-post-request-like-a-form-submit?rq=1 – Daniel Jul 31 '20 at 21:45
  • Do you have any verification on the server-side? If not, then nothing is stopping someone from simply bypassing those checks. – Ivar Jul 31 '20 at 21:49
  • @Ivar thank you for your comment. You mean we need to have PHP code as well? At the moment we only have JavaScript code. – Reza B. Aug 01 '20 at 01:03
  • The captcha answer will be validated on the server-side (captcha server, not our server) and if the answer is correct then the token will be sent to our front end to grant the access! – Reza B. Aug 01 '20 at 01:18
  • @Ivar can you show me an example of how it would be possible to bypass this verification?! Many thanks – Reza B. Aug 01 '20 at 01:34
  • @RezaB. There are many ways. You need to realize that JavaScript is executed on the browser of the visitor. The code runs on their machine and therefore they have full control over it. You can never blindly trust data that is sent from there. I don't know how the rest of your code looks, but in your case it could be as easy as disabling JavaScript in the browser. But you could also use a tool like Postman or CURL to send custom HTTP requests directly, in which case you don't need a browser at all. – Ivar Aug 01 '20 at 08:57
  • Show us your server-side validation code. – m02ph3u5 Aug 01 '20 at 11:05
  • Sorry, I think I misunderstood your point. What I meant was the captcha answer will be validated using a 3rd party server (a captcha provider server like ReCaptcha) and if the answer to the Captcha is correct it will return a True flag so the submit button on my form can be activated and work fine. Otherwise, the submit button is disabled and not working until the correct answer returns from the 3rd party Captcha provider server. – Reza B. Aug 02 '20 at 00:54
  • A simple idea for beating these bots might be to give the form an action that fails and change it to the right action in the captcha callback. – pguardiario Aug 02 '20 at 00:56
  • In my front-end code, I only have the code which I posted above. I am not using any other validation apart from this. I want to know if this is sufficient or is there any method spammers can use to bypass my captcha and submit my form? Thank you ;) – Reza B. Aug 02 '20 at 00:57
  • @Ivar, with that technique you mentioned using Postman, is it possible to submit the online form without opening it in a browser? And if I engage my captcha with the form? – Reza B. Aug 02 '20 at 01:02
  • @RezaB. When you submit a form (or make an AJAX request), an HTTP request is constructed which contains all the data that is sent to the server. Postman allows you to create your own custom HTTP request. In that case, you don't have to deal with any JavaScript, because the request is not made from the browser to begin with. When someone does this, your Captcha is completely bypassed. If you have code in your server-side to validate that this Captcha was executed successfully, then this technique becomes useless. – Ivar Aug 02 '20 at 09:42
  • @Ivar many thanks for your valuable comment! It helped me a lot. We are working on a cyber security project and I would much appreciate it if I could connect with you to get more help on my project. Is that possible?! – Reza B. Aug 02 '20 at 16:09
  • Glad I could be of help, but no, I don't think that's a good idea. – Ivar Aug 02 '20 at 18:18
  • @Ivar thanks, my final request please: would it be possible for you to check our website and see if with this technique you can bypass the captcha and submit the form? This would help me to understand our problem! https://jobwallglobal.com/contact-us – Reza B. Aug 02 '20 at 23:11
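
The server-side validation the comments ask about, sketched as an added example that is not part of the original thread or the asker's code: the form handler itself asks the captcha provider whether the submitted token is valid, so a request that never ran the page's JavaScript is rejected. It assumes a reCAPTCHA-style provider (the `g-recaptcha-response` field and `siteverify` endpoint are reCAPTCHA's); the secret, the hostname and the function names are placeholders chosen here.

```javascript
// Added example, not from the original thread. Assumes a reCAPTCHA-style provider.
const VERIFY_URL = 'https://www.google.com/recaptcha/api/siteverify';
const SECRET = process.env.CAPTCHA_SECRET || 'PLACEHOLDER_SECRET'; // placeholder
const EXPECTED_HOST = 'example.com'; // placeholder: the site the widget runs on

// Pure decision on a POSTed form plus the provider's JSON reply (null = no reply).
function decide(form, providerReply) {
  const token = form['g-recaptcha-response'];
  if (typeof token !== 'string' || token.length === 0) {
    return { status: 400, reason: 'missing captcha token' };
  }
  if (!providerReply || providerReply.success !== true) {
    return { status: 403, reason: 'captcha not confirmed by provider' };
  }
  if (providerReply.hostname !== EXPECTED_HOST) {
    return { status: 403, reason: 'token was issued for another site' };
  }
  return { status: 200, reason: 'ok' };
}

// Server-to-server call: the browser never sees SECRET and cannot fake the reply.
async function askProvider(token, remoteIp) {
  const body = new URLSearchParams({ secret: SECRET, response: token });
  if (remoteIp) body.set('remoteip', remoteIp);
  const res = await fetch(VERIFY_URL, { method: 'POST', body });
  return res.json();
}

// Form handler: runs on the server for every request, browser or not.
async function handleSubmission(form, remoteIp, provider = askProvider) {
  const token = form['g-recaptcha-response'];
  if (typeof token !== 'string' || token.length === 0) return decide(form, null);
  let reply = null;
  try {
    reply = await provider(token, remoteIp);
  } catch {
    reply = null; // fail closed if the provider is unreachable
  }
  return decide(form, reply);
}

// Constructed sample requests (not real traffic).
const SAMPLES = {
  noToken: { name: 'a', message: 'hello' }, // POST built outside the browser
  withToken: { name: 'a', message: 'hello', 'g-recaptcha-response': 'constructed-token' },
};
```

The client-side `CheckCaptcha()` gate can stay for usability; only the server's answer decides whether the inquiry is stored or mailed.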

0 Answers