recaptcha v3

hmm from what i see we are trying to solve recaptcha v3 as recaptcha v2, is it intended?

Comments

  • SvenSven www.GSA-Online.de
    I still don't know what the difference is really and how to detect it.
  • SvenSven www.GSA-Online.de
    ok will have a look after weekend...im already at home sorry.
  • SvenSven www.GSA-Online.de
    OK, based on 2captcha I would need 4 things:

    • site key - got it from html source
    • url  - got it from html source
    • action - can extract from source I guess?
    • min_score - !?
  • Recaptcha v3:

    https://developers.google.com/recaptcha/docs/v3#score

    Score is something that recaptcha script calculates.

    I guess min_score is something that we should setup manually, score is verified on the backend of the website using recaptcha, so it can be anything the owner wants, the less the score = the more likely it is a bot.


    From what i understand, action can be anything, but how i understand how Recaptcha v3 works (ive used it in my app once).

    1. Load the Google JS script on your website.
    2. Setup in your html code when the script should generate a token (grecaptcha.execute) ( usually on the form submission), then add that token in your form.
    3. On the backend send the token to Google API and get back a response with score and other params.
    4. Verify on your backend if you want to allow the submission or not.
     
    Actions; i guess they can be empty aswell, they are just a context that you can work with.

    https://developers.google.com/recaptcha/docs/v3#actions
    grecaptcha.execute('reCAPTCHA_site_key', {action: 'homepage'})
    

    It is all i remember from coding Recaptcha v3 into my own form.
    Please correct me if i am wrong.
  • SvenSven www.GSA-Online.de
    hmm the score is the problem then, because I cant execute javascript and don't want to anyway.
  • Then disabling Recaptcha v3 is the way to go right now, we won't waste time on solving v3.
  • Maybe with a custom log "recaptcha v3 detected skipping" ? If you still didnt figure a way to filter out v3, let me know i can dig.
  • andrzejekandrzejek Polska
    edited July 18
    Maybe a global page must have to define in main folder (in a text file)?
  • SvenSven www.GSA-Online.de
    global page?
  • global "page must have" that we can define in a file, still talking about skipping recaptcha v3
  • SvenSven www.GSA-Online.de
    next update should skip recaptcha v3
  • That sounds great, what did you manage to get it working?
  • Also, when sending a Recaptcha with a BAD SITE KEY we are charged in some captcha services (antigate, decaptcha). Maybe SER could check if the KEY is valid before sending? 
  • SvenSven www.GSA-Online.de
    the key is extracted from website best as it can be...the key is also checked for having a certain fixed length and format...I cant do much more than that I guess.
  • andrzejekandrzejek Polska
    edited August 14
    Yes, but imagine now:

    1. Send a BADSITEKEY (either is wrong / expired or it is recaptcha v3) -> we are charged
    2. If we have retries, SER will retry -> we are charged.
    3. Time is wasted, more flagging potential, form re-submission.

    If you think it is a good idea to verify the sitekey in SER, i will look into the best method to verify that, if not, please tell me why, and i will try to convice you.

  • SvenSven www.GSA-Online.de
    well sure let me know how you would try to verify it and I see if that works or I can add.
Sign In or Register to comment.