I'm trying to integrate Google reCAPTCHA Enterprise (without checkbox) into Vue3 based SPA.
JS is loaded in <head> tag as in the example in documentation. I see that reCaptcha code is successfully downloaded and launched, badge at the bottom of the screen stating that site is protected with reCAPTCHA is shown with no warnings.
I can request a token using grecaptcha.enterprise.execute(...) and I get the response as expected. Token seems to be "normal" and it's value is different on each request.
Then I send the token to backed and backend tries to verify it using plain REST API (same as in REST example in documentation, based on plain cURL example).
The response that I get always gives the same result:
"valid" => false
"invalidReason" => "DUPE"
Documentation does not really explain what this 'DUPE' reason means and how to avoid it. Does anyone have any clues what it really means and how to avoid it?
I've tried 3 types of site keys: test keys with low and high score, and "real one" ("test" unchecked).
I've tried 2 different browsers: Chrome and Firefox, both in normal and incognito mode.
I've tried just to wait for 3 hours (in case if I've hit some rate-limiting).
The result is always the same - invalidReason: DUPE
The DUPE reason means that (docs):
The user verification had already been seen.
In practice this means that once you received a token back from execute it was sent to the projects.assessments.create endpoint twice or more. The token will be assessed as valid the first time it is evaluated, but for any subsequent assessment calls with the same token it will come back as invalid with the DUPE reason.
Related
I am using Spring Boot and While I am able to set the cookie on the server, it is available in the response on the browser, however it is not submitted in the further request, and reason seems to be a sub-domain issue. I will detail it with exact issue and content
Requesting Page: http://stgapi.py.com
it makes a API call -> http://secure.stgapi.py.com
Cookies is set with
Domain-> .py.com Also tried with .stgapi.py.com
path-> /
This is visible in the browser, however in the subsequent call to
http://secure.stgapi.py.com the cookies are not submitted
and hence re-login is requested and enters an infinite loop of login and failure.
Any help is much appreciated, entire web says this is how it works, not able to make it work.
After much brainstorming, figured out that we need to set
("Access-Control-Allow-Credentials", "true")
And client(User-Agent) should also send withCredrentials:true
Further ("Access-Control-Allow-Origin") should not be set to "*" and only one value(origin) is supported.
Reason: Being the above example is considered to be CORS request and not the way it looks at the very first place.
I have the following API downloaded in JSON from Swagger Editor:
PUT http://10.37.64.243/m2m/fim/items/fim:device:manager/operations/getAllDeviceTypes?exclude={{exclude}}
with exclude being an environment variable set as : href,metadata,name,arguments
Nominal use requires basic authentication, in this case it works and I get a JSON body with expected result. It properly works in Postman (so I think my import is correct)
If no authentication is provided:
in Swagger Editor : nominal behaviour, request is rejected with error code 401
in Postman : UNEXPECTED behaviour, I end up with status code 200 and it returns a response body identical to the one that I get when authenticated
if I generate the cURL code snippet from Postman and launch it out of Postman: nominal behaviour, I get the same error as the one I get in Swagger Editor (the one expected)
Why do Postman behave differently from the cURL request ??
I probably do something wrong, but I can't figure out what
Thanks for any help
Alexandre
I finally found out that the server returns a cookie that holds authentication validation. So after a valid authentication, whatever the request (with or without authentication) it will be considered as authentified.
Unfortunately, the only way to overcome that problem is to remove the cookie by hand through the "Manage cookies" window. Postman does not implement a function that erase it (even through the pm.cookies and pm.cookies.clear() function).
Postman developpers are aware of that, but there's no scheduling for this feature ...
EDIT: the feature is followed here https://github.com/postmanlabs/postman-app-support/issues/3312
My Durandal SPA app performs BASIC authentication to acquire a session token which it then presents in headers to access Web API controller methods. This works fine.
On successful authentication I cache the access_token in localStorage so I can re-acquire it from local storage to preserve the session in the event of browser closure or refresh. The token is re-acquired but it is rejected by the server with an Unauthorized message.
This question starts by saying that the OP has successfully done what I am trying to do, so it's certainly possible, but the code he shows is a sample of (unsuccessfully) trying to do cookie mapping and I can't divine the nature of my problem from it.
One of the answers to this question says
Fortunately, WIF has a way to mitigate [replay attacks]. By configuring:
<identityConfiguration>
.......
<tokenReplayDetection enabled="true" />
.....
</identityConfiguration>
I do in fact have WIF installed on my development workstation, but I wouldn't know where to start looking for this setting. A search of my HDD found "tokenReplayDetection" in 17 System.IdentityModel related DLLs, but not in any config files.
Does anyone think this is in fact the problem and if so where does it live? Any other thoughts also gratefully received.
I've been looking on the web regarding CORS, and I wanted to confirm if whatever I made of it is, what it actually is.
Mentioned below is a totally fictional scenario.
I'll take an example of a normal website. Say my html page has a form that takes a text field name. On submitting it, it sends the form data to myPage.php. Now, what happens internally is that, the server sends the request to www.mydomain.com/mydirectory/myPage.php along with the text fields. Now, the server sees that the request was fired off from the same domain/port/protocol
(Question 1. How does server know about all these details. Where does it extract all these details froms?)
Nonetheless, since the request is originated from same domain, it server the php script and returns whatever is required off it.
Now, for the sake of argument, let's say I don't want to manually fill the data in text field, but instead I want to do it programmatically. What I do is, I create a html page with javascript and fire off a POST request along with the parameters (i.e. values of textField). Now since my request is not from any domain as such, the server disregards the service to my request. and I get cross domain error?
Similarly, I could have written a Java program also, that makes use of HTTPClient/Post request and do the same thing.
Question 2 : Is this what the problem is?
Now, what CORS provide us is, that the server will say that 'anyone can access myPage.php'.
From enable cors.org it says that
For simple CORS requests, the server only needs to add the following header to its response:
Access-Control-Allow-Origin: *
Now, what exactly is the client going to do with this header. As in, the client anyway wanted to make call to the resources on server right? It should be upto server to just configure itself with whether it wants to accept or not, and act accordingly.
Question 3 : What's the use of sending a header back to client (who has already made a request to the server)?
And finally, what I don't get is that, say I am building some RESTful services for my android app. Now, say I have one POST service www.mydomain.com/rest/services/myPost. I've got my Tomcat server hosting these services on my local machine.
In my android app, I just call this service, and get the result back (if any). Where exactly did I use CORS in this case. Does this fall under a different category of server calls? If yes, then how exactly.
Furthermore, I checked Enable Cors for Tomcat and it says that I can add a filter in my web.xml of my dynamic web project, and then it will start accepting it.
Question 4 : Is that what is enabling the calls from my android device to my webservices?
Thanks
First of all, the cross domain check is performed by the browser, not the server. When the JavaScript makes an XmlHttpRequest to a server other than its origin, if the browser supports CORS it will initialize a CORS process. Or else, the request will result in an error (unless user has deliberately reduced browser security)
When the server encounters Origin HTTP header, server will decide if it is in the list of allowed domains. If it is not in the list, the request will fail (i.e. server will send an error response).
For number 3 and 4, I think you should ask separate questions. Otherwise this question will become too broad. And I think it will quickly get close if you do not remove it.
For an explanation of CORS, please see this answer from programmers: https://softwareengineering.stackexchange.com/a/253043/139479
NOTE: CORS is more of a convention. It does not guarantee security. You can write a malicious browser that disregards the same domain policy. And it will execute JavaScript fetched from any site. You can also create HTTP headers with arbitrary Origin headers, and get information from any third party server that implements CORS. CORS only works if you trust your browser.
For question 3, you need to understand the relationship between the two sites and the client's browser. As Krumia alluded to in their answer, it's more of a convention between the three participants in the request.
I recently posted an article which goes into a bit more detail about how CORS handshakes are designed to work.
Well I am not a security expert but I hope, I can answer this question in one line.
If CORS is enabled then server will just ask browser if you are calling the request from [xyz.com]? If browser say yes it will show the result and if browser says no it is from [abc.com] it will throw error.
So CORS is dependent on browser. And that's why browsers send a preflight request before actual request.
In my case I just added
.authorizeRequests().antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
to my WebSecurityConfiguration file issue is resolved
I'm trying to post a feed on my wall or on the wall on some of my friends using Graph API. I gave all permissions that this application needs, allow them when i make the request from my page, I'm having a valid access token but even though this exception occurs and no feed is posted. My post request looks pretty good, the permissions are given. What do I need to do to show on facebook app that I'm not an abusive person. The last think I did was to dig in my application Auth Dialog to set all permission I need there, and to write why do I need these permissions.
I would be very grateful if you tell me what is going on and point me into the right direction of what do I need to do to fix this problem.
Had the same problem. I figured out that Facebook was refusing my shortlinks, which makes me a bit mad...but I get the point because its possible that shortlinks can be used to promote malicious content...so if you have shortlinks as part of your test, replace them w the full url...
I believe this message is encountered for one of the two reasons :
Your post contains malicious links
You are trying to make a POST request over a non-https connection.
The second one is not confirmed but I have seen that behavior. While same code in my heroku hosted app worked fine, it gave this #368 error on my 000webhost hosted .tk domain which wasn't secured by SSL
Just in case anyone is still struggling with this, the problem occurs when you put URLs or "action links" that are not in your own app domain, if you really need to post to an extarnal page, you'll have to post to your app first, then redirect from there using a script or something. hope that helps.
also it's better in my opinion to use HTTPS links, as sometimes i've seen a behaviour where http links would be rejected, but that's intermittent.
I started noticing that recently as well when running my unit tests. One of the tests I run is submitting a link that I know Facebook has blocked to verify that I handle the error correctly. I used to get this error:
Warning: This Message Contains Blocked Content: Some content in this message has been reported as abusive by Facebook...
But starting on July 4th, I started receiving this error instead:
(#368) The action attempted has been deemed abusive or is otherwise disallowed'
Both errors indicate that Facebook doesn't like what you're publishing.