0

The Google Recaptcha V3 docs shows the easiest way to implement is using what they call "Automatically bind the challenge to a button" https://developers.google.com/recaptcha/docs/v3#automatically_bind_the_challenge_to_a_button

From their example, the callback function handles the submit directly. Are they implying that you don't have to verify the token using their API with this method? Or is this example just to show how you can run a JS callback function, that has the token as an argument?

If you don't have serverside verification of the recaptcha token, you can just remove the recaptcha event from the button, and have the form submit as per usual without the token.

So in short, is the example from the docs unsafe, or is it just missing the serverside verification part?

Emil Østervig
  • 440
  • 4
  • 20

1 Answers1

0

Of course You have to verify it in the background.

Make the request to verify the response token as with reCAPTCHA v2 or Invisible reCAPTCHA.

How would you expect to do check if captcha was filled properly other way? By simple response to your script from javascript api? It would take 5 seconds to bypass that. Captcha is made to protect you from bots, not from browser users.

Let's imagine, that you are verifying the catcha response on client side (with javascript). You are getting some "true" from some function, that the captcha was correctly filled. And what then? Based on this you redirect user to one url instead of another? Or what would be your idea to make the captcha work as any protection? If you would do that, everyone could just go directly to the url, bypassing it. Or are you going to implement some session, server side protection. If so, why not to use the one that is already implemented in reCatcha? There is no way to make a script that would protect you from bots or spam without server side verification.

Flash Thunder
  • 11,672
  • 8
  • 47
  • 91
  • I mean this answers it, albeit in a kind of passive aggressive way. I can see requests being made in my recaptcha dashboard, so i was wondering if the "automatic" way was also communicating with the verification api. I understand that it's really easy to bypass, since it's relying on the submit button click event. I still feel like the docs do a really poor job communicating these things. – Emil Østervig Jul 16 '21 at 21:44
  • I'm sorry, wanted it to be clear, not to be aggressive. I actually am an expert in bypassing such a things, that's why my answer was in such manner. Didn't want to offend you. – Flash Thunder Jul 17 '21 at 13:51