0

Am trying to configure Recaptcha enterprise with WAF using cloud armor (with action tokens), but I have a problem, the cloud armor rule that validates the token/score never gets triggered if the domain validation is enabled on the recaptcha key. I have a very simple cloud armor policy:

Cloud armor rules

And the recaptcha key looks like a normal key with the WAF enabled: Recaptcha key

To get the token I just have a simple localhost site that just run the enterprise sdk and sends the token in the X-Recaptcha-Token header.

My problem is that, when the Disable domain verification is off, the cloud armor rules are never triggered (and for the LB logs it seems that the token does not even appear), so it only triggers the deny-all rule. But as soon as I enable the Disable domain verification then the rules are correctly triggered and the logs shows the score of the token.

Someone knows what could be happening?.

Some more info about my setup, the WAF is protecting an API thats running on Cloud Run (which is configured as a backend service inside the load balancer).

I also create an issue tracker here

Alejandro Barone
  • 1,743
  • 2
  • 13
  • 24
  • 1
    Cloud Armor does not check the domain list registered on the reCAPTCHA side. So the only option currently is to turn off domain protection. But if you think the domain protection is a must for you, then you need to wait for our feature enhancement. There are already internal discussions for the said feature. However, for feature requests there is no guarantee of any time frame for updates or that the requested feature will be implemented. – Siegfred V. May 11 '23 at 23:20
  • Thank you very much!, Is this mentioned on some documentation?, I couldn't find it :/. So when using a WAF Recaptcha Key (with cloud armor), its expected that the domain validation is OFF?, that does not let the recaptcha key a little bit vulnerable as mentioned in the guides? – Alejandro Barone May 11 '23 at 23:31

2 Answers2

0

As mentioned by Siegfred (thank you very much!), this is a missing feature on the integration between recaptcha enterprise and cloud armor and currently the only way to integrate them is by disabling the domain verification in the recaptcha enterprise panel.

As he mentioned this is a feature that should be developed (and its currently on internal discussions), hopefully they'll release it on the near future. Also its worth mention, that there should be a revisit on the documentation to avoid any misunderstanding, as this behavior is not mentioned explicitly.

There is still the issue I created on googles issue tracker here. So you can check from time to time to see if there is any news.

Alejandro Barone
  • 1,743
  • 2
  • 13
  • 24
0

As a stop gap, you could consider making a compound rule within Cloud Armor where you check that the domain name isn't the target property (meaning it is something else other than your desired hostname) and then add the recaptcha language:

request.headers['host'].matches('www.example.com') && token.recaptcha_action.score >= 0.8

This isn't as strong as doing the domain validation within ReCaptcha, but it essentially would mitigate domain hijacking.

Depending on what you wanted to do with potential hijacked requests, you could have a Cloud Armor rule that tests for the anti-pattern, e.g. domain doesn't match and then deny/redirect the request elsewhere. You would probably want this anti-pattern rule to fire before the recaptcha so as to dump unwanted requests before hitting reCaptcha evaluation.

!request.headers['host'].matches('www.example.com')
Dave
  • 434
  • 5