Got sick of multiple silly comments and decided to get rid of them. Yesterday I added the “Simple Google reCAPTCHA” plugin, so currently comment posting is protected by Google reCAPTCHA; the Contact page is not secured yet, but I will implement some protection there as well. I investigated with Wireshark what the HTTP POST request for adding a new comment looks like now:
```http
POST /blog/wp-comments-post.php HTTP/1.1
Host: ladydebug.com
Connection: keep-alive
Content-Length: 513
Cache-Control: max-age=0
Origin: http://ladydebug.com
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Referer: http://ladydebug.com/blog/2019/07/30/create-catalina-macintosh-vm-on-oracle-virtual-box/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

comment=qwerty123&author=ladydebug.com&email=findword%40ya.ru&url=http%3A%2F%2Frussian.wordchaos.com&g-recaptcha-response=03AOLTBLSGUORYGWSTVZb-3w5dVs471BKkNkXK8l0OJoN741uwhp5NqMxej_4oiiHm1VOFAMwTvdesgxaIMldxw70iqPjxIXXVoPyUp8bSj4kV-mBu7lr75O6aXTXkdRFg64H4il2beTaR7HbYRbtOX0Ww05lIQTTH3leGvgAV_sRHQs0dKkEATPRaTXOntaxznVsPSAMWjQFHYM7Sq03UkT_5LVmyJxx7LFci24GPBNDvW2W99ezsoHFoNTBLWtDJzVNadFAoCKvovoRMjd28EC08VKEhOnv1z3HhApfYAH7Ora9NAry29v5XlBBD8my30hcGJF9l76GE&submit=Post+Comment&comment_post_ID=700&comment_parent=0
```
The POST body now carries an additional g-recaptcha-response field. That token is only meaningful if the server verifies it: the backend must send it, together with the site's secret key, to Google's siteverify endpoint and reject the comment unless the answer is success. The widget on the page proves nothing by itself, since a bot can simply omit the field or replay an old token, and Google accepts each token only once and only for a short time after the challenge was solved.
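An added example of what that server-side check looks like, in Python rather than the plugin's PHP, and not code from the Simple Google reCAPTCHA plugin or from WordPress. It parses a form body in the shape of the captured POST (the token and the secret key are constructed placeholders), posts the token to Google's siteverify endpoint and, beyond the `success` flag, checks the `hostname` Google reports and the age of `challenge_ts`. The 2-minute limit and the fake transport used for offline runs are assumptions of this example:

```python
"""Server-side verification of a g-recaptcha-response token.

Added example, not the reCAPTCHA plugin's code. The endpoint and the JSON
fields (success, challenge_ts, hostname, error-codes) are the documented
siteverify API; the secret, the token and the transport stub are constructed.
"""
import json
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"
MAX_TOKEN_AGE = timedelta(minutes=2)  # assumption: reject tokens solved longer ago than this

# Constructed form body in the shape of the captured POST; the token is a placeholder.
CAPTURED_BODY = (
    "comment=qwerty123&author=ladydebug.com&email=findword%40ya.ru"
    "&url=http%3A%2F%2Frussian.wordchaos.com"
    "&g-recaptcha-response=03AOLTBL-constructed-token"
    "&submit=Post+Comment&comment_post_ID=700&comment_parent=0"
)
# Constructed "current time" so the age check is deterministic when run offline.
SAMPLE_NOW = datetime(2019, 8, 1, 10, 1, 0, tzinfo=timezone.utc)


def parse_form_body(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body into a flat field dict."""
    return {k: v[0] for k, v in urllib.parse.parse_qs(body, keep_blank_values=True).items()}


def http_transport(url: str, data: bytes) -> bytes:
    """Real transport: POST the form-encoded params to siteverify, return raw JSON."""
    req = urllib.request.Request(url, data=data, method="POST")
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read()


def fake_transport(canned: dict):
    """Build a transport that returns a canned siteverify answer (offline testing)."""
    def _send(url, data):
        return json.dumps(canned).encode()
    return _send


def verify_recaptcha(token, secret, remote_ip=None, expected_hostname=None,
                     transport=http_transport, now=None):
    """Return (ok, reason). ok is True only if Google reports success AND the
    hostname and token-age checks pass. Any transport failure fails closed."""
    if not token:
        return False, "missing-input-response"
    params = {"secret": secret, "response": token}
    if remote_ip:
        params["remoteip"] = remote_ip  # optional, lets Google tie the token to the client IP
    try:
        result = json.loads(transport(SITEVERIFY_URL, urllib.parse.urlencode(params).encode()))
    except Exception as exc:
        return False, f"siteverify-unavailable: {exc}"
    if not result.get("success"):
        return False, ",".join(result.get("error-codes", ["unknown"]))
    # A token solved on another site using the same site key reports that site's hostname.
    if expected_hostname and result.get("hostname") != expected_hostname:
        return False, f"hostname-mismatch: {result.get('hostname')}"
    ts = result.get("challenge_ts")
    if ts:
        solved = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        if (now or datetime.now(timezone.utc)) - solved > MAX_TOKEN_AGE:
            return False, "token-too-old"
    return True, "ok"


if __name__ == "__main__":
    token = parse_form_body(CAPTURED_BODY)["g-recaptcha-response"]
    google_says_ok = fake_transport({"success": True, "hostname": "ladydebug.com",
                                     "challenge_ts": "2019-08-01T10:00:00Z"})
    print(verify_recaptcha(token, "constructed-secret", "203.0.113.5",
                           expected_hostname="ladydebug.com",
                           transport=google_says_ok, now=SAMPLE_NOW))
```

To use it for real, drop the `transport=` and `now=` arguments so the default transport talks to Google and the age check uses the wall clock. The comment should be stored only when the function returns `(True, "ok")`; treating a siteverify outage as a pass would reopen exactly the hole the plugin was installed to close.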