CAPTCHA or enough is enough

By | August 6, 2019

Got sick of multiple silly comments and decided to rid of them. Yesterday I added “Simple Google reCAPTCHA” plugin, so currently comment posting comment are protected by Google reCAPTCHA, Contact page is not secure yet. but I will implement some protection there also. I investigated with Wireshark how HTTP POST request of adding new comment is looks like now:


POST /blog/wp-comments-post.php HTTP/1.1
Host: ladydebug.com
Connection: keep-alive
Content-Length: 513
Cache-Control: max-age=0
Origin: http://ladydebug.com
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Referer: http://ladydebug.com/blog/2019/07/30/create-catalina-macintosh-vm-on-oracle-virtual-box/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

comment=qwerty123&author=ladydebug.com&email=findword%40ya.ru&url=http%3A%2F%2Frussian.wordchaos.com&g-recaptcha-response=03AOLTBLSGUORYGWSTVZb-3w5dVs471BKkNkXK8l0OJoN741uwhp5NqMxej_4oiiHm1VOFAMwTvdesgxaIMldxw70iqPjxIXXVoPyUp8bSj4kV-mBu7lr75O6aXTXkdRFg64H4il2beTaR7HbYRbtOX0Ww05lIQTTH3leGvgAV_sRHQs0dKkEATPRaTXOntaxznVsPSAMWjQFHYM7Sq03UkT_5LVmyJxx7LFci24GPBNDvW2W99ezsoHFoNTBLWtDJzVNadFAoCKvovoRMjd28EC08VKEhOnv1z3HhApfYAH7Ora9NAry29v5XlBBD8my30hcGJF9l76GE&submit=Post+Comment&comment_post_ID=700&comment_parent=0

Now the POST request data contains additional g-recaptcha-response token which should be verified on the server side.

Leave a Reply

Your email address will not be published. Required fields are marked *