Has there anyone come out with a good way to bypass a Recaptcha check in a page to launch a bot test?
Basically, I want for a particular bot (for which I know the IP address) to bypass a google recaptcha check and not sure what would be the most apropiate way of doing it.
I have seen this question How to bypass recaptcha human check in nightwatch test?
but it does not seem to give a clear anwser.
Thanks
EDIT
I am referring myself to the invisible recaptcha that will show some random images and thus the bot will not know where to click to pass the check.
It looks like there is a special set of test keys you can use.
If you configure your testing environment to use these keys, reCaptcha will always return a valid response.
Excerpt from the link below:
With the following test keys, you will always get No CAPTCHA and all
verification requests will pass.
Site key: 6LeIxAcTAAAAAJcZVRqyHh71UMIEGNQ_MXjiZKhI
Secret key: 6LeIxAcTAAAAAGG-vFI1TnRWxMZNFuojJ4WifJWe
The reCAPTCHA widget will show a warning message to claim that it's
only for testing purpose. Please do not use these keys for your
production traffic.
https://developers.google.com/recaptcha/docs/faq#id-like-to-run-automated-tests-with-recaptcha-v2-what-should-i-do
As long as you have control over the server:
You can create a if check when validating the captcha on the server side. So when you make the call to google, surround it with an if() check that checks for the current IP, and if it matches a certain IP, or an array of IP's then ignore the validation.
if($_SERVER['REMOTE_ADDR'] !== 'x.x.x.x') {
//Code that checks captcha and returns error if invalid
}
Related
I am currently learning to make DRF APIs for something I am working on. I was wondering how exactly I would secure the API POST requests I send via the client side?
For example, let's say I have a log in form where the user can enter their information, this information needs to be send to (or POST-ed to) my API for verification. I do not want just anyone sending requests to the server and so, I would want to use an API key but since this is being done on a website, anyone could see the API key if they wanted to, and then exploit the server by sending a ton of requests.
My current idea is to use serializes in DRF to check if the API POST request has everything it needs but I am fairly certain this can be easily found by checking what sort of JSON my code sends to the server, so how exactly do I go about securing this such that I can send the information to the bare domain (like http://127.0.0.1:8000) and then have code which can accept that information?
I apologize for any confusion, if it is confusing. Let me know if you need any clarification.
If you are creating API any one can send request to server. same goes for website and webpage. Their is no way you can avoid this. But their are ways to handle possible misuse.
like using CAPTCHA for login form which can be filled by one on the web. though wrong CAPTCHA text can be send by anyone you must check it on server for their correctness. or use google reCAPTCHA like services for outsourcing this task.
API key should be given after login NOT before login. and if it is given after successful login then the key is obtained by legitimate user which can obviously do whatever he is allowed to do on website. their should not be problem in that.
further explanation to the question will lead to details of denial-of-service i.e DOS attack. you should consult expert on that field if your application requires to handle DOS attack.
I'm using Firebase auth to control access to my app and it's been working great and was easy to implement. Now that I'm bringing real testers on, I've got a question.
When a user registers, I'm forcing email verification and that all works fine. I've even found how to somewhat customize the email that user receives asking them to verify their address. However, when the user clicks that link, they get a very generic message:
Your email has been verified
You can now sign in with your new account
Is there any way to customize this? I don't want to do anything particularly fancy - just a more helpful message and maybe a link to return to the app.
Thoughts?
If you mean the web page that they get to when they click the link, there is no way to customize the existing page. But you can create your own page, and host it (for example on Firebase Hosting). For full documentation on this process, see the documentation on creating a custom email action handler.
We have a site that uses a "one-time" login process for password resets which are not initiated by the user themselves. (for instance, a password reset that is initiated by an admin or another employee) A URL is sent to the user via email which can then be used to reset their password. The URL can only be visited one time. (there's more to this for security-sake but I'll keep it simple) Recently, some users have complained that when they visit the link, it has already expired. The end result is that they can't reset their passwords using this feature. We discovered that the users in question have a spam filter or "link checker" in their environment that they do not have access to. This device visits the one-time link before the user is able to, to make sure its safe.
I'm trying to solve this issue and was wondering if there's a way I can detect these type of devices on the web server when the request is made? When the spam filter visits the link, is there something in the http request that would stand apart from a regular browser? Maybe they all use a specific custom HTTP header? Or maybe there's a regex I could use on the user agent? I haven't been able to catch one of these yet, so I'm not sure what the request looks like coming from a spam filter.
Anyone know of a way to detect spam filters of any vendor by looking at the http requests? I know it's a long shot but maybe they all use a specific header for reasons such as this?
I got approval to modify the design to remove the one-time aspect of the URL. This solves the issue and saves me the headache. Thanks for the suggestion, #PeeHaa
So I am writing some E2E tests for creating an account on a website. After creating a website account, the website will send me an email to verify my account so I can login. My question is, how far is E2E testing suppose to go? would I be going in the wrong direction if I use protractor to go to google, find the email, and click the link to verify myself. Then go back to the website and login? My other possible option would be to somehow get my userID and then send a request for verification?
I'm just not sure which direction would be best. Any ideas?
It is pretty much arguable how far your tests should go. But if there is a critical to testing information being sent on email, you should consider extracting that information during the test run.
In other words, this is so called "end-to-end testing", but both of the ends could be beyond the borders we are used to think and consider.
Here is the solution using mail-listener2 nodejs library that worked for me during the Two Factor Authentication functionality test (registration code is sent to an email after passing username/password verification step).
Personally I do test that a verification email gets sent with the correct contents — I do not, however, login at Google, to find the email. Instead I've exposed a server side function that returns the latest email it sent to a certain email address. Here's how I use it:
b.get(origin + '/-/e2e/last-email-sent?to=' + address, (response) => {
var responseObj = JSON.parse(response.body);
// Now I have the email text in responseObj.bodyHtmlText.
// Let's extract the URL to the next page:
// (it's the first thing we find that starts with our server origin, i.e.
// http://whatever/....)
var regexString = originRegexEscaped + '\\/[^"]+';
var matches = responseObj.bodyHtmlText.match(new RegExp(regexString));
if (!matches) {
b.assert.fail(responseObj.bodyHtmlText, regexString,
'No next-page-link regex match in email');
}
else {
// Tell our e2e browser to go to the page linked in the email
// as if the user had clicked the link in the email.
b.url(matches[0]);
}
});
I'm going to add lots of other funny e2e test server side functions too, like /-/e2e/fast-forward-time?how-much=3600-seconds :-)
What I do test, with a real Gmail user (a real Gmail account I created for e2e tests and nothing else), is just signups. I.e. that OpenAuth login works. If that works, I'm going to assume any Gmail user is thereafter able to read emails.
I would like to make a vb .net application that auto logs into places and retrieves data from them. I have already succeeded in doing this by opening internet explorer programmably and tabbing to enter name and password. But this is messy, and needs to be well timed. I'm using VB .Net. Is there a way to interface with sites to auto login. Maybe I could inject a cookie, but then the browser could change. Any suggestions would be very helpful. Thanks
Well, it really depends on what authentication scheme the sites use. It is possible to pass a Credentials object with an HttpWebRequest which can be used to authenticate against sites that use basic authentication, windows authentication and similar. But I can't think of a reliable way that would work for any and all sites.
May not be something you'd consider, but the ideal tool for you is Selenium rather than reinventing the wheel and writing your own version in VB.net.
Best thing to do is have a quick look at that link, see what you think.
'In vb.net...add a webbrowser control. Then use
webbrowser1.navigate("www.gmail.com")
'Then in the webbrowsers document completed event paste something like this.
'where I wrote "123456" you will put the id of the html element for the username textbox.
'where I wrote "abcdef" you will put the id of the html element for the password textbox.
webbrowser1.Document.GetElementById("123456").InnerText = "yourusernamehere"
webbrowser1.Document.GetElementById("abcdef").InnerText = "yourpasswordhere"
webbrowser1.Document.DomDocument.forms(0).submit()
WatiN could be used for some of what you describe but I think almost anything will be messy unless you can find a way to do a silent login where some token is passed along to impersonate someone.
And CasperJS and PhantomJS may be a way forward too. Using a headless browser you can identify steps in JavaScript you would like to perform at a Website. Useful for interaction through to scraping.
Is there a way to interface with sites to auto login.
Yes, there is. Well, its just a POST HttpRequest or OAuth token.
You can always use direct POST requests with the required headers for any token auth. You can also test these command with cURL from the CLI.
~Without taking VB.net into account~, you can auto login to a website
by using:
Autologin via Keypass - http://keepass.info/ or https://www.keepassx.org/
Keypass automatically opens the login URL of the website, fill the login form and submits it.
Select website from your list, then press CTRL+U & CTRL+V - and you are logged in.