I have a form that submits to a POST action URL I don't have control over, which leaves server-side validation on that URL out of the question. I need to be able to pass a pen test with reCaptcha and am curious if the below scenario would work.
One idea I had was to do all the normal client-side reCaptcha validation using the callback response and then enabling the submit button via JS.
That button would preventDefault() to submit the form to a different PHP file (via ajax). That PHP file would perform proper server-side validation, then based on the response submit the form to the main post url on the success ajax response or not via the error response via JS.
I could also load the form without a POST URL then populate the URL in the DOM based on the success ajax response prior to JS submit.
Does anyone have any better ideas or other ways I can validate recaptcha server-side even if I don't have control over the main POST URL?
Or do you think that client-side only validation could pass a pen test?
Thanks in advance for any input.
Related
Due Diligence
Just to be clear I have searched for the answer to this question and found these great questions that unfortunately do not help me.
Submit form including file upload via jQuery ajax
jQuery AJAX submit form
jquery using ajax to send data and save in php
jQuery AJAX submit form
Setup
I have a system for pulling form values and posting them via ajax. A simple snippet may look something like:
// Values
var url = '/ajax/my/controller'
var values = myStuff.getFormValues($form);
// Post
$.post(url, values, function($response)
{
if ($response['status'])
{
// Success
}
else
{
// Validation error.
}
}, 'json');
My getFormValues functions runs some custom processing to make sure I only send the information I need so I am keen on keeping it. It is probably similar to the jQuery 'serialize' function but much simpler and with custom processing.
The Problem
My get form values function basically does a $('selector').val() to get the form values. Which does not upload the file fields. It returns a fake path like C:\fakepat\filename.png. This of course will not work. I need to actually submit the file as part of the ajax post operation.
The question
Without switching to jquery serialize (since it doesn't fully support files anyway) and without using any other libraries such as jquery form, How do I obtain the file from the file field and post it using ajax?
Simplified, how do I simulate the behavior of a standard file field submit with an ajax post?
I have a Django form, which sends the form data to an external source(to be more precise, it is a PayPal payment form). The user enters the price for the product, clicks on the button and the POST request is send to PayPal triggering the normal payment process.
Now I want to use OTP (like Google Authenticator) to validate each payment.
How should the validation be realized? I thought of several scenarios, but none of them is really satisfying:
Should I send the request first to my site, validate the OTP and then redirect the User to the PayPal site with the data via a POST request, coming with the request? Problem: POST requests are not meant to be redirected and I don't know, how to realize it in django.
Should I write JavaScript code, which sends an ajax request to my site, and "activates" the form on success? Problem: smarter users could just activate the form from the browser console, without sending the ajax request. Does anybody know some kind of activation trick in JavaScript, which is not "hackable"
I would be glad to hear some more solutions from you or some suggestions, how the solutions above could be realized without the problems mentioned.
EDIT - My Solution so far:
I have done a work around and split the form in two. The first form checks the OTP and sends the data to my internal django view. It also creates a model instance with an generated invoice, which can then be checked in the PayPal IPN routine. The second form is a PayPal payment form, which sends the POST request to PayPal. You can find the simplified code in the following Github-Gist:
https://gist.github.com/BloodyD/2cd15f38d0f666cf3a73
First method - normal redirection after POST:
I don't know why do You think that there shouldn't be any redirect after POST request? In django it happens all the time, without that each page refresh directly after adding something to database will trigger adding it one more time.
To redirect user into proper paypal page, you can just send HttpResponseRedirect instead of normal response when form is submitted with valid form data. If not, display some error messages.
2nd solution: using javascript.
You can send url to redirect to (paypal url) in AJAX response, so user won't be able to bypass this. Simply put some form submitted by AJAX, if it returns URL to redirect, just redirect user. If not, display error message.
In the simple javascript drop-in UI, when the form is being submitted, braintree.js will intercept the form submission and inserts a hidden field named "payment_method_nonce" into the form, before the submission actually goes to the server.
However, when using the AngularJS as the frontend framework, I generally don't want the form submission to directly go to the server and then do a page reload. Instead, I want my AngularJS function to intercept and deal with the form submission (e.g., via ng-click or ng-submit), AND in its processing it needs to retrieve and use the "payment_method_nonce" value.
I tried it and it can still intercept the form submission. However, it seems like AngularJS intercepts the form submission BEFORE braintree.js does and inserts the "payment_method_nonce" field.
Hence, my AngularJS code that responds to the form submission cannot retrieve that "payment_method_nonce" field and perform appropriate processing. Any suggestions on how I can work around this?
Thanks!
After reading more braintree docs, it turns out registering a paymentMethodNonceReceived callback when setting up the braintree gateway is the right way to go!
I have name and email id fields and want to post data to server to another website (if fields are valid) using form tags but i already have one form tag with runat="server", using second form tag causes second form to not show on page. I have JavaScript code to post data to server on form post. I saw something using action on button click, but how do i post data on button click
P.S I don't want to use iFrame, popup.
To send POST data on a form submit, try to use a submit button like this:
<input type="submit" value="POST_DATA" name="POST_PARAMETER_NAME">
Replace POST_DATA with your data you want to submit and replace POST_PARAMETER_NAME with the parameter name you want to access the data on the server.
If you already have a form on the page that uses asp.net web forms to communicate with the server then you would probably need to make an ajax request if you want to post back different data. This is quite easy these days using jQuery. The link bellow shows you how you may do this and how to create a web forms page that would accept your post. This way your current form and page would not need to change which is what it sounds like you are after.
http://encosia.com/using-jquery-to-directly-call-aspnet-ajax-page-methods/
I would like to fill in and submit a form on a web page using python. The form I want to interact with has several drop down boxes which are filled using JavaScript. I have looked at the mechanize library but it doesn't handle JavaScript. Can you suggest an alternate library/method for interacting with the form?
Cheers,
Pete
Selenium RC or Windmill (http://www.getwindmill.com/)
Examine the form's returned GET or POST values;
use urllib2 to submit synthesized requests directly.
The form effectively sends information back to the server (or maybe somewhere else) after you press the submit button.
I don't know how you would directly interact with the form, but you could just send the information back to the server in the same way as submitting the form would (without actually submitting it or physically pressing on things).
So for example some forms put the parameters specified in the form (and their values) at the end of the url in the HTTP request once submitting the form. Others put the parameters in the body of the HTTP request. In PHP i know that PHP automatically takes these parameters out for you (into a global array).
In this case you would simply put your own version of the parameters (names/values) in the HTTP request, by looking a what names/values there are in the forms source code.
Although the form may send its information to the server using javascript...
Sorry if that made no sense.