Recaptcha invalid-request-cookie - javascript

I'm trying to do Recaptcha in my page. I'm checking a demo with the localhost. But, I'm keep getting error as invalid-request-cookie always when checking. I'm following Displaying recaptcha without plugin and Verifying recaptcha without plugin.
Here is my code
<html>
<body>
<form method="post" action="http://www.google.com/recaptcha/api/verify">
<script type="text/javascript"
src="http://www.google.com/recaptcha/api/challenge?k=my_public_key">
<!-- I used my public key -->
</script>
<noscript>
<iframe src="http://www.google.com/recaptcha/api/noscript?k=my_public_key"
height="300" width="500" frameborder="0"></iframe><br>
<textarea name="recaptcha_challenge_field" rows="3" cols="40">
</textarea>
<input type="hidden" name="recaptcha_response_field"
value="manual_challenge">
</noscript>
<input type="hidden" name="privatekey" value="my_private_key">
<!-- I used my private key -->
<input type="submit" value="Ok"/>
</form>
</body>
</html>
In google, I saw that, invalid-request-cookie means The challenge parameter of the verify script was incorrect. But It seems to be correct. Is it right or is there any other mistakes? Someone help please

After reading this, I realized that the author of one of our forms was using a public key for a different domain we also have. So make sure you're using the correct public key.

I am using Google recaptcha in an ASP.Net environment. Here is my code snippet:
in head tag:
<script src='https://www.google.com/recaptcha/api.js'></script>
HTML:
<div class="g-recaptcha" data-sitekey="My***PUBLIC***SiteKeyBlahBlah"></div>
That's it! Google handles the rest of the magic. You can check the length of the grecaptcha.getResponse() function's return variable to see if the user clicked it. For example:
if (grecaptcha.getResponse().length == 0)
//They didn't do it
else
//They either did it or spoofed your page with some bogus HTML to make it look like they did - they can do this by editing the source of the page and inserting text in a certain spot. View your page source after loading in a browser to see what I mean.
To verify that they didn't just enter random text - and that the value of grecaptcha.getResponse() is a valid response from Google, just call their web service with your site key - and the response, itself. I'm doing it from the code-behind with C# like so:
WebRequest CheckCaptcha;
CheckCaptcha = WebRequest.Create(String.Format([Google's Web Service URL],
[Your ***Private*** Site Key],
[The value of grecaptcha.getResponse()],
[IP address]));
Stream strm = CheckCaptcha.GetResponse().GetResponseStream();
StreamReader sr = new StreamReader(strm);
string everything = sr.ReadToEnd();
JavaScriptSerializer JS = new JavaScriptSerializer();
CaptchaResponse GoogleResponse = JS.Deserialize<CaptchaResponse>(everything);
Next, to evaluate Google's response:
if (GoogleResponse.success.ToUpper() != "TRUE")
//Invalid - they are up to no good!
else
//Valid - you're good to go!
Calling their web service is probably slightly different if you're doing it from the client side, but it's the same principle. I hope this helps.

Related

reCAPTCHA - Incorrect key type

I want to secure the form on my website with a reCAPTCHA script. After adding the script and this window is displayed and in it an error - "Information for the website owner - we detected an Error: incorrect key type". I will add that the domain is correctly configured and added in the appropriate section of reCAPTCHA. This is a page written on Jekyll and here may be a problem. For the script to work there correctly you need an encrypted private key - and there may be a problem. I tried to generate the key several times but nothing helped - still the same error. I created new V3 keys and checked. But that too didnt work. Any idea on how to solve this problem?
My code:
... form ...
<input type="hidden" name="options[reCaptcha][siteKey]" value="6LfF_7AZAAAAAK796nWHg-K4DkjG_-pnlfEH7Ch0">
<input type="hidden" name="options[reCaptcha][secret]" value="KX02DlLiKdqKkMkyAThrIVhjP9zydIZ/KC0copPjpdkkA1cX+zy5loEpg+c618R5kZMKXlelpN/2GDItQWNy4alUGQCtP8k8GTioTtZVmuNXal5sbP1OPkXFKof+6auTz5cfeFs2XRkrQlduNAw/Bc0TB/7RiZNOjMNGBSmbKWc=">
<fieldset class="security">
<div class="g-recaptcha" data-sitekey="6LfF_7AZAAAAAK796nWHg-K4DkjG_-pnlfEH7Ch0"></div>
</fieldset>
... end form ...
<script type="text/javascript">
var onload = function() {
grecaptcha.render('html_element', {
'sitekey' : '6LfF_7AZAAAAAK796nWHg-K4DkjG_-pnlfEH7Ch0',
'theme' : 'dark'
});
};
</script>
<script async src="https://www.google.com/recaptcha/api.js?onload=onload"></script>
(Old keys - i generated new)
Link to the page
Link to the repository
(The form is in every post)
I'm solved the problem - now I using the reCAPTCHA v2 - Checkbox. Change of the version solved the problem. Generating new keys for v2 version solved this problem. Captcha displays and works correctly.

How can I successfully perform an xss attack on a dummy website?

in my security course, we were told to practice an xss attack using firefox on this website;
http://permalink.co/
No worries, this is a website specifically setup for us to practice security. The csrf field you see should be set to 1 (for token validation, token is random) and the xss field should be set to 0 for this practice. We should write an html file and include other languages like javascript, such that when our file is executed by the browser, it should just display a blank page. But when refreshed, it should show that we are logged into the website I gave above. The username is 'attacker, and the password is 'l33th4x'.
I basically need to lock in password, username, and token. I came up with a plan to use a cookie and set the token to 'abc'. So, when I come to login, i use the username and password that I know with token=abc that I knowingly set. But my code doesn't work, I was told I need two forms, first one for setting the cookie token to 'abc' and second one for logging in using the three parameters. But I don't see what to put in the 1st form. I came up with the code below but it doesn't work, I need help;
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
<head>
<title> set csrf to 0 and xss to 4 on http://permalink.co/ </title>
</head>
<body>
<iframe style="border:none;width:0px;height:0px" id="iframe_submit" name="iframe_submit"></iframe>
<form id="form_id" action="http://permalink.co/login" method="POST" target="iframe_submit">
<input type="hidden" name = "csrf_token" value="abc"><br>
<input type="hidden" name = "username" value="attacker"><br>
<input type="hidden" name = "password" value="l33th4x"><br>
</form>
<script type="text/javascript">
document.setcookie="csrf_token=abc";
document.forms["form_id"].submit();
</script>
</body>
</html>
For a first hand view of the question, visit the website below and look for number 2.1. This was due last month but I didn't understand it and exams are approaching;
https://www.eecs.umich.edu/courses/eecs388/static/388-w15-proj2.pdf

Yahoo Merchant Store Catalog Tags Insert Dynamically with Javascript, Jquery, or Ajax

I opened up a yahoo store through their Merchant Service. They have a pretty good store catalog that I have used on a business site that I own. I like it so I decided to use the service again on another business I own. I got the site built but have ran into a few issues with calling the Yahoo Catalog Tags. The tags are basically comments. EX: (<!--#ystore_order id=item_id -->). When the site is loaded it is parsed and the page loads the product details in place of this tag/comment.
I can get everything to work except for the action attribute of my form.
I have tried a bunch of things but I cannot seem to get the action set for my form. If I hard code the tag then it works fine but obviously if I did that then I would have to create a page for every single product.
My form:
<div id="list">
<form method="post">
<input id="btnSubmit" type="submit" value="Add To Cart">
</form>
</div>
Trying to add the comment/tag to form action attribute. I've done it this way(below) and also by getting rid of the variable and just paring the url in the jquery attr function.
<script language="javascript">
$.ajaxSetup({cache: false});
$(document).ready(function(){
//Get URL from URL Query String.
var obj = getUrlVars()["Object"];
//Set form action attribute
$('form').attr('action', '<!--#ystore_order id='+ obj +' -->');
});
</script>
I've also tried creating the form dynamically.
<script language="javascript">
$.ajaxSetup({cache: false});
$(document).ready(function(){
//Get URL from URL Query String.
var obj = getUrlVars()["Object"];
var new_form = '<form method="post" action="<!--#ystore_order id='+obj + ' -->">' +
'<input type="submit" value="Add To Cart" id="btnSubmit">' +
'</form>';
$('#list').append(new_form);
});
</script>
I have tried to escape some characters but have had no success there either.
"\<\!--#ystore_order id='+obj + ' --\>"
I know the issue has something to do with the comment syntax but if I can add it manually then I should be able to do it dynamically. I know this is a hard one to test but if anyone thinks they may have a solution I would be happy to set up an ftp account on my site so you can test and I will provide the product ID's for testing. I've fought with this for about 30+ hours.
Yahoo store tags are populated server-side. Adding a store tag on the client side using Javascript won't do anything, because the code that recognizes the store tag and appends the appropriate html will never see the tag you drop in on the client side. There's no client-side solution possible
The best solution here would be to write a server side program to populate a template with the appropriate tag in response to http requests. I'm not super-familiar with the Yahoo store, so I don't know what the best language for this would be, but it would be a very simple program given how straightforward it sounds like your template is. Since this is already embedded in a site you own, I'd just use whatever backend language you are already working in.
Once you have a server side script that executes and returns the html you need, you could use AJAX to populated it with the appropriate product details as needed.

Integration of braintree causing issues

I'm working on Braintree for the first time and getting issues in very first step. I'm not able to access dropin functionality and other..
I need help to sort it out.
I followed steps given here : https://developers.braintreepayments.com/javascript+php/start/overview
First step is Javascript Client! - I followed as mentioned, added script
<script src="https://js.braintreegateway.com/v2/braintree.js"></script>
Then added HTML part
<form id="checkout" method="post" action="/checkout">
<div id="dropin"></div>
<input type="submit" value="Pay $10">
</form>
And at last I've added below script in script tag.
braintree.setup("CLIENT_TOKEN_KEY", 'dropin', {
container: 'checkout'
})
I have checked with Client Token Key obtained from our server.
for next step, I added configurations as mentioned
Braintree_Configuration::environment('sandbox');
Braintree_Configuration::merchantId('use_your_merchant_id'); //updated with our merchant id
Braintree_Configuration::publicKey('use_your_public_key'); // updated with our public key
Braintree_Configuration::privateKey('use_your_private_key'); //updated with our private key
then added
$clientToken = Braintree_ClientToken::generate(array(
"customerId" => $aCustomerId
));
Now, Issues I'm getting -
When I updated $aCustomerId with our customer id, I got a Fatal Error of "customer_id" field undefined in Braintree_ClientToken. So removed array("customer"=>$aCustomerId) and got the client token..
That client token is used in brantree.setup('TOKEN_KEY','dropin',{container:'checkout'}) and got
Error: Unable to find valid container. -braintree.js(line 18)
I also mentioned once var braintree = Braintree.create("CLIENT_TOKEN_KEY"); above brantree.setup('TOKEN_KEY','dropin',{container:'checkout'}) at that time I've got TypeError: braintree.setup is not a function
I'm trying to sort it out this from last two days, but still I didn't get dropin screen as showed in demo.
Hope for good help..
Place all the scripts after the html / footer section, this will work:
<?php
require_once 'braintree-php-2.30.0/lib/Braintree.php';
Braintree_Configuration::environment('sandbox');
Braintree_Configuration::merchantId('-----------');
Braintree_Configuration::publicKey('-----------');
Braintree_Configuration::privateKey('-----------');
if(isset($_POST['submit'])){
/* process transaction */
$result = Braintree_Transaction::sale(array(
'amount' => '234.00',
'creditCard' => array(
'number' => '30569309025904',
'expirationDate' => '05/14'
)
));
if ($result->success) {
print_r("success!: " . $result->transaction->id);
} else if ($result->transaction) {
print_r("Error processing transaction:");
print_r("\n code: " . $result->transaction->processorResponseCode);
print_r("\n text: " . $result->transaction->processorResponseText);
} else {
print_r("Validation errors: \n");
print_r($result->errors->deepAll());
}
}
$clientToken = Braintree_ClientToken::generate();
?>
<html>
<head>
</head>
<body>
<div id="checkout" method="post" action="/checkout">
<div id="dropin"></div>
<input data-braintree-name="number" value="4111111111111111">
<input data-braintree-name="expiration_date" value="10/20">
<input type="submit" id="submit" value="Pay">
<div id="paypal-button"></div>
</div>
<!-- Scripts -->
<script src="https://code.jquery.com/jquery-2.1.1.js"></script>
<script src="https://js.braintreegateway.com/v2/braintree.js"></script>
<script>
braintree.setup("<?php print $clientToken; ?>", "dropin", { container:
jQuery("#dropin") , form: jQuery("#checkout") ,
paymentMethodNonceReceived: function (event, nonce) {
// do something
}
});
</script>
</body>
</html>
I had this problem and solved it by putting the javascript at the end of the page. The alternative would be to enclose it in a document ready test.
The problem occurs because the braintree code tries to find the container as soon as the script is loaded. But if your code is in the head of the document, the container won't have been loaded, so it won't find the container and you'll get an error.
The comment about base64_encoding is incorrect. It works perfectly if the code is triggered after the container has been loaded without mucking around re-encoding an already encoded string.
I work at Braintree. Feel free to reach out to our support team if you have more questions.
The first error you were seeing, Unable to find valid container., will be thrown if the JavaScript cannot find the container you provided. The accepted values for a container are an ID string, DOM node, or jQuery object. Your example code should work, but if it doesn't you could try to pass in a different format, {container: $('#dropin')} for example.
Once you're sure you are passing in the correct container, I'd also recommend making sure you're interpolating in your client token correctly. If you view source on your page, your client token should be a base64 encoded string.
You want to make sure your <script src="https://js.braintreegateway.com/js/braintree-2.32.1.min.js"></script> is as close to the bottom of the page as possible. Right above your tag, if possible. This gives your browser time to load the DOM and then load the Braintree SDK.
Next you want to specify the "container" by passing in the container property to the setup() method. Something like this:
let checkout;
braintree.setup('CLIENT_TOKEN_KEY', 'dropin', {
container: document.getElementById('dropin'), // <- This line here.
onReady: function (integration) {
checkout = integration;
console.log(checkout)
}
});

Submit HTML form to display entered info in new page

I have a HTML form (called form.html)and a JavaScript function such that when form is submitted, information in that form will be displayed.
Now I want all those info will be shown in new HTML page (called confirm.html), where should I go from?
NOTE: No php or sever-side or anything that really seriously related, it's just simple OFFLINE HTML-form problem, I just have 2 html place in same folder, I will test it on my browser, that's it. Only thing that I worry is how to use information from form.html file in confirm.html file since they are obviously separated.
Thank you very much, here is my form.html ( I dont have confirm.html yet)
<HTML>
<HEAD>
<TITLE>Contact</TITLE>
<script type="text/javascript">
function addtext()
{
var fname = document.myform.first_name.value;
var lname = document.myform.last_name.value;
var email = document.myform.email.value;
document.writeln("Thank you! You have just entered the following:");
document.writeln("<pre>");
document.writeln("First Name : " + fname);
document.writeln("Last Name : " + lname);
document.writeln("Email Address : " + email);
}
</script>
</HEAD>
<BODY>
<center>
<b>CONTACT US</b> <br></br>
<form name="myform">
<label for="first_name">First Name </label>
<input type="text" name="first_name" maxlength="50" size="30">
<br>
<label for="last_name">Last Name </label>
<input type="text" name="last_name" maxlength="50" size="30">
<br>
<label for="email">Email Address</label>
<input type="text" name="email" maxlength="80" size="30">
<br>
<input type="submit" value="Submit" onClick="addtext()">
</form>
</BODY>
</HTML>
Check out the window object of JavaScript: http://www.devguru.com/technologies/javascript/10855.asp
It has a property location, if you write into it, your browser will redirect:
window.location = "http://www.google.com";
Note though, that this will not post your data to confirm.html. what you are trying to do without server-side scripting is not very useful. An HTML form will use CGI (common gateway interface) to send data to a server, that can then process the information. If you use the file:// protocol (as you seem to be doing; all local, static files), there is no server-side to process the data, only JavaScript.
If using the GET method of sending the data through CGI, you could extract the data from the URL using javaScript (as mentioned in another question). To do this, just update your form like this:
<form action="confirm.html" method="get">
And do not put a onClick handler on the submit button, just let it submit.
Many other tools exist though that way more are suitable for the job: server-side scripting languages, examples include PHP, ASP, JSP. For local setups, your best best is using XAMPP.
If you don't want to rely on server-side technology, this becomes more complicated (and hacky, I might add). Probably the easiest would be to generate a url like this on submit -
http://localhost/confirm.html?first_name=val1&last_name=val2&email=val3
then add some code to confirm.html to unpack this. Here's a related question you may find helpful.
If you'd allow me a moment of editorializing, what exactly are you trying to do? If this is just a personal project to see how html works, then I'd strongly recommend starting to learn about server-side technology - once you start wanting to handle user data and persist state, you're pretty much forced to use the server. The web is by design pretty stateless; you can't pass variable in-between pages without either using the server, or through some very complicated AJAX & DOM updating techniques which tend to rely on specialized server files anyway. You can run a PHP & MySQL server locally using existing technology, and if you're interested in expanding your knowledge of web technology this is an inevitable step.

Categories

Resources