Google actually has a really easy Captcha system. As long as you have access to PHP or another form of server-side scripting, it is fairly secure and has all the reliability you associate with a major software distributor.
Here are the bullet points:
- You need to register with Google at https://www.google.com/recaptcha/intro/v3.html so that the script will work; the registration is tied to the website it runs on.
- They advise that you use a different key for development, which might use localhost.
- The checkbox you’ve seen everywhere, the one that asks “I am not a robot”, is as easy as 1 script tag AND 1 HTML DIV.
- It uses data-mined intelligence to determine whether you need to be asked to recognize objects in an image after you click the button.
- If you want additional actions in the browser after Google has verified you are not a robot, that takes 1 additional JavaScript function.
- When Google verifies you are not a robot, the callback function just mentioned should take one parameter, the g-recaptcha-response.
- This g-recaptcha-response needs to be sent as part of your form request to your server-side script, to secure the Captcha end-to-end. The server-side script should send this code to Google’s servers to re-check that Google sent the reCAPTCHA approval within 2 minutes.
There are PHP and ASP.NET libraries already built and ready to download, to make life easier for you. I will not go over those here. I was looking for the proof-of-concept, bare-minimum requirement to implement this system, regardless of your server-side scripting system. I, however, am using ASP.NET, so my server-side code examples will be in C# and follow MVC2 conventions.
Step 1. Go to Google and register a URL where the reCaptcha will be used.
Go to https://www.google.com/recaptcha/intro/v3.html and register for the SITE_KEY (cut and pasted into the HTML) and the SECRET_KEY (stored with your server scripts, so they can send it back to Google to double-check that the form submission passed CAPTCHA).

Step 2. Change your HTML code.
```html
<form action="..." method="...">
  <!-- ...Bunch of input tags... -->
  <div class="g-recaptcha" data-sitekey="GOOGLE-SITE-KEY" data-callback="googlecheck"></div>
  <script>
    // Called by reCAPTCHA once the user passes; receives the g-recaptcha-response token.
    function googlecheck(responsecode) {
      // Copy the token into the hidden field so it is posted with the form.
      document.getElementById("recaptcha_response_code").value = responsecode;
      document.getElementById("submitbutton").disabled = false;
    }
  </script>
  <script src='https://www.google.com/recaptcha/api.js'></script>
  <!-- The id must match the getElementById call above exactly. -->
  <input type="hidden" name="recaptcha_response_code" id="recaptcha_response_code" value="">
  <input type="submit" name="Submit" id="submitbutton" disabled value="Submit">
</form>
```
And now you should get:
Step 3. Yes, you actually do need to do some server side scripting…
It’ll work, but if you leave out the recaptcha_response_code, some smart-ass is going to realize your code doesn’t double-check with Google that it was ever verified at all, and he’s going to bypass the browser to send spam directly to your server-side script.
So now you have to send the recaptcha_response_code in your form request and read it on the server, using your server-side scripting of choice. I don’t know PHP, but I do know ASP.NET and C#. Below is a C# class to send the response code to Google and check the result. It’s an ugly, ugly parser for the JSON-formatted response, but I’m not painting the Mona Lisa here and don’t feel like upgrading my framework for what can be done in 15 minutes of ugly code.
```csharp
using System;
using System.IO;
using System.Net;
using System.Web;

public class GoogleRecaptchaProxy
{
    // Sends the browser's response code to Google and returns the parsed verdict.
    public RecaptchaVerifyResult VerifyClientResult(string responsecode)
    {
        var url = getURL(responsecode);
        var response = getHttpGet(url);
        var result = new RecaptchaVerifyResult();
        result.ParseJson(response);
        return result;
    }

    // The secret travels in the query string here; Google's documentation
    // describes siteverify as a POST request.
    string getURL(string responsecode)
    {
        // https://www.google.com/recaptcha/api/siteverify?secret=------&response=------
        return string.Format("https://www.google.com/recaptcha/api/siteverify?secret={0}&response={1}", HttpUtility.UrlEncode(GoogleSecretCode), HttpUtility.UrlEncode(responsecode));
    }

    // Performs the HTTP request and returns the response body as a string.
    string getHttpGet(string url)
    {
        HttpWebRequest request = (HttpWebRequest)WebRequest.Create(url);
        using (HttpWebResponse response = (HttpWebResponse)request.GetResponse())
        using (Stream stream = response.GetResponseStream())
        using (StreamReader reader = new StreamReader(stream))
        {
            return reader.ReadToEnd();
        }
    }

    static public string GoogleSecretCode { get; set; }
}

public class RecaptchaVerifyResult
{
    //{
    //  "success": true,
    //  "challenge_ts": "2019-05-06T22:39:25Z",
    //  "hostname": "www.*.net"
    //}
    public bool Success;
    public DateTime ChallengeTime;
    public string Hostname;
    public string Raw;

    // String-search parser: expects the three keys in the order and spacing shown above.
    // Returns false (and leaves Success at its default of false) if any key is missing.
    public bool ParseJson(string json)
    {
        this.Raw = json;
        var successstart = json.IndexOf("\"success\": ");
        if (successstart >= 0)
        {
            successstart += "\"success\": ".Length;
            var successend = json.IndexOf(",", successstart);
            if (successend >= 0)
            {
                var timestampstart = json.IndexOf("\"challenge_ts\": \"", successend);
                if (timestampstart >= 0)
                {
                    timestampstart += "\"challenge_ts\": \"".Length;
                    var timestampend = json.IndexOf("\"", timestampstart);
                    if (timestampend >= 0)
                    {
                        var hostnamestart = json.IndexOf("\"hostname\": \"", timestampend);
                        if (hostnamestart >= 0)
                        {
                            hostnamestart += "\"hostname\": \"".Length;
                            var hostnameend = json.IndexOf("\"", hostnamestart);
                            if (hostnameend >= 0)
                            {
                                var success = json.Substring(successstart, successend - successstart);
                                var timestamp = json.Substring(timestampstart, timestampend - timestampstart);
                                var hostname = json.Substring(hostnamestart, hostnameend - hostnamestart);
                                if (!bool.TryParse(success, out this.Success))
                                    return false;
                                if (!DateTime.TryParse(timestamp, out this.ChallengeTime))
                                    return false;
                                this.Hostname = hostname;
                                return true;
                            }
                        }
                    }
                }
            }
        }
        return false;
    }
}
```
The intended usage is to set the GoogleRecaptchaProxy.GoogleSecretCode
in the Global.asax, and read the value from the web.config file’s
```csharp
using System.Web.Configuration;

public class MvcApplication : System.Web.HttpApplication
{
    // ...some methods...

    protected void Application_Start()
    {
        // ...some code to run...

        // Read the reCAPTCHA secret from web.config once at startup.
        var googlerecaptchacode = WebConfigurationManager.AppSettings["GoogleRecaptchaSecret"] as string;
        LazyRegistration.Models.GoogleRecaptchaProxy.GoogleSecretCode = googlerecaptchacode;
    }
}
```
The rest is obvious depending on whether you use MVC2 Controller syntax, or ASP.NET WebForms syntax.
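The class above fills in Hostname and ChallengeTime, but the accept-or-reject decision is left to the caller, and its string search depends on the exact spacing and key order of Google's reply. As an added example (not code from this post), here is one way to make that decision with a real JSON parser, failing closed on anything unexpected; the class name RecaptchaDecision, the 30-second clock-skew allowance, the www.example.net hostname and the sample replies are assumptions constructed for illustration, and it assumes a reference to System.Web.Extensions.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Web.Script.Serialization; // assumes a reference to System.Web.Extensions

public static class RecaptchaDecision   // hypothetical name, not from the post
{
    // Accept only when Google reports success, the challenge was solved on our own
    // hostname, and challenge_ts is no older than maxAge. Anything else is rejected.
    public static bool IsAcceptable(string json, string expectedHost, DateTime utcNow, TimeSpan maxAge)
    {
        Dictionary<string, object> f;
        try { f = new JavaScriptSerializer().Deserialize<Dictionary<string, object>>(json); }
        catch (Exception) { return false; }              // malformed body: fail closed
        if (f == null) return false;                     // empty body

        object success, host, ts;
        if (!f.TryGetValue("success", out success) || !(success is bool) || !(bool)success)
            return false;
        if (!f.TryGetValue("hostname", out host) ||
            !string.Equals(host as string, expectedHost, StringComparison.OrdinalIgnoreCase))
            return false;
        DateTime solvedAt;
        if (!f.TryGetValue("challenge_ts", out ts) ||
            !DateTime.TryParse(ts as string, CultureInfo.InvariantCulture,
                DateTimeStyles.AssumeUniversal | DateTimeStyles.AdjustToUniversal, out solvedAt))
            return false;
        TimeSpan age = utcNow - solvedAt;
        // The 30 s allowance for clock skew is an assumption, not a Google requirement.
        return age > TimeSpan.FromSeconds(-30) && age <= maxAge;
    }

    public static void Main()
    {
        // Constructed sample replies (not captured traffic); note there is no space after the colons.
        DateTime now = new DateTime(2019, 5, 6, 22, 40, 0, DateTimeKind.Utc);
        TimeSpan limit = TimeSpan.FromMinutes(2);        // the 2-minute window mentioned above
        string fresh  = "{\"success\":true,\"challenge_ts\":\"2019-05-06T22:39:25Z\",\"hostname\":\"www.example.net\"}";
        string stale  = "{\"success\":true,\"challenge_ts\":\"2019-05-06T22:30:00Z\",\"hostname\":\"www.example.net\"}";
        string other  = "{\"success\":true,\"challenge_ts\":\"2019-05-06T22:39:25Z\",\"hostname\":\"other.example.org\"}";
        string failed = "{\"success\":false,\"error-codes\":[\"invalid-input-response\"]}";
        foreach (string reply in new[] { fresh, stale, other, failed, "not json" })
            Console.WriteLine("{0} <- {1}", IsAcceptable(reply, "www.example.net", now, limit), reply);
    }
}
```

Only the first reply is accepted; the stale, wrong-hostname, failed and malformed replies are all rejected.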