[Security] Bypassing captcha by removing form fields

[JanStorm]

Its possible to just remove the captcha input field "name-recaptcha-id" (e.g. kontakt-recaptcha-1) via inspector or something to bypass recaptcha check. With this missing input field, the "recaptcha-token" is not processed. (Which can be removed by user, too!)
So an attacker could easily spam the form again.

When checking if we have to process recaptcha-token, you should not believe the "name-recaptcha-id" field, instead there has to be something server-side which knows whether there was a captcha displayed or not.

[garbast]

Feel free to submit a PR with a solution for this.

[GerDner]

We have the same Problem. I think we will look into this and provide a PR if we can confirm the problem. We currently have problems with spam + recaptcha.

[garbast]

I cant reproduce the problem.

By removing the following fields either both or one of them, the validation still does kick in and redirects to the website.
tx_form_formframework[test-19][recaptcha-1]
<textarea id="g-recaptcha-response" name="g-recaptcha-response" class="g-recaptcha-response" style="width: 250px; height: 40px; border: 1px solid rgb(193, 193, 193); margin: 10px 25px; padding: 0px; resize: none; display: none;"></textarea>

I testet on TYPO3 11.1 with recaptcha 11.0.0. The same validation logic is used in 10.4, so i asume that the behaviour is the same.

[ulbrich-media]

We encountered the same problem, but on an old TYPO3 running on 8.7.x with recaptcha 8.5.0. I did not test this on a current TYPO3 or recaptcha, but it seems like this is an issue with some older versions of this extension. Where there some bigger changes between these version that maybe prevent this?