Snaptcha
ExpressionEngine 2, ExpressionEngine 3, ExpressionEngine 4, ExpressionEngine 5, ExpressionEngine 6
Bypassing form with POST submissions
Support Request
psalms4u
Posted: 24 December 2019 09:25 AM
We have been using Snaptcha for years and it completely stopped spam account creation. However, we have lately been the victim of stolen credit card validation attempts through our subscription system. Their method is to have a human sign up for a subscription, then capture all of the HTTP POST headers and then alter and resubmit them using a script. They do not submit the form itself; they only submit the data to the form page (which is set in the action attribute of the form). Snaptcha did not stop the submission of 6000+ subscriptions using stolen credit card data. It is set at security level 3. Is this a known weakness of Snaptcha or what is happening? Please advise.
PutYourLightsOn
Posted: 24 December 2019 09:44 AM | # 1
Sorry to hear that. Which form add-on is being used to process paid subscriptions?
psalms4u
Posted: 24 December 2019 10:00 AM | # 2
We are using Membrr. However, my main question is this: Since Snaptcha loads with JavaScript and is triggered on form submission, if I just follow the process described above and post an HTTP submission straight back to the form, Snaptcha can’t stop that reception of HTTP data, correct? In other words, once a human has submitted the form validly, those captured headers (and any alteration made to the data in them) can keep being resubmitted, thereby bypassing Snaptcha. Is that correct?
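Added example, not part of the thread and not Snaptcha's or Membrr's code: a generic server-side check that accepts each rendered form once, so a captured POST that is resubmitted gets rejected before any payment logic runs. The class and method names, the token layout and the in-memory store are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time


class OneTimeFormTokens:
    """Hypothetical helper: single-use, session-bound, expiring form tokens."""

    def __init__(self, key, ttl=900):
        self.key = key      # server-side secret, never sent to the browser
        self.ttl = ttl      # seconds a rendered form stays valid
        self.spent = {}     # nonce -> expiry; assumed to be a shared DB/cache in production

    def _mac(self, session_id, nonce, expiry):
        msg = f"{session_id}|{nonce}|{expiry}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def issue(self, session_id, now=None):
        """Call when the server renders the form; put the result in a hidden field."""
        now = time.time() if now is None else now
        nonce = secrets.token_hex(16)
        expiry = int(now) + self.ttl
        return f"{nonce}.{expiry}.{self._mac(session_id, nonce, expiry)}"

    def redeem(self, session_id, token, now=None):
        """Call first in the POST handler; True means this form was not seen before."""
        now = time.time() if now is None else now
        try:
            nonce, expiry_s, mac = token.split(".")
            expiry = int(expiry_s)
        except (AttributeError, ValueError):
            return False    # missing or malformed token
        expected = self._mac(session_id, nonce, expiry)
        if not hmac.compare_digest(mac.encode(), expected.encode()):
            return False    # forged, or issued to a different session
        if now > expiry:
            return False    # form was rendered too long ago
        # Forget nonces whose tokens have expired anyway, then record this one.
        self.spent = {n: e for n, e in self.spent.items() if e >= now}
        if nonce in self.spent:
            return False    # same request submitted again
        self.spent[nonce] = expiry
        return True
```

This only rejects resubmission of a request that was already accepted, so it is normally paired with rate limits on form rendering and on subscription attempts per session and per address.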