Solved: How to integrate reCAPTCHA Enterprise (frictionles...

aborge · 03-03-2023 05:06 AM

The example provided on reCAPTCHA Enterprise frictionless assessment, uses the following rule to detect an action on the login page and allows it:
request.path.matches(\"/login.html\") && token.recaptcha_action.score >= 0.8

However, is not clear if the request.path on the rule refers to a Front-End (website) route or a backend route. If it refers to the latter: What is needed to craft an equivalent rule for a GraphQL endpoint? on GraphQL there is a single path /graphql using always the POST method for all the actions.

Would be the rule below enough?
token.recaptcha_action.action === 'login' && token.recaptcha_action.score>= 0.8

What if an attacker decides to call directly to the API where reCAPTCHA Enterprise doesn't exists? Maybe I am missing some piece of information but I don't see how the tool would solve this problem for a GraphQL endpoint.

Any comment is greatly appreciated!

imtaher

The request.path in the Cloud Armor rule refers to the path of the request that is being made to your application. For a Front-End (website) route, the path would be something like /login.html, and for a backend route like a GraphQL endpoint, the path would be /graphql.

To create an equivalent rule for a GraphQL endpoint, you can use the request.path to match the path of your GraphQL endpoint and then check the recaptcha_action in the token to ensure that it has a score greater than or equal to the threshold you have set.

The rule you have provided, token.recaptcha_action.action === 'login' && token.recaptcha_action.score>= 0.8, should work for a GraphQL endpoint that requires authentication. However, keep in mind that if an attacker calls the API directly where reCAPTCHA Enterprise is not implemented, this rule would not provide any protection.

To protect your API from direct attacks, you may want to consider implementing other security measures, such as rate limiting, IP blocking, and/or authentication. You can use Cloud Armor to implement these measures as well, by creating rules that block requests from certain IP addresses or limit the number of requests from a single IP address within a certain time frame. This can help protect your API even if reCAPTCHA Enterprise is not present on all endpoints.

View solution in original post

Marvin_Lucero

Hi @aborge ,

@aborge wrote:

However, is not clear if the request.path on the rule refers to a Front-End (website) route or a backend route. If it refers to the latter

Technically, the rule request.path has to be done on the backend route, else it would expose your reCaptcha security policy.

You can follow these steps to configure the security policy for the backend service. I am not familiar how GraphQL works so I cannot really tell how to integrate it with reCaptcha Enterprise. But, I can recommend Apigee, and how it work with GraphQL. You can check this documentation for the steps and overview.

imtaher

The request.path in the Cloud Armor rule refers to the path of the request that is being made to your application. For a Front-End (website) route, the path would be something like /login.html, and for a backend route like a GraphQL endpoint, the path would be /graphql.

To create an equivalent rule for a GraphQL endpoint, you can use the request.path to match the path of your GraphQL endpoint and then check the recaptcha_action in the token to ensure that it has a score greater than or equal to the threshold you have set.

The rule you have provided, token.recaptcha_action.action === 'login' && token.recaptcha_action.score>= 0.8, should work for a GraphQL endpoint that requires authentication. However, keep in mind that if an attacker calls the API directly where reCAPTCHA Enterprise is not implemented, this rule would not provide any protection.

To protect your API from direct attacks, you may want to consider implementing other security measures, such as rate limiting, IP blocking, and/or authentication. You can use Cloud Armor to implement these measures as well, by creating rules that block requests from certain IP addresses or limit the number of requests from a single IP address within a certain time frame. This can help protect your API even if reCAPTCHA Enterprise is not present on all endpoints.

aborge

@Marvin_Lucero Thanks for your reply, I understand the rule should be added on a Load Balancer Backend-End service, I just wasn't sure about to what route (Back-end or Front-end) the request.path property was referring. But @imtaher has clarified that in this particulcar the request.path property refers to the /graphql route of my API.

@imtaher Thanks for the help, I was hoping to avoid the attacks hitting directly to my API by stopping them with Cloud Armor, but it seems I'll need to involve my API to create an assessment, interpret the score, understand the level of risk and response accordingly as described in this guide: https://cloud.google.com/recaptcha-enterprise/docs/create-assessment#node.js

On GraphQL the request body contains information about which action is being executed, my initial thought was to leverage this fact. But unfortunately, the request.body is not a property listed on the available attributes to read from a security rule: https://cloud.google.com/armor/docs/rules-language-reference#attributes

Webinar May 29th: Log Ingestion: Bindplane + Google SecOps

How to integrate reCAPTCHA Enterprise (frictionless assessment) with Cloud Armor using GraphQL