Why captcha is not a CSRF protection

gistfile1.md

CAPTCHA consists of two bound values: challenge and response. Challenge is ID of Image. Challenge must not disclose anyhow what response is. Demo:

1. open http://www.google.com/recaptcha/learnmore
2. copy challenge value (c param from captcha )
3. solve captcha yourself and put your data in CSRF Tool http://homakov.github.io/#eyJ1cmwiOiJodHRwOi8vd3d3Lmdvb2dsZS5jb20vcmVjYXB0Y2hhL2RlbW8vIiwiYXV0b3N1Ym1pdCI6ZmFsc2UsInRhcmdldCI6Il90b3AiLCJkYXRhIjoicmVjYXB0Y2hhX2NoYWxsZW5nZV9maWVsZD0wM0FISl9WdXY0SlpxVWFncWl2MHlTdlhrbjlELW5QWW9QSDRCMDk3VlpObmZzSkpxYWZlcnVCZU5mRnJtQjNjQ0c0c29wNUNEWVc0ZUxkVVN0WGlCZl9TTm41UDNhYVJJNVpxX2sxUE0zN09ySWhvWXZMREdCdVNEazZFamUtVUVmeFYwZUxVckJ3dWNiZXZTdnVNckdvVi1LeHZCbm5vdkZQQVpfQ0hadG1NYnkxczdMYVpQY19UNCZyZWNhcHRjaGFfcmVzcG9uc2VfZmllbGQ9bmVjY2Vzc2FyeSUyMGRjdXJpbmNlJiIsIm1ldGhvZCI6IlBPU1QifQ==
4. As you can see CAPTCHA doesn't care about request's Origin. It is only a mitigation from automated requests and spam (although not perfect too, e.g. http://antigate.com/)

P.S. yes, challenge can be stored in the cookie but it will remain lame.

Isn't the "c param" a valid csrf-token? Wouldn't you have to use XSS to obtain this value to forge the request?

Isn't the "c param" a valid csrf-token? Wouldn't you have to use XSS to obtain this value to forge the request?

@TheRook no, c param means challenge, it is not stored in cookies and not tied to account. You can change it to your value

@TheRook no, c param means challenge, it is not stored in cookies and not tied to account. You can change it to your value