CAPTCHA consists of two bound values: the challenge and the response. The challenge is the ID of the image. The challenge must not disclose in any way what the response is. Demo:
- open http://www.google.com/recaptcha/learnmore
- copy the challenge value (the c param from the captcha)
- solve the captcha yourself and put your data into the CSRF Tool http://homakov.github.io/#eyJ1cmwiOiJodHRwOi8vd3d3Lmdvb2dsZS5jb20vcmVjYXB0Y2hhL2RlbW8vIiwiYXV0b3N1Ym1pdCI6ZmFsc2UsInRhcmdldCI6Il90b3AiLCJkYXRhIjoicmVjYXB0Y2hhX2NoYWxsZW5nZV9maWVsZD0wM0FISl9WdXY0SlpxVWFncWl2MHlTdlhrbjlELW5QWW9QSDRCMDk3VlpObmZzSkpxYWZlcnVCZU5mRnJtQjNjQ0c0c29wNUNEWVc0ZUxkVVN0WGlCZl9TTm41UDNhYVJJNVpxX2sxUE0zN09ySWhvWXZMREdCdVNEazZFamUtVUVmeFYwZUxVckJ3dWNiZXZTdnVNckdvVi1LeHZCbm5vdkZQQVpfQ0hadG1NYnkxczdMYVpQY19UNCZyZWNhcHRjaGFfcmVzcG9uc2VfZmllbGQ9bmVjY2Vzc2FyeSUyMGRjdXJpbmNlJiIsIm1ldGhvZCI6IlBPU1QifQ==
- As you can see, CAPTCHA doesn't care about the request's Origin. It is only a mitigation against automated requests and spam (although not a perfect one either, e.g. http://antigate.com/)
P.S. Yes, the challenge can be stored in a cookie, but it will remain lame.
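An added illustration of the point above (example code, not from the original post): a minimal server-side simulation in which a CAPTCHA-only check accepts a pre-solved challenge/response pair no matter where the request came from, while a CSRF token bound to the victim's session rejects the same submission. The stores, handler functions and the challenge/response values are hypothetical and constructed; only the two reCAPTCHA form field names are real.

```python
# Added example, not from the original post: why a CAPTCHA pair is not a CSRF
# defence, and what binding the form to the session changes. All names constructed.
import hmac
import secrets

# Server-side CAPTCHA store: opaque challenge id -> expected response (constructed).
# The id reveals nothing about the answer; single-use expiry is omitted for brevity.
CAPTCHA_STORE = {"challenge-id-constructed": "constructed answer"}

# Server-side session store: session id (sent in the cookie) -> per-session CSRF token.
SESSIONS = {}

def new_session():
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"csrf": secrets.token_urlsafe(32)}
    return sid

def captcha_ok(form):
    """Does the response match the challenge? Nothing here looks at the
    request's origin or at which session submitted it."""
    expected = CAPTCHA_STORE.get(form.get("recaptcha_challenge_field"))
    given = form.get("recaptcha_response_field", "")
    return expected is not None and hmac.compare_digest(expected, given)

def handle_captcha_only(cookies, form):
    # CAPTCHA as the only check: a pre-solved pair passes from any site.
    return captcha_ok(form)

def handle_hardened(cookies, form):
    """CAPTCHA plus a CSRF token tied to the session cookie. A third-party page
    can carry a solved CAPTCHA, but it cannot read the victim's token."""
    session = SESSIONS.get(cookies.get("sid"))
    if session is None:
        return False
    if not hmac.compare_digest(session["csrf"], form.get("csrf_token", "")):
        return False
    return captcha_ok(form)

def demo():
    victim_sid = new_session()
    cookies = {"sid": victim_sid}  # the browser attaches the victim's cookie itself
    # Cross-site POST carrying a pair solved elsewhere; no token from the victim's page.
    forged = {"recaptcha_challenge_field": "challenge-id-constructed",
              "recaptcha_response_field": "constructed answer"}
    # The same form submitted from the site's own page, which embeds the token.
    legit = dict(forged, csrf_token=SESSIONS[victim_sid]["csrf"])
    return {"captcha_only_accepts_forged": handle_captcha_only(cookies, forged),
            "hardened_rejects_forged": not handle_hardened(cookies, forged),
            "hardened_accepts_legit": handle_hardened(cookies, legit)}
```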
Isn't the "c param" a valid CSRF token? Wouldn't you have to use XSS to obtain this value to forge the request?