
Why captcha is not a CSRF protection

A CAPTCHA consists of two bound values: a challenge and a response. The challenge is the ID of an image, and it must not disclose in any way what the response is. Nothing about either value ties it to the user's session or to the origin of the request that carries it. Demo:

  1. open http://www.google.com/recaptcha/learnmore
  2. copy the challenge value (the c parameter of the CAPTCHA)
  3. solve the CAPTCHA yourself and put the challenge and your answer into the CSRF Tool: http://homakov.github.io/#eyJ1cmwiOiJodHRwOi8vd3d3Lmdvb2dsZS5jb20vcmVjYXB0Y2hhL2RlbW8vIiwiYXV0b3N1Ym1pdCI6ZmFsc2UsInRhcmdldCI6Il90b3AiLCJkYXRhIjoicmVjYXB0Y2hhX2NoYWxsZW5nZV9maWVsZD0wM0FISl9WdXY0SlpxVWFncWl2MHlTdlhrbjlELW5QWW9QSDRCMDk3VlpObmZzSkpxYWZlcnVCZU5mRnJtQjNjQ0c0c29wNUNEWVc0ZUxkVVN0WGlCZl9TTm41UDNhYVJJNVpxX2sxUE0zN09ySWhvWXZMREdCdVNEazZFamUtVUVmeFYwZUxVckJ3dWNiZXZTdnVNckdvVi1LeHZCbm5vdkZQQVpfQ0hadG1NYnkxczdMYVpQY19UNCZyZWNhcHRjaGFfcmVzcG9uc2VfZmllbGQ9bmVjY2Vzc2FyeSUyMGRjdXJpbmNlJiIsIm1ldGhvZCI6IlBPU1QifQ==
  4. As you can see, the CAPTCHA doesn't care about the request's Origin: an attacker can solve a challenge in their own browser and forward the challenge/response pair in a forged request from the victim's browser. A CAPTCHA is only a mitigation against automated requests and spam (and not a perfect one either, e.g. http://antigate.com/).

P.S. Yes, the challenge could be stored in a cookie, but that would still be a weak form of protection.

@TheRook
TheRook commented May 20, 2013

Isn't the "c param" a valid CSRF token? Wouldn't you have to use XSS to obtain this value to forge the request?

@homakov
Owner
homakov commented Aug 14, 2013

@therook No, the c param means challenge; it is not stored in cookies and not tied to an account. You can change it to your own value.
