Why CAPTCHA is not a CSRF protection

A CAPTCHA consists of two bound values: a challenge and a response. The challenge is the ID of the image, and it must not disclose in any way what the response is. Nothing in that pair, however, ties it to a particular user's session or to the origin of the request that carries it. Demo:

  1. open http://www.google.com/recaptcha/learnmore
  2. copy the challenge value (the c parameter of the CAPTCHA request)
  3. solve the CAPTCHA yourself and put your challenge and response into the CSRF Tool: http://homakov.github.io/#eyJ1cmwiOiJodHRwOi8vd3d3Lmdvb2dsZS5jb20vcmVjYXB0Y2hhL2RlbW8vIiwiYXV0b3N1Ym1pdCI6ZmFsc2UsInRhcmdldCI6Il90b3AiLCJkYXRhIjoicmVjYXB0Y2hhX2NoYWxsZW5nZV9maWVsZD0wM0FISl9WdXY0SlpxVWFncWl2MHlTdlhrbjlELW5QWW9QSDRCMDk3VlpObmZzSkpxYWZlcnVCZU5mRnJtQjNjQ0c0c29wNUNEWVc0ZUxkVVN0WGlCZl9TTm41UDNhYVJJNVpxX2sxUE0zN09ySWhvWXZMREdCdVNEazZFamUtVUVmeFYwZUxVckJ3dWNiZXZTdnVNckdvVi1LeHZCbm5vdkZQQVpfQ0hadG1NYnkxczdMYVpQY19UNCZyZWNhcHRjaGFfcmVzcG9uc2VfZmllbGQ9bmVjY2Vzc2FyeSUyMGRjdXJpbmNlJiIsIm1ldGhvZCI6IlBPU1QifQ== (the fragment is a base64-encoded JSON description of the cross-origin POST: target URL, form data with recaptcha_challenge_field and recaptcha_response_field, and method)
  4. As you can see, the CAPTCHA does not care about the request's origin. The attacker solves the CAPTCHA in their own browser and then has the victim's browser submit the already-solved challenge/response pair, together with the victim's cookies. A CAPTCHA is only a mitigation against automated requests and spam (and not a perfect one either, e.g. http://antigate.com/).

P.S. Yes, the challenge can be tied to the user's session (e.g. stored in the cookie), but even then it remains a poor substitute for a real CSRF token.

TheRook commented May 20, 2013

Isn't the "c param" a valid CSRF token? Wouldn't you have to use XSS to obtain this value to forge the request?

homakov (Owner) commented Aug 14, 2013

@TheRook No, the c param means challenge; it is not stored in cookies and not tied to an account. You can change it to your own value.