Which will be processed by the web application and the attacker will be granted access. Given that the reCAPTCHA API uses the first one, the response to this request is always: HTTP/1.1 200 OKĬontent-Type: application/json charset=utf-8 Note that the request contains two secret parameters, the first one is controlled by the attacker (due to the HTTP parameter pollution in the vulnerable web application) and the second one is controlled by the application itself. Recaptcha-response=anything&secret=6LeIxAcTAAAAAGG-vFI1TnRWxMZNFuojJ4WifJWe&secret=6LeYIbsSAAAAAJezaIq3Ft_hSTo0YtyeFG-JgRtu Host: Content-Type: application/x-www-form-urlencoded When the attack requirements are met, the following HTTP request is sent by the web application to the reCAPTCHA API: POST /recaptcha/api/siteverify HTTP/1.1
This HTTP request will look like: POST /verify-recaptcha-response HTTP/1.1
The user solves the CAPTCHA and clicks “Verify”, which will trigger an HTTP request to the web application.
When the web application wants to challenge the user, Google provides an image set and uses JavaScript code to show them in the browser as follows: The following introduction is for the use case where the vulnerability was found. reCAPTCHA is a complex beast with a lot of use cases: sometimes it will trust you based on your existing cookies, sometimes it will require you to solve multiple challenges. ReCAPTCHA is a Google service that allows web application developers to add a CAPTCHA to their site with minimal effort. The security issue was fixed “upstream” at Google’s reCAPTCHA API and no modifications are required to your web applications. The bypass required the web application using reCAPTCHA to craft the request to /recaptcha/api/siteverify in an insecure way but when this situation occurred the attacker was able to bypass the protection every time. I reported a reCAPTCHA bypass to Google in late January.