I just exploited a site that was using this project; it took less than 5 minutes to figure it out. Now I saw this issue from 4 years ago, and I wonder why someone would still use it nowadays. Hahaha.
Because the hash is calculated client-side, it's incredibly easy to automate form entry on any form using this by simply filling out the hash field:
An attacker doesn't even have to use JavaScript for submits; they can just use _hash once to figure out one matching pair of values, and then pass that into whatever app to keep making POST requests.
Even if the hash was calculated & salted server-side and the captcha was also generated server-side, there's still the absurd fact that the captcha text is presented as a series of predictable, easy-to-interpret, plaintext asterisk characters!
I'm sorry, but this entire plugin is laughable.
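For contrast with the client-side hash described in this issue, here is a sketch of server-side validation in which the check is keyed with a secret the client never sees and each solved challenge is single-use, so one captured matching pair cannot be replayed. It is an added example, not code from this plugin or its author. The names `issue_challenge`, `verify`, `SERVER_KEY` and `TTL_SECONDS` are hypothetical, Python stands in for whatever language the server uses, and the challenge is assumed to be rendered as a server-side image rather than as plaintext characters.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # assumption: per-deployment secret, never sent to the client
TTL_SECONDS = 120                     # assumption: how long a challenge stays valid
_used_nonces = set()                  # assumption: in-memory; use a shared store across workers


def _mac(nonce, expires, answer):
    # Keyed MAC over nonce, expiry and normalised answer. Without SERVER_KEY the
    # client cannot compute a matching value, unlike an unkeyed client-side hash.
    msg = f"{nonce}|{expires}|{answer.strip().upper()}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_challenge(answer, now=None):
    """Return the opaque token for the form's hidden field."""
    now = time.time() if now is None else now
    nonce = secrets.token_hex(16)
    expires = int(now) + TTL_SECONDS
    return f"{nonce}.{expires}.{_mac(nonce, expires, answer)}"


def verify(token, submitted, now=None):
    """Accept a submission only if it is well-formed, unexpired, unused and correct."""
    now = time.time() if now is None else now
    try:
        nonce, expires_s, mac = token.split(".")
        expires = int(expires_s)
    except ValueError:
        return False  # malformed token
    if now > expires or nonce in _used_nonces:
        return False  # expired, or this challenge was already solved once
    expected = _mac(nonce, expires, submitted)
    if not hmac.compare_digest(expected.encode(), mac.encode("utf-8", "replace")):
        return False  # wrong answer, or expiry/MAC was tampered with
    _used_nonces.add(nonce)  # burn on success so the solved pair cannot be replayed
    return True


if __name__ == "__main__":
    token = issue_challenge("K7QPX2")   # constructed sample answer
    print(verify(token, "k7qpx2"))      # first correct submission
    print(verify(token, "k7qpx2"))      # same pair replayed
```

Failed attempts are not burned here, so guessing against a single token still needs rate limiting on the endpoint.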