Hello!
The README implementation may not provide the anti-bot guarantees necessary.
Someone who's writing a bot would only have to request one captcha and find its solution. Once the attacker finds the solution, so long as they never request another captcha, they can continuously send the same solution over and over. There is nothing to force the attacker to request a new captcha and regenerate the solution, especially if the attacker doesn't use a browser (and therefore doesn't automatically load the image).
I understand it's just README sample code, but I would recommend leaving a note on the README that suggests people don't blindly copy-and-paste and throw it into production.
A solution could be as easy as invalidating the session once a user tries to answer/respond to the captcha.
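As an added illustration of the replay problem and the one-time-use fix described above (this is not the project's README code; the dict-like session store, the `captcha_solution` key and the function names are assumptions):

```python
import hmac
import secrets
import string

SESSION_KEY = "captcha_solution"  # assumed session key name, not from the project


def issue_captcha(session: dict, length: int = 6) -> str:
    """Generate a new challenge and store its solution in the (assumed dict-like)
    session. A real app would render the text as an image; it is returned here
    so the flow can be exercised without a browser."""
    alphabet = string.ascii_uppercase + string.digits
    solution = "".join(secrets.choice(alphabet) for _ in range(length))
    session[SESSION_KEY] = solution
    return solution


def verify_replayable(session: dict, answer: str) -> bool:
    """The weak pattern from the issue: the stored solution is compared but never
    cleared, so one known answer keeps passing until a new captcha is requested."""
    expected = session.get(SESSION_KEY)
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode(), answer.strip().upper().encode())


def verify_once(session: dict, answer: str) -> bool:
    """Hardened check: the stored solution is removed before the comparison, so
    every attempt, right or wrong, consumes it and the client must request a
    fresh captcha (and solve it again) before the next attempt."""
    expected = session.pop(SESSION_KEY, None)
    if expected is None:
        return False  # no outstanding challenge, nothing to answer
    return hmac.compare_digest(expected.encode(), answer.strip().upper().encode())
```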