easoncxz / twitanalysis

Dig your Twitter data
https://easoncxz.github.io/twitanalysis

Add ReCaptcha to the login button #13

Closed easoncxz closed 3 years ago

easoncxz commented 3 years ago

image

People are going to abuse this page and wipe out my OAuth-login request rate limits.

reCaptcha architecture

image

easoncxz commented 3 years ago

Visit the login page, and do the captcha:

image

Click submit, which I set up to send the POST request to an http-echo-server:

image

Copy the "response", and put it in a curl command, together with my secret key:

$ curl -i -X POST \
    -d 'secret=private-api-key&response=the-big-long-string-from-the-echoed-page' \
    https://www.google.com/recaptcha/api/siteverify

HTTP/2 200
content-type: application/json; charset=utf-8
date: Fri, 09 Oct 2020 23:03:11 GMT
expires: Fri, 09 Oct 2020 23:03:11 GMT
cache-control: private, max-age=0
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
content-security-policy: frame-ancestors 'self'
x-xss-protection: 1; mode=block
server: GSE
alt-svc: h3-Q050=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-27=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-T050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
accept-ranges: none
vary: Accept-Encoding

{
  "success": true,
  "challenge_ts": "2020-10-09T23:02:56Z",
  "hostname": "localhost"
}
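
Added example, not part of the original thread or the project's code: the manual curl check above done server-side in Python, sending the same `secret` and `response` fields to siteverify and failing closed unless `success`, `hostname` and `challenge_ts` all check out. The function names, the allowed-host set and the two-minute freshness window are assumptions of this example.

```python
import json
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"


def check_verdict(verdict, allowed_hosts, now, max_age=timedelta(minutes=2)):
    """Decide whether a parsed siteverify reply lets the login proceed; returns (ok, reason)."""
    if not isinstance(verdict, dict):
        return False, "malformed reply"
    if verdict.get("success") is not True:
        codes = verdict.get("error-codes") or ["unspecified"]
        return False, "rejected: " + ",".join(map(str, codes))
    # A captcha solved on some other host must not unlock this login button.
    if verdict.get("hostname") not in allowed_hosts:
        return False, "hostname mismatch"
    try:  # only the "...Z" form shown above is accepted; anything else fails closed
        solved = datetime.strptime(verdict["challenge_ts"], "%Y-%m-%dT%H:%M:%SZ")
    except (KeyError, TypeError, ValueError):
        return False, "bad challenge_ts"
    age = now - solved.replace(tzinfo=timezone.utc)
    if age < timedelta(0) or age > max_age:
        return False, "stale challenge"
    return True, "ok"


def verify_token(secret, token, allowed_hosts, timeout=5):
    """POST the captcha response submitted by the browser to siteverify, then apply the checks."""
    form = urllib.parse.urlencode({"secret": secret, "response": token}).encode()
    try:
        with urllib.request.urlopen(SITEVERIFY_URL, data=form, timeout=timeout) as resp:
            verdict = json.load(resp)
    except (OSError, ValueError):
        return False, "siteverify unavailable"  # network or JSON error: do not fail open
    return check_verdict(verdict, allowed_hosts, datetime.now(timezone.utc))


# The reply shown in the comment above, plus a constructed failure reply.
PAGE_REPLY = {"success": True, "challenge_ts": "2020-10-09T23:02:56Z", "hostname": "localhost"}
FAILED_REPLY = {"success": False, "error-codes": ["timeout-or-duplicate"]}
CURL_TIME = datetime(2020, 10, 9, 23, 3, 11, tzinfo=timezone.utc)  # the "date:" header above

if __name__ == "__main__":
    print(check_verdict(PAGE_REPLY, {"localhost"}, CURL_TIME))
    print(check_verdict(FAILED_REPLY, {"localhost"}, CURL_TIME))
```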

easoncxz commented 3 years ago

It's working now.

image

image

image

Failure flow:

image

image