
INTRODUCTION

I'm trying to make an API that solves RECAPTCHAs, but the token is only valid once and only for two minutes after it is generated, as explained here: official documentation recaptcha. So my question is the following: how are CAPTCHA solvers like 2captcha able to solve the captcha, get the token and then send it to you, and you are still able to use it?

WHAT I DO

Here are the steps I follow:

  1. I solve a RECAPTCHA on the following site recaptcha demo

  2. I get the token, for example 03AGdBq26i2ugKCS8sJVpYZqnHnQgqTr2vM_lmZF3XuinqdmD-bP9WbnxSF8R7zOiMvVwKQiOonrJVApECHGz2VAurRGQLIM5W7Jb6kl60-x-_F1Krk8HrXkGcS4WirrLQtBHpoi2wZB0HQ_Ok-2X2uOU5zUXc9xLO5QVWyp8TSx2RJCfT4flmfVk1NMPEHTWHCCHUAIicewKiZPokmmd2tnLamlo57FKpX1Fp2apad_pSsmlrphWC8O6tQGxkAjU_trEdg0xRTsmbRD3AkCuqdgqkxQFTsIYeqISkaXqc71HWy-L3AmK1hL8T6LZ3pLDfOyGDhyafSNMGqO5zePaAJMf7yvFnTlTlYe-fLwc3VXUkNQ67ML39hzXD2beW38aPLxtt7EovVFHmIBIbsAMAsR9qpQxqtPofTObj_5-oAwfQKuoO-rUg8ODCqLoORhqVQ_bkffvMHQWxXSLX7KtQ1tqpimD4tXFAz_3R_nX12UX_ngb27jBPKgpfkET4FcOFFSSWgr1PIpsAW_97QcYOTHc3tlziuiWL5Okim_7lFkZxBINK1H0pDUA

  3. I insert the token in another captcha on another browser, but on the same site recaptcha demo

  4. I get the following error

     POST data array ( 'ex-a' => 'foo', 'ex-b' => 'bar', 'g-recaptcha-response' => '03AGdBq246H-d9zX9ORfE9Zwo7kUKQc50pm7qCKrjuguuU2RXUvRYyxitgIEtNpuTSZqzMAGAYPMpTMRy-NMeftr0zpT3fdaBmVzM8hhGxJ_RxoCpJ-aHSyTdudVHZPYFPAmDftU8WqBApcIA7SLETGMWfKcvy0sugs48J7-CBbryPg4Ckd-tOQnP5pvyfu5ehhIkav4jaaGj6ToXSsVCa35iPy78csRYyXiexgaeyv-bLaCDaGpfb9RXwu2Xmkrlb7fiW-wbRTiYMOWAPm3mu1sMFIBQ9OULD9TxjJS_Gm8QI0S-1UXutya3z-IUPf_KydAXzpkLYStO0hz8wbGlWQ_5OlSuL0EsCCf87broPdVXvwil5U-BFIi55vSgdZ5bHDeYobBxEdV-RcvEYLK3hh19zyomWr3o-VaiS0_5TRVhYY74z1gNA3UpRvLDkLP50Nvbc-roKAps10NhrTQfoMedxMkgaMuwd6Y7zToFhBlT128b6Vir8zNWFucoB5mSdI0OpazuKT0okfln6Otx70NOQUkOxFqkEEsoJtYxxvwPSeOYq39dAqY5rfs8xkZ6ivgZEZDflUpYS', ) Something went wrong ReCaptcha\Response::__set_state(array( 'success' => false, 'errorCodes' => array ( 0 => 'timeout-or-duplicate', 1 => 'hostname-mismatch', ), 'hostname' => NULL, 'challengeTs' => NULL, 'apkPackageName' => NULL, 'score' => NULL, 'action' => NULL, )) Check the error code reference at https://developers.google.com/recaptcha/docs/verify#error-code-reference.
    

That means that the token has already been used once, as explained in official documentation recaptcha.

COMMENTS, OBSERVATIONS

  • So it must be that services like 2captcha can solve the RECAPTCHA without really submitting it, so the token doesn't get used
  • I tried to sniff the HTTP traffic while manually solving a RECAPTCHA on the site recaptcha demo (using Fiddler). I was surprised I didn't see HTTP traffic with the gcaptcha response (or token) apart from the POST request that I sent to the site. Is the gcaptcha response maybe created on the PC, client-side (like on my PC)?
  • If you want more details regarding the steps to solve the RECAPTCHA and to pass the token to the other browser, see my answer where I describe everything under the steps headline.
selenio34
  • Are you asking how are they able to not submit the form? They just don't submit the form. – pguardiario Jul 26 '21 at 06:04
  • Hi @pguardiario I'm asking how it is possible that they are able to get the g-captcha-response and at the same time not submitting the captcha, so that the token/g-captcha-response doesn't get used. Maybe I'm doing something wrong, but even if I solve the captcha, I can't get the token/g-captcha-response without submitting the captcha, and once I submit the captcha and I get the token, the token is obviously invalid. – selenio34 Jul 26 '21 at 17:46
  • The token comes from the google api when you solve it. Then it gets sent with the form to be validated on the backend. If you don't send it with the form, it will be valid for 2 minutes. – pguardiario Jul 27 '21 at 00:52
  • @pguardiario ok thanks, your comment made me search better for the token in the google dev console and now I know where to find it before submitting the form. I thought the token wasn't sent to you until you submit the form, but I was wrong. If you want to, put it as an answer so I can upvote you/mark it as the answer. – selenio34 Jul 27 '21 at 15:49

0 Answers
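
For the site operator's side of the behaviour discussed in this thread (single-use tokens, the two-minute window, and the `timeout-or-duplicate` / `hostname-mismatch` codes in step 4), the following is an added example, not code from the question or from the reCAPTCHA library. It evaluates an already-parsed siteverify response; the hostname `shop.example`, the sample responses, the replay cache, and the labels `verification-failed`, `challenge-too-old` and `replayed-locally` are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(minutes=2)  # token lifetime stated in the question

def evaluate(token, resp, expected_hostname, now, seen):
    """Return the reasons to reject a token; an empty list means accept.

    resp is the parsed JSON body of a siteverify reply; seen is a set of
    tokens this backend has already processed (hypothetical replay cache).
    """
    reasons = list(resp.get("error-codes", []))
    if not resp.get("success") and not reasons:
        reasons.append("verification-failed")
    # A failed reply carries no hostname, so this check fires as well,
    # which matches the pair of codes in the step 4 output.
    if resp.get("hostname") != expected_hostname:
        reasons.append("hostname-mismatch")
    ts = resp.get("challenge_ts")
    if ts is not None:
        solved = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        if now - solved > MAX_AGE:
            reasons.append("challenge-too-old")
    # Local single-use enforcement, independent of the verifier's answer.
    if token in seen:
        reasons.append("replayed-locally")
    seen.add(token)
    return reasons

# Constructed sample data (not captured from a real site).
NOW = datetime(2021, 7, 26, 6, 4, 30, tzinfo=timezone.utc)
FRESH = {"success": True, "hostname": "shop.example",
         "challenge_ts": "2021-07-26T06:04:00Z"}
REUSED = {"success": False, "error-codes": ["timeout-or-duplicate"]}
OTHER_SITE = dict(FRESH, hostname="other.example")

if __name__ == "__main__":
    seen = set()
    for name, tok, resp in [("fresh", "tok-A", FRESH),
                            ("reused", "tok-A", REUSED),
                            ("other site", "tok-B", OTHER_SITE)]:
        print(name, evaluate(tok, resp, "shop.example", NOW, seen))
```

Pinning the expected hostname and keeping a local record of processed tokens means a token solved elsewhere or presented twice is rejected even before the verifier's own answer is considered.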