2

I was trying to sign-up Twitter today and I noticed that their registration form does not have a captcha. The form URL is https://twitter.com/signup. I also noticed that they used an input like below.

<input name="authenticity_token" type="hidden" value="ce803cee65a96aaa97bdf75da166599c3adc9ec8" />

what kind of method is this?

Do they create a temp value in their database when a user access the registration form? and check it when a user submit the form?

Joel Coehoorn
  • 362,140
  • 107
  • 528
  • 764
Moon
  • 20,835
  • 65
  • 174
  • 263
  • It's called CSRF protection, and has nothing to do with captchas. We can mimic the user behavior and signup remotely by dispatching two consequent HTTP requests: Scraping the token from the former one's result and merging it with the POST data of the later. – sepehr Sep 01 '12 at 06:20

2 Answers2

3

authenticity_token is a feature of Ruby-on-Rails, in which Twitter is written.
See this question.

Community
  • 1
  • 1
Alex K.
  • 159,548
  • 29
  • 245
  • 267
2

I can't say for certain, but I do know that some people have used Javascript to do stuff dynamically, ie, set a hidden input to some random but expected value. This works off the assumption that most automated clients won't be parsing Javascript.

Matthew Scharley
  • 115,776
  • 51
  • 189
  • 215