2

I was trying to sign-up Twitter today and I noticed that their registration form does not have a captcha. The form URL is https://twitter.com/signup. I also noticed that they used an input like below.

<input name="authenticity_token" type="hidden" value="ce803cee65a96aaa97bdf75da166599c3adc9ec8" />

what kind of method is this?

Do they create a temp value in their database when a user access the registration form? and check it when a user submit the form?

Joel Coehoorn
  • 399,467
  • 113
  • 570
  • 794
Moon
  • 22,195
  • 68
  • 188
  • 269
  • It's called CSRF protection, and has nothing to do with captchas. We can mimic the user behavior and signup remotely by dispatching two consequent HTTP requests: Scraping the token from the former one's result and merging it with the POST data of the later. – sepehr Sep 01 '12 at 06:20

2 Answers2

3

authenticity_token is a feature of Ruby-on-Rails, in which Twitter is written.
See this question.

Community
  • 1
  • 1
Alex K.
  • 171,639
  • 30
  • 264
  • 288
2

I can't say for certain, but I do know that some people have used Javascript to do stuff dynamically, ie, set a hidden input to some random but expected value. This works off the assumption that most automated clients won't be parsing Javascript.

Matthew Scharley
  • 127,823
  • 52
  • 194
  • 222