2

I was trying to sign-up Twitter today and I noticed that their registration form does not have a captcha. The form URL is https://twitter.com/signup. I also noticed that they used an input like below.

<input name="authenticity_token" type="hidden" value="ce803cee65a96aaa97bdf75da166599c3adc9ec8" />

what kind of method is this?

Do they create a temp value in their database when a user access the registration form? and check it when a user submit the form?

Joel Coehoorn
  • 380,066
  • 110
  • 546
  • 781
Moon
  • 21,617
  • 67
  • 181
  • 267
  • It's called CSRF protection, and has nothing to do with captchas. We can mimic the user behavior and signup remotely by dispatching two consequent HTTP requests: Scraping the token from the former one's result and merging it with the POST data of the later. – sepehr Sep 01 '12 at 06:20

2 Answers2

3

authenticity_token is a feature of Ruby-on-Rails, in which Twitter is written.
See this question.

Community
  • 1
  • 1
Alex K.
  • 165,803
  • 30
  • 257
  • 277
2

I can't say for certain, but I do know that some people have used Javascript to do stuff dynamically, ie, set a hidden input to some random but expected value. This works off the assumption that most automated clients won't be parsing Javascript.

Matthew Scharley
  • 121,977
  • 51
  • 194
  • 218