user1351196 - 1 month ago 16
HTML Question

Is my HTML form at risk?

I have an HTML form that allows users to register for my website. I recently installed reCAPTCHA onto the webpage to stop automated registration. Today someone said they think your register is at risk of a CSRF attack. I'm not much of a coder or anything, I just run a few small websites, so I looked it up, but all the examples are for things such as website actions, but the only thing my form does is enter the input into the database. Is my form at risk?
If I am at risk, would a simple token stop this from happening?

I could not post the code here so the form code is at http://pastebin.com/rLxAAMFQ

Jon
Answer

If your server-side code always demands a valid CAPTCHA (which it should) then there is absolutely no risk here. The CAPTCHA serves double duty as an anti-CSRF token as well.

CSRF attacks revolve around the fact that the attacker knows ahead of time how to construct a request that will be deemed valid if sent by the victim. Obviously they cannot predict ahead of time what the captcha will be, otherwise we'd all be out in the streets killing spambots by now.
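An added example (not from the question's pastebin nor the answer) of the "simple token" the asker mentions, alongside the server-side captcha check the answer relies on. It is written in Python with an in-memory dictionary standing in for a real session store, and the captcha is modelled as a per-session expected answer held server-side, because a real reCAPTCHA verification call needs network access; both values are unpredictable to a third-party page, which is exactly why a forged registration request fails.

```python
import secrets
import hmac

# Constructed in-memory session store: session_id -> {"csrf": ..., "captcha": ...}
SESSIONS = {}


def new_session():
    """Start a session with a fresh CSRF token and a captcha answer the
    server remembers. Both are generated server-side and never predictable."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {
        "csrf": secrets.token_urlsafe(32),
        "captcha": secrets.token_hex(3),  # stands in for the real challenge answer
    }
    return sid


def render_register_form(sid):
    """Emit the hidden-field token with the form. An attacker's page can embed a
    form that posts here, but cannot read this value out of the victim's page."""
    token = SESSIONS[sid]["csrf"]
    return (
        '<form method="post" action="/register">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input name="username"><input name="captcha"></form>'
    )


def handle_register(sid, form):
    """Registration handler: reject unless BOTH the per-session token and the
    captcha answer match what the server issued. Comparisons are constant-time."""
    session = SESSIONS.get(sid)
    if session is None:
        return 403, "no session"
    if not hmac.compare_digest(form.get("csrf_token", ""), session["csrf"]):
        return 403, "csrf token mismatch"
    if not hmac.compare_digest(form.get("captcha", ""), session["captcha"]):
        return 400, "captcha failed"
    # One-time use: rotate the token so a captured request cannot be replayed.
    session["csrf"] = secrets.token_urlsafe(32)
    session["captcha"] = secrets.token_hex(3)
    return 200, "registered"
```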