Question
We're running Atomic Secured Linux, and it's been catching posts that are sending NULL bytes in the recaptcha_response_field. The posts in question are definitely spammy, but the only field that gets null bytes is "recaptcha_response_field". In particular, the following is present twice in the POST body:
recaptcha_response_field=%00%00%00%00%00%00%00%00
I'm wondering if this is a known attack against recaptcha, or otherwise a known method of compromising web servers. And if so, what it's intended to do.
Answer 1:
I don't think so, at least not at the reCAPTCHA backend. Google takes security seriously, especially with public services. So your reCAPTCHA implementation, which communicates with the Google backend, might be attackable, but I still don't think so.
Just try it. Log each attempt and you'll see if the NULL ones have succeeded.
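One way to do the logging the answer suggests, as an added example that is not part of the original thread: decode the POST body, flag any field whose decoded value contains NUL bytes, flag fields that appear more than once (as `recaptcha_response_field` did in the question), and refuse to forward a NUL-laden response to the verification step. The sample bodies are constructed; `inspect_post_body` and `sanitized_recaptcha_response` are hypothetical helper names.

```python
from urllib.parse import parse_qsl

# Constructed sample POST bodies (not taken from the original post): one ordinary
# submission, and one shaped like the request described in the question, where
# recaptcha_response_field=%00%00%00%00%00%00%00%00 appears twice.
SAMPLE_BODIES = {
    "normal": "name=alice&recaptcha_challenge_field=abc123"
              "&recaptcha_response_field=house+tree",
    "spammy": "name=x&recaptcha_response_field=%00%00%00%00%00%00%00%00"
              "&comment=buy+now&recaptcha_response_field=%00%00%00%00%00%00%00%00",
}


def inspect_post_body(body: str) -> dict:
    """Decode a urlencoded body and report NUL-carrying and repeated fields.

    parse_qsl decodes %00 to '\\x00', so the check runs on the value the
    application would actually see, not on the raw percent-encoding.
    """
    pairs = parse_qsl(body, keep_blank_values=True)
    counts = {}
    nul_fields = []
    for name, value in pairs:
        counts[name] = counts.get(name, 0) + 1
        if "\x00" in value and name not in nul_fields:
            nul_fields.append(name)
    duplicated = sorted(n for n, c in counts.items() if c > 1)
    return {
        "nul_fields": nul_fields,
        "duplicated": duplicated,
        "suspicious": bool(nul_fields or duplicated),
    }


def sanitized_recaptcha_response(body: str):
    """Return the recaptcha_response_field value to forward, or None to reject.

    Only the first occurrence is used, and a value containing NUL bytes is
    rejected outright rather than passed on to the verification request.
    """
    if "recaptcha_response_field" in inspect_post_body(body)["nul_fields"]:
        return None
    for name, value in parse_qsl(body, keep_blank_values=True):
        if name == "recaptcha_response_field":
            return value
    return None


def log_line(client_ip: str, body: str) -> str:
    """Format one attempt for the access log so NUL/duplicate cases stand out."""
    report = inspect_post_body(body)
    return (f"ip={client_ip} suspicious={report['suspicious']} "
            f"nul_fields={report['nul_fields']} duplicated={report['duplicated']}")
```

Write `log_line(...)` for every submission and compare against the verification outcome to see whether any NUL-laden attempt was ever accepted.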
Source: https://stackoverflow.com/questions/13123469/can-recaptcha-be-bypassed-by-sending-null-bytes