Turnstile / reCaptcha random token trigger OWASP


We have a simple Ajax call to our server with a Turnstile widget inside.

Randomly, generated tokens seem to generate false positives, triggering OWASP rules.

In our case, rule 949110 with the following OWASP Code Ruleset:

  • 920272
  • 920273
  • 920274
  • 933120
  • 942200
  • 942260
  • 942340
  • 942370
  • 942440
  • 942490
  • 942420
  • 942431
  • 942421
  • 942432

Ray ID : 84aeacba495f0dac

Same deal with Google reCaptcha, as it uses randomly generated tokens.

What’s the best way to handle this kind of FP? Our Paranoia level is, I think, at lvl-2.

It’s kind of counterintuitive to be blocked by our anti-bots system.

Thank you in advance for your analysis.

Best regards.

Ok small update.

We found a workaround that seems to be functional: simply replace triggered characters (could be _ or -, etc.) with some text, then “decode” the token and reconstruct it on the server before checking the validity of the reCaptcha.

This way OWASP is not triggered by the Turnstile / reCaptcha token.

Let me know if you have some insights on this case.


Best regards.
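
The workaround described in the update above, sketched as an added example that is not part of the original posts: the client rewrites the token so it contains only ASCII letters and digits, and the server strictly reverses that before checking the token's validity. The escape scheme (`Z` plus two hex digits), the function names, and the token alphabet and 2048-character limit are assumptions of this example.

```javascript
// Added example: reversible encoding of a captcha token for transport.
// Assumption: tokens only use [A-Za-z0-9._-] and are at most 2048 chars.
const TOKEN_RE = /^[A-Za-z0-9._-]{1,2048}$/;

// Client side: every character outside [A-Ya-z0-9] (including "Z" itself,
// which serves as the escape marker) becomes "Z" + two lowercase hex digits.
function encodeToken(token) {
  if (!TOKEN_RE.test(token)) throw new Error("unexpected token alphabet");
  return token.replace(/[^A-Ya-z0-9]/g, (ch) =>
    "Z" + ch.charCodeAt(0).toString(16).padStart(2, "0"));
}

// Server side: strict inverse. Returns the original token, or null when the
// input is malformed, so this field cannot be used to carry arbitrary
// content past the WAF.
function decodeToken(encoded) {
  if (typeof encoded !== "string" || encoded.length > 3 * 2048) return null;
  // Only plain characters or well-formed escapes are allowed.
  if (!/^(?:[A-Ya-z0-9]|Z[0-9a-f]{2})+$/.test(encoded)) return null;
  const token = encoded.replace(/Z([0-9a-f]{2})/g, (_, hex) =>
    String.fromCharCode(parseInt(hex, 16)));
  // Accept only the canonical encoding of a token in the expected alphabet:
  // "Z41" (a needlessly escaped "A") and "Z27" (a quote) are both rejected.
  if (!TOKEN_RE.test(token) || encodeToken(token) !== encoded) return null;
  return token;
}

// Constructed sample, not a real Turnstile or reCaptcha token.
const sampleToken = "0.aZ_b-c.9";
const wire = encodeToken(sampleToken);   // what the Ajax call sends
const restored = decodeToken(wire);      // what the server then verifies
console.log(wire, restored === sampleToken);
```

A `null` result from `decodeToken` should be treated as a failed captcha; only a restored token is passed on to the validity check.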
