
I have a web page with Google reCaptcha v3. It allows the user to input an ID number, click a button and request some results from the database. If a user inputs an ID number and clicks the button, then it generates one reCaptcha token.

An ethical hacker is requesting a LIST of ID numbers with just one token and implies to me that I should program my web page to prevent that.

How could I prevent or avoid, in my web page, a bot or hacker inputting a list of ID numbers using only one token? Honestly, I thought that was Google reCaptcha's job. Thanks.


Hello @jbeteta,


Welcome to Google Cloud Community!


Unfortunately, reCaptcha v3 doesn't interrupt users. As recommended, you can add reCaptcha v3 to multiple pages so the adaptive risk analysis engine can identify the pattern of attackers more accurately by looking at the activities on different pages of your website.


Since reCaptcha v3 returns a score, you can use this in three potential ways:
1. You can set a threshold to determine whether a user is let through or verification is needed, such as two-factor authentication or phone verification
2. Combine the score with your own signals that reCaptcha can't access like transaction history or user profile
3. Use the reCaptcha score as one of the signals to fight abuse


If this would not suffice, it would be best to contact support for reCaptcha Enterprise.
Additional info:
reCaptcha Help
reCaptcha v3 Developer site
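As an added example (not code from the answer above or from Google), here is a server-side check in Python that applies the answer's advice: verify the token with siteverify, apply a score threshold, check the action, and let each token pay for exactly one ID lookup so a single token cannot be replayed across a list. The action name, the 0.5 threshold and the in-memory spent-token store are assumptions; the siteverify endpoint and response fields are the real ones.

```python
import hashlib
import json
import time
import urllib.parse
import urllib.request
from typing import Dict, Optional, Tuple

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"  # real endpoint
MIN_SCORE = 0.5                # assumed threshold; tune per site
EXPECTED_ACTION = "lookup_id"  # assumed: the action name passed to grecaptcha.execute()
TOKEN_TTL_SECONDS = 120        # v3 tokens expire after two minutes

# Tokens already spent, keyed by SHA-256 of the token -> time first seen.
# Assumption: in production this lives in a shared store (e.g. Redis) with expiry.
_spent_tokens: Dict[str, float] = {}


def verify_with_google(token: str, secret: str, remote_ip: Optional[str] = None) -> dict:
    """Network call to siteverify; returns the JSON verdict. Not used by the offline test."""
    data = {"secret": secret, "response": token}
    if remote_ip:
        data["remoteip"] = remote_ip
    body = urllib.parse.urlencode(data).encode()
    with urllib.request.urlopen(SITEVERIFY_URL, data=body, timeout=5) as resp:
        return json.load(resp)


def consume_token(token: str, now: Optional[float] = None) -> bool:
    """True the first time a token is seen, False on any reuse within its lifetime."""
    now = time.time() if now is None else now
    for digest, seen in list(_spent_tokens.items()):  # drop entries older than the TTL
        if now - seen > TOKEN_TTL_SECONDS:
            del _spent_tokens[digest]
    digest = hashlib.sha256(token.encode()).hexdigest()
    if digest in _spent_tokens:
        return False
    _spent_tokens[digest] = now
    return True


def decide(assessment: dict, token: str, ids_requested: int,
           now: Optional[float] = None) -> Tuple[bool, str]:
    """Combine Google's verdict (`assessment` = siteverify JSON for `token`) with site rules."""
    if ids_requested != 1:
        return False, "one token allows exactly one ID lookup"
    if not assessment.get("success"):
        return False, "siteverify failed: " + ",".join(assessment.get("error-codes", []))
    if assessment.get("action") != EXPECTED_ACTION:
        return False, "token minted for a different action"
    if not consume_token(token, now):
        return False, "token already spent"
    if assessment.get("score", 0.0) < MIN_SCORE:
        return False, "low score; require step-up verification"
    return True, "ok"
```

Google's siteverify also rejects a token presented a second time (error code `timeout-or-duplicate`), so the local spent-token check is a defence in depth that saves the round trip and keeps the one-token-one-lookup rule enforceable even if the verification response is cached.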


Thanks for your answer

