Is the captcha wrongly implemented?

In a web application there is a form with a Google captcha. The form is used for user vinculation.
So, in order to allow the vinculation, the client needs to pass the captcha, but once the captcha is correct it is possible to intercept the request (this request doesn't have captcha information) and send it multiple times, modifying the data without any problem.

The question is, should the requests be rejected because they don't have captcha information, even though for the first request it was necessary to complete it?


Is the form a signup? You're binding a user to what? What did you mean when you said "vinculation"?

When you sent the data multiple times, did it create multiple resources on the client? (Or new users?)

The form is used for sending client information to the company; after the form is sent, they start a specific process with that client.

Sorry, with "vinculation" I tried to say a kind of enrolment process.

And every time I send the data, the web application responds with a message that says "the data are OK and the specific process will start", but I don't know and am not able to confirm whether that data was created in the company databases or not.

If they only check the captcha once, then it is a misconfiguration; it should ask for the captcha token for every request. You can report it and set the trust level as reasonable because you don't know if that data is truly saved in the DB.

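As an added illustration of the fix described in the reply above (example code written for this thread, not from either poster or from the application under test): the submission handler itself verifies a fresh reCAPTCHA token on every request, so a replayed copy of the form POST without a token is rejected before any data is stored. It assumes reCAPTCHA v2's real `g-recaptcha-response` form field and `siteverify` endpoint; the secret value, the `handle_enrollment` function and the injected `siteverify` callable are assumptions made here so the check can be exercised offline.

```python
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, Optional, Set, Tuple

# Google's real verification endpoint; the secret is a constructed placeholder.
SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"
RECAPTCHA_SECRET = "<your-recaptcha-secret-here>"


def google_siteverify(token: str, remote_ip: Optional[str] = None) -> Dict:
    """Network verifier: POSTs the user's token to Google's siteverify endpoint.
    Google itself marks a token as consumed after one successful check."""
    data = {"secret": RECAPTCHA_SECRET, "response": token}
    if remote_ip:
        data["remoteip"] = remote_ip
    body = urllib.parse.urlencode(data).encode()
    with urllib.request.urlopen(SITEVERIFY_URL, body, timeout=5) as resp:
        return json.load(resp)


def handle_enrollment(form: Dict[str, str],
                      siteverify: Callable[[str], Dict],
                      used_tokens: Set[str]) -> Tuple[int, str]:
    """Process one enrollment POST. Every request must carry its own captcha
    token; a missing, invalid or already-consumed token is rejected before any
    side effect. `siteverify` is injected (google_siteverify in production,
    a stub in tests); `used_tokens` is a local single-use cache as defence in
    depth on top of Google's own replay rejection."""
    token = form.get("g-recaptcha-response")
    if not token:
        return 400, "captcha token missing"          # the replayed request lands here
    if token in used_tokens:
        return 400, "captcha token already used"     # replay of a captured valid token
    result = siteverify(token)
    if not result.get("success"):
        return 400, "captcha verification failed"
    used_tokens.add(token)   # consume before storing, so a retry cannot reuse it
    # ... store the client data / start the enrolment process here ...
    return 200, "data OK, process will start"
```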