When adding the captcha component, a user could manipulate the captcha values as shown below. Could you please provide more input on how this could be avoided, so that the captcha value comes from the server instead of the UI value?
<sling:include path="<%= captchaPath %>" resourceType="foundation/components/form/captcha" replaceSelectors="captcha"/>
When the user enters data in the captcha input, the below is called for validation.
It then internally calls /libs/foundation/components/form/captcha/captchavalidation.png.jsp
Here we see that the user input is validated against the :cq:captchakey. Using browser techniques we could edit the value of the key, and then it validates only against that.
So the cq:captchakey can be manipulated, as it does not come from the server.
String captchakey = slingRequest.getParameter("id"); // This is the value coming from browser input if I am correct
String captchaUserValue=slingRequest.getParameter("captchaUserValue");
String captchacurrent = (Text.md5("" + (captchakey + mins))).substring(1, 6);
String captchaold = (Text.md5("" + (captchakey + minsold))).substring(1, 6);
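
Added example, not part of the original post and not Adobe's code: the check quoted above derives the expected value from the key and the time only, so nothing in it is secret. The sketch below puts that shape beside a keyed variant (HMAC-SHA256 with a server-held secret); the class and method names, the minute bucket standing in for `mins`, and the sample key are assumptions.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;

public class CaptchaCheck {
    // Assumption: a per-deployment secret held only on the server (generated here for the demo).
    private static final byte[] SERVER_SECRET = new byte[32];
    static { new SecureRandom().nextBytes(SERVER_SECRET); }

    static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }

    // Same shape as the check in the post: every input is known to the browser.
    static String unkeyedAnswer(String key, long bucket) throws Exception {
        byte[] d = MessageDigest.getInstance("MD5")
                .digest((key + bucket).getBytes(StandardCharsets.UTF_8));
        return hex(d).substring(1, 6);
    }

    // Hardened: the answer also depends on SERVER_SECRET, which never leaves the server.
    static String keyedAnswer(String key, long bucket) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(SERVER_SECRET, "HmacSHA256"));
        return hex(mac.doFinal((key + ":" + bucket).getBytes(StandardCharsets.UTF_8))).substring(1, 6);
    }

    // Accept the current and previous time bucket, as the original does; constant-time compare.
    static boolean validate(String key, String userValue, long bucket) throws Exception {
        if (key == null || userValue == null) return false;
        byte[] u = userValue.getBytes(StandardCharsets.UTF_8);
        boolean cur = MessageDigest.isEqual(u, keyedAnswer(key, bucket).getBytes(StandardCharsets.UTF_8));
        boolean old = MessageDigest.isEqual(u, keyedAnswer(key, bucket - 1).getBytes(StandardCharsets.UTF_8));
        return cur | old;
    }

    public static void main(String[] args) throws Exception {
        long bucket = System.currentTimeMillis() / 60000L; // assumed stand-in for "mins"
        String key = "12345678";                            // constructed sample captcha key
        // A value derived without the secret no longer validates (barring a chance 5-hex-char match).
        System.out.println("unkeyed value accepted: " + validate(key, unkeyedAnswer(key, bucket), bucket));
        System.out.println("keyed value accepted:   " + validate(key, keyedAnswer(key, bucket), bucket));
    }
}
```

Whatever renders the captcha image has to derive its text from the same keyed function, otherwise the image and the check disagree. A solved key stays valid for the accepted time window, so single-use enforcement needs server-side state in addition to this.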