Can Google Re-Captcha 2 prevent CSRF attacks?

A Cross-Site Request Forgery attack rides on the victim's session to submit malicious requests to a trusted site. The Cheat Sheet here describes CAPTCHA as a good way to prevent CSRF attacks.

As we know, Google Re-Captcha is effective in preventing bot spamming. After it has been clicked several times from the same location with the same IP address, it requires a human to solve a picture puzzle. Since the first few attempts are simply 'free', is it possible for a hacker to bypass it by initiating clicks on the Re-Captcha figure in the first few attempts?

Spiritless answered 16/9, 2015 at 3:54

As the OWASP cheat sheet mentions, CAPTCHAs can be used as a way to defeat CSRF.

However, you've got me thinking. Maybe if an attacker combined a Clickjacking attack on the Google Recaptcha2 widget with a follow-up CSRF attack on a page protected with Recaptcha2 for CSRF defense, then maybe this could work in the attacker's favour.

Update:

Having thought about this, the way that Recaptcha2 works is to return a value signed by a private key that can be checked server side. This requires the CAPTCHA displayed on the current form to be clicked, even if there's nothing to be solved. Therefore Recaptcha2 should defend against CSRF. However, make sure that your hosting page has protection from Clickjacking too.

Prehuman answered 16/9, 2015 at 14:18
Interesting. I had hoped that someone could give me a definite answer to my question, but you did bring out a potential issue. – Spiritless

Captcha stands for brute-force attacks, but yes, it prevents CSRF attacks as well. Since the attacker cannot KNOW what the correct captcha value is, it is impossible to fill the form with a valid captcha value.

Since usability is important, you just can NOT ask users to solve captchas on every single request. Therefore the csrf_token mechanism is used by default by frameworks.

Gemperle answered 16/9, 2015 at 12:59
I intend to use a Captcha for each of my forms with file uploads because I want to prevent spamming. Anyway, have you seen Google Recaptcha 2 in action? It does not require the user to solve a puzzle during the first few submissions. – Spiritless
"Captcha stands for brute-force attacks" – Can't agree, since we've made a brute-force automation to break it. – Toadinthehole
Spamming and CSRF are totally different issues. An attacker may run a spamming attack even if you implement CSRF protection. Also, Google Recaptcha does not require solving the captcha on the first visit because Google already knows some information about you. Try it in incognito mode, you will see. – Gemperle
But using the invisible recaptcha can make it user friendly, as the user does not need to solve recaptchas on every request. – Olds
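Added example (not from this thread, and not Google's own client library) of the server-side checks that Prehuman's answer relies on and that Gemperle's csrf_token point complements: the token the widget puts in g-recaptcha-response is posted to Google's siteverify endpoint, and the reply is accepted only if it is successful, fresh, and issued for our own hostname, which is what keeps a token obtained on another site's page (the clickjacking case) or one replayed from an earlier request from unlocking the form. The hostname example.com, the sample replies and the timestamps are constructed.

```python
import json
from datetime import datetime, timedelta, timezone

# Google's documented verification endpoint; the widget fills the form field g-recaptcha-response.
SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"
TOKEN_MAX_AGE = timedelta(minutes=2)  # a reCAPTCHA token expires about two minutes after the click

def build_siteverify_request(secret, token, remote_ip=None):
    """Form body to POST to SITEVERIFY_URL from the server; the secret never reaches the browser."""
    data = {"secret": secret, "response": token}
    if remote_ip:
        data["remoteip"] = remote_ip
    return SITEVERIFY_URL, data

def _parse_ts(value):
    # siteverify reports challenge_ts as ISO 8601 UTC, e.g. 2015-09-16T14:18:00Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_siteverify_reply(body, expected_hostname, now=None):
    """Return (ok, reason): does this siteverify reply prove a fresh click on OUR page?
    'success' alone is not enough; the hostname and age checks are what reject a token
    obtained on someone else's page or replayed from an earlier request."""
    reply = json.loads(body) if isinstance(body, str) else body
    now = _parse_ts(now) if isinstance(now, str) else (now or datetime.now(timezone.utc))
    if not reply.get("success"):
        # a re-used or expired token comes back as the error code 'timeout-or-duplicate'
        return False, "rejected: " + ",".join(reply.get("error-codes", ["unknown"]))
    if reply.get("hostname") != expected_hostname:
        return False, "hostname mismatch: %r" % reply.get("hostname")
    try:
        solved_at = _parse_ts(reply["challenge_ts"])
    except (KeyError, TypeError, ValueError):
        return False, "missing or malformed challenge_ts"
    if now - solved_at > TOKEN_MAX_AGE:
        return False, "stale token"
    return True, "ok"

def anti_clickjacking_headers():
    """Headers for the page hosting the form so no other site can frame it (or its widget)."""
    return {"X-Frame-Options": "DENY", "Content-Security-Policy": "frame-ancestors 'none'"}

# Constructed sample replies in the shape siteverify returns (not captured traffic).
GOOD_REPLY = {"success": True, "challenge_ts": "2015-09-16T14:18:00Z", "hostname": "example.com"}
REPLAYED_REPLY = {"success": False, "error-codes": ["timeout-or-duplicate"]}

if __name__ == "__main__":
    print(check_siteverify_reply(GOOD_REPLY, "example.com", now="2015-09-16T14:19:00Z"))  # (True, 'ok')
    print(check_siteverify_reply(GOOD_REPLY, "attacker.example", now="2015-09-16T14:19:00Z"))
    print(check_siteverify_reply(REPLAYED_REPLY, "example.com", now="2015-09-16T14:19:00Z"))
```

A CSRF token tied to the session should still be checked on the same request; the captcha proves a human clicked a widget for this hostname, not that the form was the one the user intended to submit.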

© 2022 - 2024 — McMap. All rights reserved.