Strategies and scenarios of CSRF attacks against the CAPTCHA forms

In this article, we’ve tried to examine the hypothesis of the robustness of a form by using CAPTCHA against CSRF and login CSRF attacks. Our investigations showed that unlike public opinion, common attacks to bypass CAPTCHAs such as Optical Character Recognition (OCR) and 3rd party human attacks are not applicable in the CSRF case and instead, Clickjacking is the most important scenario of CSRF and login CSRF attacks against a secure session-dependent CAPTCHA form. Remember that the Clickjacking is also applicable to bypass the well-known CSRF protections, such as the secret token and the Referer header. Therefore, although the frequent application of CAPTCHA on every page of a website negatively impacts the user experience, but the robustness of a robust session-dependent CAPTCHA against the CSRF and login CSRF attacks is almost the same as the session-dependent security token. Moreover, when a website is using a session-independent or week pattern of CAPTCHA, attackers can bypass the CAPTCHAs and launch the CSRF or login CSRF attacks by using XSS, session hijacking, replay attacks or submitting a random response.