What is missing or needs to be updated?
In the "User Interaction-Based CSRF Defense" section it is stated that CAPTCHA is one way to protect against CSRF and that it is a strong protection. While this might be true in some cases, that is not always the case. CAPTCHA is designed primarily to protect against online bots submitting bogus data to a site en masse. As such, even if it is designed in a way that would stop a CSRF attack, that would be more of a side effect than an achieved goal. There are implementations where the CAPTCHA validation is not tied to any user session and it is still a valid bot protection. The attacker could generate a valid challenge/response from anywhere.
How should this be resolved?
We should at least state that not all CAPTCHA implementations protect against CSRF, and even if they do, that protection might be broken in future updates, as its goal is different and providers of CAPTCHA do not take CSRF into consideration; all they want to make sure is that a human interaction has occurred. A determined attacker can potentially satisfy this requirement without having any access to the user session in some completely valid CAPTCHA implementations.
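To make the distinction concrete, here is an added simulation (my own example, not code from the issue author or from the OWASP cheat sheet) that models three server-side checks on a state-changing request: a CAPTCHA whose verification is not tied to any session, a CAPTCHA whose challenge id is bound to the session that requested it, and the synchronizer token pattern. The `Session`, `Request`, `SECRET`, and the HMAC-derived "solution" are constructed stand-ins for a real CAPTCHA provider and web framework. The key assumption being modelled is the one the issue describes: a cross-site page can obtain a validly solved challenge in its own context, but it cannot read the victim's session-bound challenge id or CSRF token.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed server secret for the simulation (not a real provider's key).
SECRET = b"constructed-server-secret"


@dataclass
class Session:
    """Server-side session; the browser sends its cookie on every request, cross-site or not."""
    sid: str
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))
    captcha_challenge_id: Optional[str] = None


@dataclass
class Request:
    session: Session          # resolved from the cookie the browser attached automatically
    form: Dict[str, str]      # body of the POST; a cross-site page controls this entirely


def issue_captcha_challenge(session: Optional[Session] = None):
    """Issue a challenge. The 'solution' is derived from the id with an HMAC so that
    verification is stateless: the server can check it from the id alone, which is exactly
    what lets a challenge solved anywhere pass. If a session is given, bind the id to it."""
    challenge_id = secrets.token_hex(8)
    solution = hmac.new(SECRET, challenge_id.encode(), hashlib.sha256).hexdigest()[:6]
    if session is not None:
        session.captcha_challenge_id = challenge_id
    return challenge_id, solution


def captcha_valid(challenge_id: str, solution: str) -> bool:
    expected = hmac.new(SECRET, challenge_id.encode(), hashlib.sha256).hexdigest()[:6]
    return hmac.compare_digest(expected, solution)


def handler_captcha_only(req: Request) -> int:
    """Defence 1: CAPTCHA alone, verification not tied to the session (bot protection only)."""
    if not captcha_valid(req.form.get("challenge_id", ""), req.form.get("solution", "")):
        return 403
    return 200


def handler_session_bound_captcha(req: Request) -> int:
    """Defence 2: the challenge must be the one issued to THIS session, and is single-use."""
    cid = req.form.get("challenge_id", "")
    if req.session.captcha_challenge_id is None or cid != req.session.captcha_challenge_id:
        return 403
    if not captcha_valid(cid, req.form.get("solution", "")):
        return 403
    req.session.captcha_challenge_id = None  # consume it
    return 200


def handler_synchronizer_token(req: Request) -> int:
    """Defence 3: synchronizer token pattern, token compared against the session's copy."""
    if not hmac.compare_digest(req.form.get("csrf_token", ""), req.session.csrf_token):
        return 403
    return 200


def simulate() -> Dict[str, Dict[str, int]]:
    """Run a legitimate and a cross-site request through each defence with fresh state."""
    handlers = {
        "captcha_only": handler_captcha_only,
        "session_bound_captcha": handler_session_bound_captcha,
        "synchronizer_token": handler_synchronizer_token,
    }
    results = {}
    for name, handler in handlers.items():
        victim = Session(sid="constructed-sid", user="victim")
        # Legitimate: the victim's own page solved the challenge issued to its session
        # and carries the token that page rendered.
        cid, sol = issue_captcha_challenge(victim)
        legit = Request(victim, {"challenge_id": cid, "solution": sol,
                                 "csrf_token": victim.csrf_token})
        # Cross-site: the request still rides on the victim's cookie, but the form was built
        # elsewhere. It can only carry a challenge solved with no victim session at all,
        # and has no way to read the victim's bound challenge id or csrf_token.
        other_cid, other_sol = issue_captcha_challenge()
        cross_site = Request(victim, {"challenge_id": other_cid, "solution": other_sol})
        results[name] = {"legit": handler(legit), "cross_site": handler(cross_site)}
    return results


if __name__ == "__main__":
    for name, outcome in simulate().items():
        print(f"{name:22s} legit={outcome['legit']} cross_site={outcome['cross_site']}")
```

Running it shows the point of the issue: the session-agnostic CAPTCHA accepts both requests, because "a human solved a challenge" says nothing about which session the solution belongs to, while the session-bound variant and the synchronizer token reject the cross-site request. The practical check when reviewing a CAPTCHA integration as a CSRF control is therefore whether the provider's verification response is compared against something the server stored in the user's session, not merely whether the verification succeeded.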