OWASP / CheatSheetSeries

The OWASP Cheat Sheet Series was created to provide a concise collection of high value information on specific application security topics.
https://cheatsheetseries.owasp.org
Creative Commons Attribution Share Alike 4.0 International

Update: [Cross-Site_Request_Forgery_Prevention_Cheat_Sheet] #1333

Closed todorm85 closed 4 months ago

todorm85 commented 4 months ago

What is missing or needs to be updated?

In the "User Interaction-Based CSRF Defense" section it is stated that CAPTCHA is one way to protect against CSRF and that it is a strong protection. While this might be true in some cases, that is not always the case. CAPTCHA is designed primarily to protect against online bots submitting bogus data to a site en masse. As such, even if it is designed in a way that would stop a CSRF attack, that would be more of a side effect than an achieved goal. There are implementations where the CAPTCHA validation is not tied to any user session, and it is still a valid bot protection. The attacker could generate a valid challenge/response from wherever.

How should this be resolved?

We should at least state that not all CAPTCHA implementations protect against CSRF and even if they do, that protection might be broken in future updates as its goal is different and providers of CAPTCHA do not take CSRF into consideration, all they want to make sure is that a human interaction has occurred. A determined attacker can potentially satisfy this requirement without having any access to the user session in some completely valid CAPTCHA implementations.
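To make the distinction the issue draws concrete, here is an added illustration (not code from the issue, the cheat sheet, or any CAPTCHA provider) of a state-changing endpoint gated only by a CAPTCHA check, with a verifier that accepts any solved challenge beside one that accepts only the challenge issued to the caller's session; the in-memory stores, function names and sample user are constructed for the example.

```python
import hmac
import secrets

# Constructed in-memory stores standing in for a server's session store and
# CAPTCHA backend (illustrative only, not any real provider's API).
SESSIONS = {}   # session_id -> {"user": str, "email": str, "captcha_id": str|None}
CAPTCHAS = {}   # captcha_id -> expected answer (stands in for the image text)

def login(user, email):
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "email": email, "captcha_id": None}
    return sid

def issue_captcha(session_id=None):
    """Create a challenge; if a session is given, record which challenge it got."""
    cid, answer = secrets.token_hex(8), secrets.token_hex(3)
    CAPTCHAS[cid] = answer
    if session_id is not None:
        SESSIONS[session_id]["captcha_id"] = cid
    return cid, answer

def verify_unbound(captcha_id, response):
    """Weak: any unused (id, answer) pair is accepted, whoever solved it."""
    expected = CAPTCHAS.pop(captcha_id, None)
    return expected is not None and hmac.compare_digest(expected, response)

def verify_session_bound(session_id, captcha_id, response):
    """Hardened: only the challenge issued to this very session is accepted."""
    sess = SESSIONS.get(session_id)
    if sess is None or sess["captcha_id"] is None or sess["captcha_id"] != captcha_id:
        return False
    sess["captcha_id"] = None  # single use
    return verify_unbound(captcha_id, response)

def change_email(session_id, new_email, captcha_id, response, session_bound):
    """State-changing endpoint gated only by the CAPTCHA, in either verification mode."""
    ok = (verify_session_bound(session_id, captcha_id, response) if session_bound
          else verify_unbound(captcha_id, response))
    if ok:
        SESSIONS[session_id]["email"] = new_email
    return ok

def forged_request_accepted(session_bound):
    """CSRF scenario: victim is logged in; a challenge solved outside the victim's
    session is submitted together with the victim's session cookie."""
    victim = login("alice", "alice@example.com")
    cid, answer = issue_captcha()  # solved with no access to the victim's session
    return change_email(victim, "attacker@example.com", cid, answer, session_bound)
```

With the unbound verifier the forged request goes through, so the CAPTCHA adds bot resistance but no CSRF protection; binding the challenge to the session turns it into a synchronizer-token check, which is the property the defense actually relies on.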

jmanico commented 4 months ago

AGREED

mackowski commented 4 months ago

agree, @todorm85 do you want to make a PR that fixes this

todorm85 commented 4 months ago

Yes, I will make a PR