Tags: security, csrf, csrf-protection, recaptcha

Can Google Re-Captcha 2 prevent CSRF attacks?


A Cross-Site Request Forgery attack rides on the victim's session to submit malicious requests to a trusted site. The Cheat Sheet here describes CAPTCHA as a good way to prevent CSRF attacks.

As we know, Google Re-Captcha is effective in preventing bot spamming. After it has been clicked several times at the location with the same IP address, it requires a human to solve a picture puzzle. Since the first few attempts are simply 'free', is it possible for a hacker to bypass it by initiating clicks on the Re-Captcha figure during the first few attempts?



Solution

As the OWASP cheat sheet mentions, CAPTCHAs can be used as a way to defeat CSRF.

However, you've got me thinking. Maybe if an attacker combined a Clickjacking attack on the Google Recaptcha2 widget with a follow-up from a CSRF attack on a page protected with Recaptcha2 for CSRF defense, then maybe this could work to the attacker's favour.

Update:

Having thought about this, the way that Recaptcha2 works is to return a value signed by a private key that can be checked server side. This requires the CAPTCHA displayed on the current form to be clicked, even if there's nothing to be solved. Therefore Recaptcha2 should defend against CSRF. However, make sure that your hosting page has protection from Clickjacking too.
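As an added example (not code from the question or the answer above), here is the server-side half of what the answer describes: the form's `g-recaptcha-response` token is posted to Google's siteverify endpoint and only accepted if it verifies and was solved on our own hostname, and the hosting page sends the anti-clickjacking headers the answer recommends. The function names, the injectable `post` hook, the `shop.example` hostname and the canned `fake_siteverify` responses are assumptions constructed so the check runs offline.

```python
import json
import urllib.parse
import urllib.request

# Real reCAPTCHA v2 verification endpoint; the token from the form is posted here.
SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"

def _http_post(url, data):
    # Default transport: a real HTTPS POST, decoded as JSON.
    body = urllib.parse.urlencode(data).encode()
    with urllib.request.urlopen(url, body, timeout=10) as resp:
        return json.load(resp)

def verify_recaptcha(token, secret, expected_hostname, remote_ip=None, post=_http_post):
    """Return (accepted, reason). `post` is injectable so the check runs offline in tests."""
    if not token:
        return False, "missing g-recaptcha-response"
    data = {"secret": secret, "response": token}
    if remote_ip:
        data["remoteip"] = remote_ip
    result = post(SITEVERIFY_URL, data)
    if not result.get("success"):
        # Google reports an expired or already-consumed token as 'timeout-or-duplicate',
        # so a token that was captured once cannot be replayed inside a forged request.
        return False, ",".join(result.get("error-codes", ["unknown"]))
    # Reject tokens solved on a page we do not own (e.g. a copy of the widget elsewhere).
    if result.get("hostname") != expected_hostname:
        return False, "hostname mismatch: %r" % result.get("hostname")
    return True, "ok"

def clickjacking_headers():
    """Response headers for the page hosting the widget, so it cannot be framed."""
    return {"X-Frame-Options": "DENY",
            "Content-Security-Policy": "frame-ancestors 'none'"}

# Constructed stand-in for siteverify (assumption for offline use): three canned outcomes.
def fake_siteverify(url, data):
    canned = {
        "fresh-token": {"success": True, "hostname": "shop.example"},
        "foreign-token": {"success": True, "hostname": "attacker.example"},
    }
    return canned.get(data["response"],
                      {"success": False, "error-codes": ["timeout-or-duplicate"]})

if __name__ == "__main__":
    for tok in ("fresh-token", "foreign-token", "replayed-token", ""):
        print(repr(tok), verify_recaptcha(tok, "SECRET", "shop.example", post=fake_siteverify))
    print(clickjacking_headers())
```

Only the first token is accepted; a token solved on another hostname, a replayed token, and a missing token are all rejected with a reason the server can log.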