Strategies and scenarios of CSRF attacks against the CAPTCHA forms

  • Authors

    • Hossein Moradi
    • Hossein Kardan Moghaddam Faculty Member of Birjand University of Technology Birjand, Iran
    2015-01-14
    https://doi.org/10.14419/jacst.v4i1.3935
  • CAPTCHA, CSRF, HTTPS, CSRF Attacks.
  • In this article, we’ve tried to examine the hypothesis of the robustness of a form by using CAPTCHA against CSRF and login CSRF attacks. Our investigations showed that unlike public opinion, common attacks to bypass CAPTCHAs such as Optical Character Recognition (OCR) and 3rd party human attacks are not applicable in the CSRF case and instead, Clickjacking is the most important scenario of CSRF and login CSRF attacks against a secure session-dependent CAPTCHA form. Remember that the Clickjacking is also applicable to bypass the well-known CSRF protections, such as the secret token and the Referer header. Therefore, although the frequent application of CAPTCHA on every page of a website negatively impacts the user experience, but the robustness of a robust session-dependent CAPTCHA against the CSRF and login CSRF attacks is almost the same as the session-dependent security token. Moreover, when a website is using a session-independent or week pattern of CAPTCHA, attackers can bypass the CAPTCHAs and launch the CSRF or login CSRF attacks by using XSS, session hijacking, replay attacks or submitting a random response.

  • References

    1. [1] OWASP, "OWASP Top 10-2013: The ten most critical web application security risks," OWASP open community, 2013.

      [2] Barth, A., et al., "Robust defenses for cross-site request forgery," in Proceedings of the 15th ACM conference on Computer and communications security, Chicago, pp. 75–88, 2008. http://dx.doi.org/10.1145/1455770.1455782.

      [3] Blatz, J., "CSRF: Attack and Defense White Paper," McAfee Inc, 2011.

      [4] Li, X., Yuan, X., "A Survey on Server-side Approaches to Securing Web Applications," ACM Computing Surveys, Vol. 46, No. 4, 2014. http://dx.doi.org/10.1145/2541315.

      [5] Chen, B., et al., "A Study of the Effectiveness of CSRFGuard," presented at the IEEE International Conference on Privacy, Security, Risk, and Trust, and IEEE International Conference on Social Computing, 2011.

      [6] Cheng, C., Paulina, M., "Protecting Web-based Applications," NATIONAL UNIVERSITY OF SINGAPORE, SCHOOL OF COMPUTING, 2013.

      [7] Xing, L., et al., "A client-based and server-enhanced defense mechanism for cross-site request forgery," Recent Advances in Intrusion Detection, Springer Berlin Heidelberg, pp. 484–485, 2010.

      [8] OWASP, "Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet." OWASP open community, December 2013, https://www.owasp.org/index.php/ Cross-Site_Request_Forgery(CSRF) Prevention_Cheat_Sheet.

      [9] Homakov, "Why captcha is not a CSRF protection." GitHub Website, November 2014, https://gist.github.com/homakov/5607607 .

      [10] Captcha.net, "Applications of CAPTCHAs" captcha.net website, January 2014, http://www.captcha.net .

      [11] Truong, H. D., C. F. Turner, and C. C. Zou, "iCAPTCHA: the next generation of CAPTCHA designed to defend against 3rd party human attacks," presented at the IEEE International Conference on Communications (ICC), pp. 1–6, 2011.

      [12] Stackexchange, "can a csrf captcha be defeated." Stackexchange website, November 2014, http://security.stackexchange.com/questions/11768/can-a-csrf-captcha-be-defeated .

      [13] Commander, A., "Captcha as CSRF protection." Slacker’s website, November 2014, http://sla.ckers.org/forum/read.php?4,24090.

      [14] Alex, "Exploiting CSRF Protected XSS." Alex's Corner Weblog, April 2014, http://kuza55.blogspot.com/2008/02/exploiting-csrf-protected-xss.html .

      [15] Ramisetty, R., "Heuristics For Preventing Cross Site Request Forgery Attacks," Msc Thesis, National Institute Of Technology Karnataka, 2009.

      [16] Wikimedia, "Wikimedia Traffic Analysis Report – Browsers e.a." Wikimedia Website, November 2014, http://stats.wikimedia.org/archive/squid_reports/2013-06/SquidReportClients.htm .

      [17] Amit, Y., et al., "Patent: Thwarting cross-site request forgery (csrf) and Clickjacking attacks," U.S. Patent US20110321168 A128-Jun-2010, November 2014, http://www.google.com/patents/US20110321168 .

      [18] Amrutkar, C., et al., "On the Disparity of Display Security in Mobile and Traditional Web Browsers Technical Report," Library of Georgia Institute of Technology, April 2014, https://smartech.gatech.edu/bitstream/handle/1853/36978/GT-CS-11-02.pdf?sequence=3 .

      [19] OWASP, "Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet." OWASP open community, April 2014, https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet .

      [20] HP, "Cross-site request forgery: are your web applications vulnerable? Whitepaper," HP Company, 2007.

      [21] Adrián, "XSS killed the anti-CSRF star." Security et alii website, April 2014, http://securityetalii.es/2013/01/23/ xss-killed-the-anti-csrf-star

      [22] OWASP, "Clickjacking Defense Cheat Sheet," OWASP open community, July 2014, https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet#Defending_with_X-Frame-Options_Response_Headers .

  • Downloads

  • How to Cite

    Moradi, H., & Moghaddam, H. K. (2015). Strategies and scenarios of CSRF attacks against the CAPTCHA forms. Journal of Advanced Computer Science & Technology, 4(1), 15-22. https://doi.org/10.14419/jacst.v4i1.3935