{"title":"Strategies and scenarios of CSRF attacks against the CAPTCHA forms","authors":"Hossein Moradi, Hossein Kardan Moghaddam","doi":"10.14419/JACST.V4I1.3935","journal":{"name":"Journal of Advanced Computer Science and Technology","volume":"44 5","pages":"0"},"publicationDate":"2015-01-14","publicationTypes":"Journal Article","isOpenAccess":false,"citationCount":"4","platform":"Semanticscholar","ListUrlMain":"https://doi.org/10.14419/JACST.V4I1.3935"}
Citations: 4
Abstract
In this article, we have tried to examine the hypothesis that a form protected by a CAPTCHA is robust against CSRF and login CSRF attacks. Our investigations showed that, contrary to popular belief, common attacks used to bypass CAPTCHAs, such as Optical Character Recognition (OCR) and third-party human attacks, are not applicable in the CSRF case; instead, Clickjacking is the most important scenario for CSRF and login CSRF attacks against a secure session-dependent CAPTCHA form. Note that Clickjacking can also be used to bypass the well-known CSRF protections, such as the secret token and the Referer header. Therefore, although frequent use of CAPTCHA on every page of a website negatively impacts the user experience, the robustness of a robust session-dependent CAPTCHA against CSRF and login CSRF attacks is almost the same as that of a session-dependent security token. Moreover, when a website uses a session-independent or weak CAPTCHA pattern, attackers can bypass the CAPTCHAs and launch CSRF or login CSRF attacks by using XSS, session hijacking, replay attacks or submitting a random response.