13

I have some questions regarding CAPTCHA and AntiForgeryToken:

  1. Do I need to use a CAPTCHA if I am using AntiForgeryToken in an MVC application?
  2. Does AntiForgeryToken prevent automated form submission?
  3. Can I use AntiForgeryToken as an alternative to captcha?
Twix
  • 233
  • 2
  • 6
  • Tried this one? Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet – digsrafik Sep 01 '14 at 07:58

3 Answers

15

To answer a bit more explicitly:

Do I need to use a CAPTCHA if I am using AntiForgeryToken in an MVC application?

If automated submissions are a problem then yes.

Does AntiForgeryToken prevent automated form submission?

No. A CSRF token basically ensures that a user visited a page (e.g. the one which contains the form) before another action takes place (e.g. that form being submitted). A bot could easily obtain a valid token to submit a form.

Can I use AntiForgeryToken as an alternative to captcha?

No. Arguably a CAPTCHA might be able to replace a CSRF token, but a CAPTCHA probably isn't practical on every form which needs CSRF protection (e.g. one in an admin panel).

thexacre
  • 8,444
  • 3
  • 24
  • 35
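To make the point in this answer concrete, here is an added example (not from the original post, and not ASP.NET's own implementation) of a simplified synchronizer-token check: the server binds a random nonce to the session with an HMAC, and on POST verifies that the submitted token was issued to that same session. The scenarios at the bottom show that a cross-site forged request fails, while any client that first fetched the form (browser or script) passes; the token proves "this session was served the form", not "a human is submitting it". `SERVER_KEY`, the session ids and the field name usage are assumptions constructed for the demo.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed per-process secret; a real deployment keeps this out of source.
SERVER_KEY = secrets.token_bytes(32)

def _mac(session_id: str, nonce: str) -> str:
    msg = f"{session_id}:{nonce}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def issue_token(session_id: str) -> str:
    """Synchronizer token: fresh nonce plus an HMAC binding it to the session."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_id, nonce)}"

def verify_token(session_id: str, token: Optional[str]) -> bool:
    """True only if the token was issued for this session and is untampered."""
    if not token or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    return hmac.compare_digest(mac, _mac(session_id, nonce))

def render_form(session_id: str) -> Dict[str, str]:
    """GET /transfer: the page embeds the token in a hidden field."""
    return {"__RequestVerificationToken": issue_token(session_id)}

def handle_post(session_id: str, form: Dict[str, str]) -> int:
    """POST /transfer: 403 unless the form carries a token bound to this session."""
    if not verify_token(session_id, form.get("__RequestVerificationToken")):
        return 403
    return 200

def forged_cross_site_post() -> int:
    # Attacker's page cannot read the victim's form, so the hidden field is absent.
    return handle_post("victim-session", {"amount": "100"})

def scripted_client_post() -> int:
    # An automated client with its own session simply fetches the form first.
    form = render_form("bot-session")
    form["amount"] = "100"
    return handle_post("bot-session", form)

if __name__ == "__main__":
    print("forged cross-site request:", forged_cross_site_post())   # 403
    print("scripted fetch-then-post:", scripted_client_post())       # 200
```

The second scenario is exactly why a CSRF token is not an anti-automation control; only a CAPTCHA (or rate limiting, account checks, etc.) addresses that.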
5

Do I need to use a CAPTCHA if I am using AntiForgeryToken in an MVC application?

A CAPTCHA is a type of challenge-response test used in computing to determine whether or not the user is human. (...) CAPTCHAs are used to prevent bots from using various types of computing services or collecting certain types of sensitive information. - Wikipedia

Cross-Site Request Forgery (CSRF) is a type of attack that occurs when a malicious Web site, email, blog, instant message, or program causes a user’s Web browser to perform an unwanted action on a trusted site for which the user is currently authenticated. - OWASP

As you've read, they are both completely different aspects of security. And both CAPTCHAs and CSRF prevention can be bad for the user experience if not implemented right (browser usability issues, hard to solve CAPTCHAs, etc).

With that being said, I think I've answered all your questions with this. I suggest you check out the sources I've linked to. It will eliminate most, if not all, (further) questions you might have regarding this topic.

Kid Diamond
  • 377
  • 3
  • 13
1

Here are the answers: 1. Yes 2. No 3. No

A CAPTCHA does cover a missing CSRF token, but it doesn't work the other way around, so wherever you need to protect against automation, use a CAPTCHA.

Shpend
  • 11
  • 1