Are both csrf tokens and captcha needed?
Can someone confirm this: do I need to provide both a CSRF token and a Captcha in a submission form, or do the two more or less serve the same function (one can be used instead of the other)?
A captcha can be used instead of a CSRF token. This is covered in the OWASP CSRF Prevention Guide. A Captcha is considered to be a stronger form of CSRF prevention than a token or referer check because it is more difficult to bypass with XSS - but still possible. That holds so long as the captcha cannot be replayed by a different browser than the one that loaded it.
Any SOP bypass may be used to read the Captcha's challenge-response and feed it to an attacker to solve in order to complete the request. Even in this attack scenario, a CSRF token wouldn't help you, and a Captcha is still more difficult to exploit but not impossible.
Yup I was wrong. Both captcha and token are session-bound.
However I still see not much sense in this question.
You cannot use CAPTCHA for every form on the site. It will drive users crazy and away.
Thus, why not have a token for every form by default and CAPTCHA for selected ones?
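The two answers above both hinge on the same property: a CSRF token and a captcha answer only protect a form when the server binds them to the session that loaded the form, so a value lifted from one browser cannot be replayed from another. The following is an added illustration, not code from either answer or from OWASP; it assumes an in-memory dictionary as a stand-in for a server-side session store and a constructed captcha answer in place of a real captcha generator.

```python
import hmac
import secrets

# Constructed stand-in for a server-side session store (assumption: a real app
# would use its own session backend). Maps session id -> per-session state.
SESSIONS: dict = {}


def new_session() -> str:
    """Create a session and return its id (would normally go in a cookie)."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"csrf": None, "captcha": None}
    return sid


def issue_csrf_token(sid: str) -> str:
    """Synchronizer token: unpredictable, stored server-side, bound to this session."""
    token = secrets.token_urlsafe(32)
    SESSIONS[sid]["csrf"] = token
    return token


def issue_captcha(sid: str, expected_answer: str) -> None:
    """Record the captcha answer against the session that loaded the challenge.
    The answer here is a constructed value; generating the image is out of scope."""
    SESSIONS[sid]["captcha"] = expected_answer


def validate_submission(sid: str, csrf_token: str, captcha_answer: str) -> bool:
    """Accept only if both values match state bound to *this* session.
    Both are single-use: they are consumed on the first validation attempt,
    so a captured value cannot be replayed even from the same session."""
    state = SESSIONS.get(sid)
    if state is None:
        return False
    expected_csrf, expected_captcha = state["csrf"], state["captcha"]
    state["csrf"] = None
    state["captcha"] = None
    if expected_csrf is None or expected_captcha is None:
        return False
    # Constant-time comparison on bytes so timing does not leak the values.
    ok_csrf = hmac.compare_digest(expected_csrf.encode(), csrf_token.encode())
    ok_captcha = hmac.compare_digest(
        expected_captcha.strip().lower().encode(),
        captcha_answer.strip().lower().encode(),
    )
    return ok_csrf and ok_captcha
```

A request carrying the victim's token and captcha answer but arriving under a different session id fails, which is the replay case the first answer describes.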
The above suggests the answer is "no".
But in reading about CSRF tokens compared to CAPTCHA it's worth looking into this, which says:
"CAPTCHA does not prevent cross-site request forgery (CSRF)":
https://blog.detectify.com/2017/12/06/captcha-csrf/