Lack of protection in the login forms, including captchas can lead to various attacks. And not only to Brute Force Attack (WASC-11), which is a known as vulnerability in the forms of authentication, but for many other attacks aimed at vulnerabilities of site or web application. I have many years of opportunities to meet such attacks at different sites and engine.
If from a Brute Force attack it can be protected using a captcha, as well as other methods (to restrict access by IP or block your account for some time), in the case of other vulnerabilities occur with remote or automated attacks the use of captchas is very important.
And since the captcha is rarely used in login forms, then this problem is very common on the Internet. On sites where there are no vulnerabilities in admin part or user accounts it can do without captchas (for example, I do not use a captcha at login in form, because for me it is not actual), but for sites with internal vulnerabilities it is very important.
Millions of web sites, cursors and many different devices with a web interface (such as routers, modems, etc.) are now vulnerable to these attacks.
Lack of protection against automated login (captcha) can be used:
- For the Brute Force attack.
- To conduct Login Enumeration attacks – in the presence of Abuse of Functionality vulnerabilities in login forms, as in MyBB.
- To conduct XSS attacks - in the presence of XSS vulnerabilities in MyBB.
- For the Redirector attacks - in the presence of URL Redirector Abuse vulnerabilities in MyBB.
- To conduct CSRF attacks, including the various devices (including modems).
- To conduct phishing attacks, when the user account detailes are stolen and immediately going login into his account (for example, to steal money from the account).
- For the SQL Injection attacks with common SQLi or blind SQLi vulnerability in the user accounts, and exploit must log in and get data from database
- For the RCE attacks, when authorization is required for remote command execution. In this case the captcha will complicate the life during the operation of these vulnerabilities.
- To conduct Arbitrary File Upload Attack - through relevant vulnerabilities in user's account, such as of WordPress.
- For the Abuse of Functionality attacks - through various AoF vulnerabilities in the user’s accounts, such as those that allow spam.
So if any of the vulnerabilities (except Brute Force, that can be corrected by other methods) captcha in login form can be necessary - whether as principal or as an additional protection. That is so especially if certain vulnerabilities cannot be corrected, as in the case of AoF, when they are an important functional site.