-
Type:
Bug
-
Resolution: Done
-
Priority:
High
-
Affects Version/s: 3.4.0
-
AMRIT Sprint 48, AMRIT Sprint 49
-
Platform
-
UAT
A Captcha Missing vulnerability was identified in https://uatamrit.piramalswasthya.org/aam/#/login. The application does not implement CAPTCHA or equivalent bot protection, allowing automated scripts to submit requests without restriction.
| Vulnerability Name | Vulnerable Point, Port or Parameter | CVE/CWE | CVSS Score | Overall Risk (Severity) |
Mapping with OWASP Testing Checklist | Observation / Description | Impact | Recommendation | Reference | Steps to reproduce |
| Captcha Missing | https://uatamrit.piramalswasthya.org/aam/#/login | CWE-307 | 3.1 | Low | OWASP Configuration and Deploy Management Testing | The absence of CAPTCHA allows automated bots to freely submit login attempts. This increases the risk of brute-force attacks, credential stuffing, and denial-of-service, as there is no challenge to differentiate between human and automated logins. | Enables attackers to guess or retry passwords at scale, leading to potential account compromise. Increases the risk of service disruption due to automated login floods. |
Implement CAPTCHA (such as reCAPTCHA) on login forms to prevent automated access attempts. Combine CAPTCHA with rate limiting, MFA, and monitoring to enhance overall authentication security. |
https://owasp.org/www-project-automated-threats-to-web-applications/assets/oats/EN/OAT-009_CAPTCHA_Defeat | Step 1: the security assessment, it was observed that the login page was missing a CAPTCHA mechanism to verify human users. |
