Bug #86 (closed)
Parent: Feature #65: Security Audit
[Security Audit] 21 - Insufficient Anti-Automation
0%
Description
21 - Insufficient Anti-Automation
CWE: CWE-799
Description:
Insufficient anti-automation occurs when a web site permits an attacker to automate a
process that should only be performed manually. Functionality such as login should be
protected against automated, high-volume requests.
Affected Path(s):
https://earogya.satragroup.in/login (applicable to the entire application)
Impact:
Attackers could repeatedly exercise web site functionality in an attempt to exploit or
defraud the system. An automated robot could execute thousands of requests a minute,
causing loss of performance or denial of service.
Recommendation:
It is recommended to implement a CAPTCHA on the login functionality. A CAPTCHA should be
treated as a rate-limiting protection only, not as a complete defence. If it is implemented,
the following considerations should be taken into account:
- No CAPTCHA information (except the image itself) should be stored on the client side.
- The client should have no control over the CAPTCHA content. CAPTCHA images should
  always be randomly generated, without giving the client an opportunity to perform image
  preprocessing, segmentation and classification.
- CAPTCHA images should not be reused.
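As an added illustration of the recommendation above (example code written for this finding, not code from the audit or from the audited application), the following Python sketch shows a server-side login rate limiter that demands a CAPTCHA only after repeated attempts from the same source, plus a challenge store that generates the expected answer on the server, sends the client nothing but an opaque challenge id, and accepts each challenge at most once. All names and thresholds (LoginRateLimiter, CaptchaStore, handle_login, the 5-attempt and 60-second values) are assumptions chosen for the example; the image rendering step and the real password check are left to the application.

```python
import secrets
import time
from collections import deque

# Added example, not the audited application's code. It shows the two controls the
# finding asks for: a server-side rate limiter on the login endpoint and a CAPTCHA
# whose expected answer is generated and kept on the server only.

WINDOW_SECONDS = 60        # sliding window in which login attempts are counted (assumed)
FREE_ATTEMPTS = 5          # attempts allowed per window before a CAPTCHA is demanded (assumed)
CAPTCHA_TTL_SECONDS = 120  # lifetime of an issued challenge (assumed)
CAPTCHA_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # no look-alike characters


class LoginRateLimiter:
    """Counts login attempts per key (client IP or account name) in a sliding window."""

    def __init__(self, window=WINDOW_SECONDS, free_attempts=FREE_ATTEMPTS, clock=time.monotonic):
        self.window = window
        self.free_attempts = free_attempts
        self.clock = clock                   # injectable so tests can move time forward
        self._attempts = {}                  # key -> deque of attempt timestamps

    def _prune(self, key):
        """Drop attempts that fell out of the window and return the live deque."""
        now = self.clock()
        q = self._attempts.setdefault(key, deque())
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def record(self, key):
        """Register one attempt and return how many fall inside the current window."""
        q = self._prune(key)
        q.append(self.clock())
        return len(q)

    def captcha_required(self, key):
        return len(self._prune(key)) >= self.free_attempts


class CaptchaStore:
    """Issues single-use challenges; only an opaque id ever reaches the client."""

    def __init__(self, ttl=CAPTCHA_TTL_SECONDS, clock=time.monotonic):
        self.ttl = ttl
        self.clock = clock
        self._pending = {}                   # challenge_id -> (expected answer, expiry time)

    def issue(self):
        """Create a fresh random challenge. The answer is returned here only so the caller
        can render it into an image; the HTTP response must carry the image and the id,
        never the answer text or any hash of it."""
        answer = "".join(secrets.choice(CAPTCHA_ALPHABET) for _ in range(6))
        challenge_id = secrets.token_urlsafe(16)
        self._pending[challenge_id] = (answer, self.clock() + self.ttl)
        return challenge_id, answer

    def verify(self, challenge_id, submitted):
        """Check one submission. The challenge is removed on first use, right or wrong,
        so a solved or guessed image cannot be replayed (no reuse)."""
        entry = self._pending.pop(challenge_id, None)
        if entry is None:                    # unknown id: the client cannot mint its own
            return False
        answer, expiry = entry
        if self.clock() > expiry:
            return False
        expected = answer.encode()
        given = submitted.strip().upper().encode()
        return secrets.compare_digest(expected, given)


def handle_login(limiter, captchas, key, credentials_ok, challenge_id=None, captcha_answer=None):
    """Login decision for one request. `credentials_ok` stands in for the real password check.
    Returns one of: 'ok', 'bad_credentials', 'captcha_required', 'captcha_failed'."""
    if limiter.captcha_required(key):
        if challenge_id is None:
            return "captcha_required"        # client must fetch a challenge via CaptchaStore.issue()
        if not captchas.verify(challenge_id, captcha_answer or ""):
            return "captcha_failed"
    limiter.record(key)                      # count every attempt, successful or not
    return "ok" if credentials_ok else "bad_credentials"


if __name__ == "__main__":
    limiter, captchas = LoginRateLimiter(), CaptchaStore()
    for _ in range(FREE_ATTEMPTS):
        print(handle_login(limiter, captchas, "203.0.113.7", False))   # bad_credentials, five times
    print(handle_login(limiter, captchas, "203.0.113.7", True))        # captcha_required
    cid, answer = captchas.issue()
    print(handle_login(limiter, captchas, "203.0.113.7", True, cid, answer))  # ok
```

The limiter keys on whatever the application can attribute a request to (source address, account name, or both); keying on the account as well stops a distributed attacker from resetting the counter by rotating addresses. Because `verify` pops the challenge before comparing, a wrong answer burns the challenge and the client must request a new image, which is what makes the CAPTCHA act as a rate limit rather than a puzzle that can be retried indefinitely.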
Evidence/Proof of Concept:
Step 1: CAPTCHA is not implemented for the application, as shown below.
Files