Vulnerability - Insufficient Anti Automation


This vulnerability is related to the SmartIT/DWP applications, where an unlimited number of comments can be added to a request.

Steps to reproduce:

1. Access the URL https://myit/dwp/app/#/events/details

2. Fill in all the details and intercept the request with an intercepting proxy.

3. Send the same request multiple times.

4. It was observed that multiple comments were submitted successfully.

Vulnerability Description:

It was observed that insufficient anti-automation occurs when a web application permits an attacker to automate a process that was originally designed to be performed only manually, i.e. by a human web user.

Implications / Consequences of not Fixing the Issue:

An adversary could fill the database with bogus data; an attacker could also potentially execute thousands of requests a minute, causing a potential loss of performance or service.

Suggested Countermeasures:

It is recommended to implement CAPTCHA. A common practice for protecting against automation attacks is the implementation of CAPTCHA mechanisms in web applications. CAPTCHA stands for "Completely Automated Public Turing test to Tell Computers and Humans Apart".

Common CAPTCHA mechanisms include:

- Distorted text inside images, where the user has to type the text
- Simple math questions such as: "How much is 2+2?"
- Audio CAPTCHA, where the user has to type the word that is played
- Common sense questions such as: "What is the capital city of Australia?"

It is worth noting that some common CAPTCHA implementations have been proven to be insecure and/or breakable, for example:

- Insecure design and/or implementation of CAPTCHA mechanisms (replay attacks, reverse engineering, etc.)
- Solving image-based CAPTCHA using OCR techniques
- Solving audio-based CAPTCHA using sound analysis
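The steps to reproduce above rely on two things the server does not check: that a captured comment request can be replayed as-is, and that a single user can post comments far faster than a person would. CAPTCHA addresses the second point, but a server-side guard is what actually enforces it, and it also closes the replay gap the CAPTCHA section warns about. The following is an added example written for this page, not BMC's or the SmartIT/DWP code base: it models a comment-submission endpoint with a single-use submission token issued alongside the form, plus a per-user sliding-window rate limit. The class, method and parameter names (CommentGuard, issue_token, submit, max_per_window, window_seconds) and the user ids and limits in the two scenarios are all constructed for illustration; it goes slightly beyond the report by showing the rate limit recovering once the window expires.

```python
import secrets
import time
from collections import deque


class CommentGuard:
    """Server-side guard for a comment-submission endpoint (added example, not
    the product's own code).

    Two independent controls:
      * a single-use submission token issued with the form, so a request
        captured in a proxy cannot simply be sent again;
      * a per-user sliding-window rate limit, so even with a fresh token per
        request a user cannot post faster than a human plausibly would.
    """

    def __init__(self, max_per_window=5, window_seconds=60.0, clock=time.monotonic):
        self.max_per_window = max_per_window   # constructed default, tune per deployment
        self.window_seconds = window_seconds
        self.clock = clock                     # injectable so scenarios can control time
        self._tokens = {}      # token -> user_id it was issued to
        self._history = {}     # user_id -> deque of accepted-submission timestamps

    def issue_token(self, user_id):
        """Called when the comment form is rendered; the token goes in a hidden field."""
        token = secrets.token_urlsafe(32)
        self._tokens[token] = user_id
        return token

    def submit(self, user_id, token, text):
        """Validate one submission. Returns (accepted, reason)."""
        # 1. Replay check: token must exist, belong to this user, and be unused.
        if self._tokens.get(token) != user_id:
            return False, "invalid or already-used submission token"
        # 2. Rate check, evaluated before consuming the token so a rejected
        #    attempt does not burn a legitimate user's open form.
        now = self.clock()
        window = self._history.setdefault(user_id, deque())
        while window and now - window[0] >= self.window_seconds:
            window.popleft()               # drop timestamps outside the window
        if len(window) >= self.max_per_window:
            return False, "rate limit exceeded"
        # Both checks passed: consume the token and record the submission.
        del self._tokens[token]
        window.append(now)
        return True, "accepted"


def replay_scenario():
    """Constructed scenario mirroring the report: one captured request replayed five times."""
    t = [0.0]
    guard = CommentGuard(max_per_window=3, window_seconds=60.0, clock=lambda: t[0])
    token = guard.issue_token("alice")
    # Only the first copy is accepted; every replay fails the token check.
    return [guard.submit("alice", token, "hello")[0] for _ in range(5)]


def burst_scenario():
    """Fresh token per request (form fetched each time) still hits the rate limit."""
    t = [0.0]
    guard = CommentGuard(max_per_window=3, window_seconds=60.0, clock=lambda: t[0])
    results = []
    for _ in range(5):
        tok = guard.issue_token("bob")
        results.append(guard.submit("bob", tok, "spam")[0])
        t[0] += 1.0                        # one request per second
    t[0] += 60.0                           # let the window expire
    tok = guard.issue_token("bob")
    results.append(guard.submit("bob", tok, "later")[0])
    return results


if __name__ == "__main__":
    print("replay:", replay_scenario())   # [True, False, False, False, False]
    print("burst: ", burst_scenario())    # [True, True, True, False, False, True]
```

In a real deployment the token and history stores would live in a shared cache rather than in-process dictionaries, and the rate limit would be applied per account and per source address; the point the two scenarios make is that the replay described in the report is rejected by the token check alone, while the rate limit covers an attacker who fetches a fresh form for every request.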
