CAPTCHA bypass in login form via EXCLUDE_CAPTCHA parameter
ManageEngine ADSelfService Plus
Krzysztof Andrusiak and Marcin Ogorzelski
Users can bypass the CAPTCHA check in the login form by adding the EXCLUDE_CAPTCHA parameter to the login request, which could enable brute-force attacks against user credentials.
- Enable the "Show CAPTCHA on Login Page every time" option in the ADSSP settings.
- Set up an intercepting proxy (e.g. Burp Suite).
- Go to the login page and enter a valid username and password. In the CAPTCHA field, enter any value.
- Intercept the HTTP POST request sent when the login form is submitted and add the EXCLUDE_CAPTCHA=true parameter to the request body.
- Send the modified request to the server. The user will be logged in despite having provided a wrong CAPTCHA value.
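The root cause described above is a general anti-pattern: a request parameter supplied by the client is allowed to switch off a server-side control. The following Python example is added here as an illustration and is not ManageEngine's code; the login handler, the session and config dictionaries, the demo credential store and the sample requests are all hypothetical and constructed for this example. It places a handler that trusts an EXCLUDE_CAPTCHA form field next to a hardened one that decides purely from server-side state, and runs the same bypass request against both.

```python
"""Client-controlled 'skip CAPTCHA' flag: vulnerable vs. hardened login handler.

Hypothetical illustration for the advisory above; NOT the vendor's code.
Handlers, session/config shapes, credentials and requests are constructed.
"""
import hmac
import secrets

# Constructed demo credential store (hypothetical).
USERS = {"alice": "correct-horse"}


def password_ok(username: str, password: str) -> bool:
    """Constant-time comparison against the demo store."""
    expected = USERS.get(username)
    return expected is not None and hmac.compare_digest(expected, password)


def captcha_ok(session: dict, answer: str) -> bool:
    """A CAPTCHA answer is valid only if it matches the value stored
    server-side for this session; it is consumed so it cannot be replayed."""
    expected = session.pop("captcha_answer", None)
    return expected is not None and hmac.compare_digest(expected, answer)


def login_vulnerable(form: dict, session: dict, config: dict) -> bool:
    """Vulnerable pattern: the client can switch the CAPTCHA check off by
    sending EXCLUDE_CAPTCHA=true, mirroring the bypass in the advisory."""
    skip = form.get("EXCLUDE_CAPTCHA", "false").lower() == "true"
    if config["captcha_on_login"] and not skip:
        if not captcha_ok(session, form.get("captcha", "")):
            return False
    return password_ok(form.get("username", ""), form.get("password", ""))


def login_fixed(form: dict, session: dict, config: dict) -> bool:
    """Hardened pattern: whether a CAPTCHA is required is decided only from
    server-side state (config and session). Nothing in the request body can
    remove the check; unexpected parameters are simply ignored."""
    if config["captcha_on_login"] or session.get("captcha_required", False):
        if not captcha_ok(session, form.get("captcha", "")):
            return False
    return password_ok(form.get("username", ""), form.get("password", ""))


def new_session() -> dict:
    """Issue a fresh session holding a server-side CAPTCHA answer (constructed)."""
    return {"captcha_answer": secrets.token_hex(3)}


def demo() -> dict:
    """Run the bypass request and two control cases against both handlers."""
    config = {"captcha_on_login": True}
    results = {}

    # 1. Correct password, wrong CAPTCHA, plus the EXCLUDE_CAPTCHA flag.
    bypass = {"username": "alice", "password": "correct-horse",
              "captcha": "garbage", "EXCLUDE_CAPTCHA": "true"}
    results["vulnerable_bypass"] = login_vulnerable(dict(bypass), new_session(), config)
    results["fixed_bypass"] = login_fixed(dict(bypass), new_session(), config)

    # 2. A legitimate login with the right CAPTCHA still works when hardened.
    s = new_session()
    good = {"username": "alice", "password": "correct-horse",
            "captcha": s["captcha_answer"]}
    results["fixed_legit"] = login_fixed(good, s, config)

    # 3. A wrong password never succeeds, CAPTCHA or not.
    s = new_session()
    bad = {"username": "alice", "password": "nope", "captcha": s["captcha_answer"]}
    results["fixed_bad_password"] = login_fixed(bad, s, config)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {'LOGGED IN' if outcome else 'rejected'}")
```

Running the script shows the same request logging in against the vulnerable handler and being rejected by the hardened one, while a genuine CAPTCHA answer still passes. The design point is that the CAPTCHA requirement lives in configuration and session state the client cannot write to; on the detection side, a POST to the login form carrying an EXCLUDE_CAPTCHA field is itself a useful indicator in web-server logs, since a legitimate browser form never sends it.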
- 17-03-2021 - Vulnerability reported to vendor
- 18-03-2021 - First response from vendor
- 08-05-2021 - Fixed version released
- 30-08-2021 - Public disclosure
- 21-02-2022 - PoC release