Summary: It is possible to craft a simple request that causes high CPU/bandwidth consumption on the server by abusing the captcha servlet.
Description: By sending a specially crafted request and changing the height/width parameters in the captcha form, it is possible to consume a large amount of CPU/memory and bandwidth.
By sending a width of 21800 and a height of 4800, the server responded after a few seconds with a payload of 318k. When increasing the height to 48000, the server responded after about 15 seconds with a payload of 3M.
Testing was stopped in order to prevent a full denial of service on the website, but it seems that there is no limit, and with a couple of requests we could easily deny service to the servlet and maybe even the whole server.
(Add details for how we can reproduce the issue)
In the scope of testing I saw that denial of service is out of scope. This attack is more application-level and doesn't use distributed denial-of-service methods, and I think it is important for you to fix this although it is not in scope.
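The fix for this class of issue is to bound the client-supplied dimensions before any image is rendered. The following is an added example, not the vendor's servlet code; the limits (MIN_SIDE, MAX_WIDTH, MAX_HEIGHT, MAX_PIXELS) and the parameter names "width"/"height" are assumptions to be tuned to the real captcha layout.

```java
/** Bounded width/height parsing for an image-generating endpoint (added example). */
public final class CaptchaDimensions {
    // Assumed limits: a captcha never legitimately needs more than a small image.
    static final int MIN_SIDE = 20;
    static final int MAX_WIDTH = 400;
    static final int MAX_HEIGHT = 150;
    static final long MAX_PIXELS = 60_000L;   // total pixel budget per request
    static final int DEFAULT_WIDTH = 200;
    static final int DEFAULT_HEIGHT = 60;

    public final int width;
    public final int height;

    private CaptchaDimensions(int w, int h) { width = w; height = h; }

    /** Parses one dimension; a missing parameter yields the default, anything else must be in range. */
    static int parseSide(String raw, int dflt, int max) {
        if (raw == null || raw.trim().isEmpty()) return dflt;
        int v;
        try {
            v = Integer.parseInt(raw.trim());
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException("dimension is not an integer");
        }
        if (v < MIN_SIDE || v > max) throw new IllegalArgumentException("dimension out of range");
        return v;
    }

    /** Validates width and height together so the product (memory and bandwidth) is bounded too. */
    public static CaptchaDimensions fromParams(String widthParam, String heightParam) {
        int w = parseSide(widthParam, DEFAULT_WIDTH, MAX_WIDTH);
        int h = parseSide(heightParam, DEFAULT_HEIGHT, MAX_HEIGHT);
        if ((long) w * h > MAX_PIXELS) throw new IllegalArgumentException("pixel budget exceeded");
        return new CaptchaDimensions(w, h);
    }

    public static void main(String[] args) {
        // In a servlet: fromParams(req.getParameter("width"), req.getParameter("height")),
        // answering 400 Bad Request on IllegalArgumentException instead of rendering.
        String[][] cases = { {"200", "60"}, {"21800", "4800"}, {"abc", "60"}, {null, null} };
        for (String[] c : cases) {
            try {
                CaptchaDimensions d = fromParams(c[0], c[1]);
                System.out.println("accepted " + d.width + "x" + d.height);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected " + c[0] + "x" + c[1] + ": " + e.getMessage());
            }
        }
    }
}
```

Rejecting before allocation matters: the oversized request should cost the server a parameter parse and a 400, not a multi-second render.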