Forum Discussion
JWhitesPro_1928
Jan 26, 2016
Cirrostratus
OTP can be bypassed by refreshing on the OTP prompt page
Has anyone run into this issue?
On 11.6HF6
If you're at a step in your access policy of prompting for an OTP and the user just refreshes the browser, it bypasses everything else in the polic...
JWhitesPro_1928
Cirrostratus
I think it may be a bug... as I said, it doesn't happen on mobile devices -- and in the logs I see this right before it goes on to allow the user through even though they typed nothing in.
modules/Authentication/OTP/OTPVerifyAgent.cpp func: "getOTPVerifyUserInput()" line: 149 Msg: 64d04990: OTP_VERIFY Agent: getOTPVerifyUserInput(): unable to decrypt user password due to invalid ciphertext
JWhitesPro_1928
Jan 26, 2016
Cirrostratus
It may be something specific to the steps I have. I just created a very basic new policy and wasn't able to reproduce right away. I will message you the .