Forum Discussion

JWhitesPro_1928

Cirrostratus

Jan 26, 2016

OTP can be bypassed by refreshing on the OTP prompt page..

Has anyone ran into this issue? On 11.6HF6 If you're at a step in your access policy of prompting for a OTP and the user just refreshes the browser, it bypasses everything else in the polic...

BIG-IP Access Policy Manager (APM)

security

JWhitesPro_1928

Cirrostratus

The 'failure' on the "Prompt for passcode" was purely for troubleshooting.

JWhitesPro_1928

Cirrostratus

Jan 26, 2016

I see that. I have that set so that the http-auth form pulls the correct field for clickatell...perhaps I can rename it...either way though on the variable assign before the "Prompt for Passcode" I just added session.logon.last.password and set it to something manually there and tried it again with the same result...it's strange that it doesn't do this on mobile devices or when i change that password field type....let me run through it a few more times.

Recent Discussions

Under Attack? F5 Will Help You.
Contacting F5 Support?

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

Forum Discussion

OTP can be bypassed by refreshing on the OTP prompt page..

Recent Discussions

iRule to Force Source IP to Specific Backend Node

Do Active and Standby L4 Devices Both Send RST on TCP Health Check Failure?

Upgrade to 'BIGIP-15.1.0.5-0.0.8 (Could not access configuration source; sda, 1)

Upgrade F5 BIGIP

F5 Switches in 'Changes Pending' Status

Related Content

AI Security : Prompt Injection and Insecure Output Handling.

Bypass certificate check

MSM Bypass

Bypass WAF for X-forwarder IP in XC

F5 APM with OIDC Web Duo Prompt

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS