JWhitesPro_1928
Jan 26, 2016 Cirrostratus
OTP can be bypassed by refreshing on the OTP prompt page
Has anyone run into this issue?
On 11.6HF6
If you're at a step in your access policy of prompting for an OTP and the user just refreshes the browser, it bypasses everything else in the polic...
Lucas_Thompson_
Jan 26, 2016 Historic F5 Account
There is one more thing to consider here.
All of the "Auth" Policy Items expect that the password will be in an encrypted format. The Logon Page inputs can be "text" or "password". If you set it to "text", then the variable is set up to be unencrypted. If you set it to "password", then it's encrypted. The "Invalid Ciphertext" error message happens when whatever session variable that the Policy Item was trying to interrogate was NOT encrypted or was empty. If it was plaintext, the error would be produced.