JWhitesPro_1928
Jan 26, 2016 (Cirrostratus)
OTP can be bypassed by refreshing on the OTP prompt page
Has anyone run into this issue?
On 11.6HF6
If you're at a step in your access policy of prompting for an OTP and the user just refreshes the browser, it bypasses everything else in the polic...
Seth_Cooper
Feb 01, 2016 (Employee)
I believe I see the issue... In the SMS Macro you have a variable assign that sets session.logon.last.password to session.user.opt.pw, so when you get to the logon page "Prompt for Password" the value is set. Hitting refresh will make the logic run, and since the password session var has the OTP in it, you will pass. If you remove the password from that variable assign, do you have the same issues?