OWASP / wstg

The Web Security Testing Guide is a comprehensive Open Source guide to testing the security of web applications and web services.
https://owasp.org/www-project-web-security-testing-guide/
Creative Commons Attribution Share Alike 4.0 International

Add potential MFA bypass for OIDC with custom authentication flows #1134

Closed rbsec closed 7 months ago

rbsec commented 7 months ago

I ran into this the other week - essentially a complete bypass of the MFA by changing the authentication flow that I was using to a default one that didn't require MFA.
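As an added example (not code from the issue or from the WSTG project), here is a relying-party-side check that refuses a login unless the ID token itself attests that the MFA flow ran, instead of trusting the flow the application asked the provider for. The `acr` URI is a constructed placeholder for whatever the OpenID Provider documents for its MFA flow, the `amr` method names are the registered values from RFC 8176, and signature, issuer, audience and expiry validation of the token is assumed to have been done already by the OIDC library before this step.

```python
import base64
import json
from typing import Mapping, Sequence

# Constructed placeholder: the acr value the provider returns when its MFA
# flow was used. Real deployments take this from the provider's documentation.
MFA_ACR = "urn:example:acr:mfa"
# amr values (RFC 8176) that count as a second factor next to a password.
SECOND_FACTORS = {"otp", "hwk", "swk", "sms"}


def decode_jwt_payload(id_token: str) -> dict:
    """Return the claim set of a compact JWT. Signature/iss/aud/exp checks
    are assumed to have been done by the OIDC library before calling this."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def amr_shows_mfa(amr: Sequence[str]) -> bool:
    """True if the amr claim independently proves a multi-factor login."""
    methods = set(amr)
    if "mfa" in methods:
        return True
    return "pwd" in methods and bool(methods & SECOND_FACTORS)


def mfa_enforced(claims: Mapping, required_acr: str = MFA_ACR) -> bool:
    """Accept the login only if the provider attests that MFA happened.

    The acr the application *requested* is irrelevant: if the user was
    authenticated by another flow (for example the provider's default one)
    the token carries that flow's acr, and the login must be rejected unless
    amr shows MFA anyway."""
    if claims.get("acr") == required_acr:
        return True
    return amr_shows_mfa(claims.get("amr", []))


def sample_token(claims: dict) -> str:
    """Constructed sample input only: header and payload with a dummy
    signature segment, so the decoder can be exercised offline."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.dummysig"
```

Treating the token's own `acr`/`amr` as the source of truth is what closes the gap described above: a session is opened only when the provider says the second factor was presented.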