Santandersecurityresearch / asvs

A simple web app that helps developers understand the ASVS requirements.
MIT License

MFA Setup Bypass #54

Closed cameo-myob closed 3 years ago

cameo-myob commented 3 years ago

Hey team,

First of all - love the effort you've put in here. I've found a slight bug in the setup for MFA. When creating a new user and you reach the MFA prompt, there are no other buttons on the screen and no way to get out of setting it up.

If you click Submit Verification Code without entering a valid code, the page refreshes and the menu appears at the top. You can then bypass setting up MFA by just clicking out of the screen (by clicking on Projects or similar).

I've attached some screenshots to demonstrate.

danielcuthbert commented 3 years ago

Hello. Thank you, this is indeed a bug, thank you for catching this. We are on it!

danielcuthbert commented 3 years ago

all fixed @cameo-myob with https://github.com/Santandersecurityresearch/asvs/commit/4e84f3abd03485fe755738f435cc98d07c37d962

Thanks for reporting this, appreciate it :)
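
The report above describes an enrolment step that was enforced only by what the page rendered. As an added example (not the project's code and not the contents of the linked commit), here is a server-side gate that keeps an authenticated but unenrolled session on the MFA routes regardless of the UI; the route names, `Session` class and function names are hypothetical, and the code value is constructed.

```python
from dataclasses import dataclass
import hmac

# Routes reachable before MFA enrolment completes (assumed names).
ALLOWED_BEFORE_MFA = {"/mfa/setup", "/mfa/verify", "/logout"}
MFA_SETUP_PATH = "/mfa/setup"


@dataclass
class Session:
    authenticated: bool = False
    mfa_enrolled: bool = False  # set only after a code has been verified


def gate(session, path):
    """Decide, before any view runs, how to answer a request.

    Returns (status, location); (200, None) means the request may proceed.
    """
    if not session.authenticated:
        return (200, None) if path == "/login" else (302, "/login")
    if session.mfa_enrolled or path in ALLOWED_BEFORE_MFA:
        return (200, None)
    # Authenticated but not enrolled: every other route goes back to setup,
    # whatever menu or links the last response happened to render.
    return (302, MFA_SETUP_PATH)


def submit_code(session, code, expected):
    """Mark enrolment complete only on a valid code.

    A failed attempt leaves the session state untouched.
    """
    if code and hmac.compare_digest(code.encode(), expected.encode()):
        session.mfa_enrolled = True
    return session.mfa_enrolled


def replay_reported_flow():
    """Constructed replay of the sequence in the report."""
    expected = "492817"  # constructed sample code
    s = Session(authenticated=True)
    steps = [gate(s, "/mfa/setup")]      # new user lands on the MFA prompt
    submit_code(s, "", expected)         # submit without a valid code
    steps.append(gate(s, "/projects"))   # click away to Projects
    submit_code(s, expected, expected)   # complete enrolment properly
    steps.append(gate(s, "/projects"))
    return steps
```
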