
how to restrict bypassing of authentication


Hi experts,

We have second-factor authentication in our portal product. By using the hacking tool Burp Suite I'm able to capture the response and request coming from the server.

Case 1: The user has primary authentication with user name and password, and secondary authentication with an OTP sent to his mobile. After entering this OTP, he can log in to the portal. Now at the end stage I'm getting an authenticated response from the server as shown below:

HTTP/1.1 302 Found
content-type: text/plain
set-cookie: MYSAPSSO2=**********************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************%3D;path=/;domain=.*************;HttpOnly
set-cookie: JSESSIONMARKID=(J2EE2816900)ID1049281650DB414bde284b5152939d4cf5487d21ccc0cffd7091End; Version=1; Path=/; Secure; HttpOnly
location: https://host:443/irj/servlet/prt/portal/prtroot/com.sap.portal.navigation.portallauncher.default
content-length: 0
date: Wed, 28 May 2014 05:27:09 GMT
set-cookie: com.sap.engine.security.authentication.original_application_url=; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/

This is the response which we are able to capture. Now we can log in again using a wrong user name and wrong password: using the Burp Suite tool we intercept the response, and by replaying the above response we are able to log in.

Here we are not able to restrict this particular stage.

Is there any solution to stop this? Please advise us.

Regards

Govardan Raj S
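Whether a Set-Cookie value grants access is decided on the server, not by what the browser happens to receive. The following is an added example (constructed for this page, not SAP code or part of the original post) of how a portal back end can keep the decision server-side: the ticket is minted only after both the password and the OTP pass, it is HMAC-signed with a server secret, it carries an expiry, and the server keeps a list of live tickets so a logout invalidates it. The names `issue_ticket`, `validate_ticket`, `login`, `request_portal`, the cookie-handling helpers, the credentials, the key and the 300-second lifetime are all assumptions made for the demonstration. The example also shows the residual risk a practitioner would want to measure: a genuine ticket captured in transit works until it expires or is logged out, which is why short lifetimes, TLS and server-side invalidation matter more than anything done on the client.

```python
"""Constructed example of server-side session-ticket validation (not SAP code)."""
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional

# Constructed server secret; a real deployment loads it from protected configuration.
SERVER_KEY = secrets.token_bytes(32)
TICKET_TTL = 300  # assumed ticket lifetime in seconds

# Constructed demo credentials; a real system stores salted password hashes and
# generates a fresh OTP per login instead of keeping a fixed value.
USERS = {"alice": {"password": "correct horse", "otp": "123456"}}

# Tickets the server currently recognises: issued and not yet logged out.
_live_tickets: Dict[str, str] = {}


def _sign(body: bytes) -> str:
    return hmac.new(SERVER_KEY, body, hashlib.sha256).hexdigest()


def issue_ticket(user: str, now: Optional[float] = None) -> str:
    """Mint a signed, expiring ticket and record it as live on the server."""
    now = time.time() if now is None else now
    claims = {"sub": user, "exp": now + TICKET_TTL, "nonce": secrets.token_hex(8)}
    body = json.dumps(claims).encode()
    token = base64.urlsafe_b64encode(body).decode() + "." + _sign(body)
    _live_tickets[token] = user
    return token


def validate_ticket(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the subject of a ticket this server issued and still honours, else None."""
    now = time.time() if now is None else now
    try:
        b64, sig = token.rsplit(".", 1)
        body = base64.urlsafe_b64decode(b64)
    except (ValueError, binascii.Error):
        return None
    # Signature first: anything not minted with SERVER_KEY is rejected before parsing.
    if not hmac.compare_digest(_sign(body), sig):
        return None
    claims = json.loads(body)
    if claims["exp"] <= now or token not in _live_tickets:
        return None
    return claims["sub"]


def logout(token: str) -> None:
    """Invalidate a ticket server-side so a captured copy stops working."""
    _live_tickets.pop(token, None)


def login(user: str, password: str, otp: str, now: Optional[float] = None) -> dict:
    """Both factors are checked on the server; Set-Cookie is emitted only on success."""
    rec = USERS.get(user)
    if (rec is None
            or not hmac.compare_digest(rec["password"].encode(), password.encode())
            or not hmac.compare_digest(rec["otp"].encode(), otp.encode())):
        return {"status": 401, "headers": {}}
    ticket = issue_ticket(user, now)
    return {"status": 302,
            "headers": {"set-cookie": f"MYSAPSSO2={ticket}; Path=/; Secure; HttpOnly"}}


def cookie_from_response(resp: dict) -> Optional[str]:
    """Extract the MYSAPSSO2 value a browser (or an intercepting proxy) would store."""
    header = resp["headers"].get("set-cookie")
    if not header:
        return None
    name, _, value = header.split(";", 1)[0].partition("=")
    return value if name == "MYSAPSSO2" else None


def request_portal(cookie_value: Optional[str], now: Optional[float] = None) -> int:
    """Protected page: 200 only when the presented ticket validates server-side."""
    if cookie_value and validate_ticket(cookie_value, now):
        return 200
    return 401


if __name__ == "__main__":
    # A cookie value the server never minted is rejected, whatever response carried it.
    print(request_portal("value-from-a-replayed-response"))   # 401
    good = cookie_from_response(login("alice", "correct horse", "123456", now=1000.0))
    print(request_portal(good, now=1100.0))                    # 200: genuine ticket
    logout(good)
    print(request_portal(good, now=1100.0))                    # 401: invalidated
```

The point of the `_live_tickets` store is that validity lives on the server: a forged cookie fails the signature check, a tampered one fails it too, an expired one fails the `exp` check, and a logged-out one is no longer in the store. The one case the server cannot distinguish is a genuine, unexpired ticket presented from a different client, so the lifetime, transport protection and logout handling are the controls to review for that stage.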
