AD auth with OTP - browser refresh issue
Hi, we're trying to implement an AD auth with OTP solution using a standard APM policy. Our pentesters found out that it's possible to use browser refresh to retrieve the user's AD credentials. The initial request comes to the VS URL, then it gets redirected using a 302 to /my.policy. AD credentials are entered and at this stage APM responds with HTTP 200, the URI is still /my.policy and it prompts for the OTP pin. Once the OTP pin is entered, APM uses a 302 to redirect to the VS URL, so the OTP password can't be retrieved. Now if you click back in the browser and then click the refresh button, the browser will resubmit the AD credentials, so they can potentially be retrieved by using Fiddler or a similar tool.
I've tried to mitigate it by introducing an additional External Logon Page policy object that was basically redirecting to itself - VS URL/my.policy. It helped - so now if you go through the whole auth process and go back and refresh, you're only getting the redirect data, not the AD credentials. Unfortunately, if you go back on the OTP pin page without entering it and then refresh, it's still possible to get the AD credentials.
So my question - is it possible to configure APM to respond with a 302 on the AD credentials login page? Something like: the AD login page is /my.policy, then it redirects to /otp.policy, and then redirects to the app itself.
Regards, Evgeny
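The behaviour in the post is the classic Post/Redirect/Get (PRG) problem: when a form POST is answered with a 200 page, that POST becomes the browser's current history entry, and Refresh (or Back followed by Refresh) replays it, body included; when the POST is answered with a 302, the only thing left in history is the follow-up GET. The model below is an added example written for this thread, not F5 APM code and not anything from the original post. It reuses the paths from the post (/my.policy, /otp.policy, and /app standing in for the VS URL), uses constructed credentials, and simplifies the browser to the one rule that matters here: Refresh re-issues the request that produced the current page.

```python
"""Added example (not F5 APM code): a small model of the Post/Redirect/Get
pattern and of the Back + Refresh behaviour described in the post.

The "browser" keeps, per history entry, the request that produced the page.
Back moves to the previous entry without sending anything; Refresh replays
that entry's request, body included. That is the simplification that makes
Back + Refresh resubmit a POST answered by a 200 page, while a POST answered
by a 302 leaves only the follow-up GET in history.
"""
from urllib.parse import parse_qs


class PolicyServer:
    """Minimal stand-in for the logon flow: AD form -> OTP form -> app."""

    def __init__(self, redirect_after_ad_login):
        # True: answer the AD credential POST with 302 -> /otp.policy (PRG).
        # False: answer it with 200 and render the OTP form on /my.policy.
        self.prg = redirect_after_ad_login
        self.stage = "anon"  # anon -> ad_done -> done

    def handle(self, method, path, body=""):
        form = parse_qs(body)
        if path == "/app":  # the protected application (VS URL)
            if self.stage == "done":
                return 200, None, "application"
            return 302, "/my.policy", ""
        if path == "/my.policy":
            if method == "POST" and "username" in form and "password" in form:
                self.stage = "ad_done"
                if self.prg:
                    return 302, "/otp.policy", ""
                return 200, None, "OTP pin form"
            if method == "POST" and "otp" in form and self.stage == "ad_done":
                self.stage = "done"
                return 302, "/app", ""
            return 200, None, "AD login form"
        if path == "/otp.policy" and self.prg:
            if self.stage != "ad_done":
                return 302, "/app", ""
            if method == "POST" and "otp" in form:
                self.stage = "done"
                return 302, "/app", ""
            return 200, None, "OTP pin form"
        return 404, None, "not found"


class Browser:
    """Deliberately simplified history model; `wire` logs every request sent."""

    def __init__(self, server):
        self.server = server
        self.history = []  # (method, path, body) that produced each page
        self.index = -1
        self.page = ""
        self.wire = []

    def _send(self, method, path, body):
        self.wire.append((method, path, body))
        return self.server.handle(method, path, body)

    def navigate(self, method, path, body=""):
        status, location, page = self._send(method, path, body)
        while status == 302:  # follow redirects with a bodiless GET
            method, path, body = "GET", location, ""
            status, location, page = self._send(method, path, body)
        del self.history[self.index + 1:]  # drop forward history
        self.history.append((method, path, body))
        self.index = len(self.history) - 1
        self.page = page
        return page

    def submit(self, body):
        """POST a form to the path of the current page."""
        return self.navigate("POST", self.history[self.index][1], body)

    def back(self):
        self.index -= 1  # re-rendered from cache; nothing is sent

    def refresh(self):
        """Replay the request that produced the current entry."""
        method, path, body = self.history[self.index]
        self.index -= 1
        return self.navigate(method, path, body)


def refresh_replay(redirect_after_ad_login, enter_otp=True):
    """Log in, optionally finish OTP and press Back, then press Refresh.
    Returns the requests that the Refresh put on the wire."""
    browser = Browser(PolicyServer(redirect_after_ad_login))
    browser.navigate("GET", "/app")  # 302 -> AD login form
    browser.submit("username=alice&password=s3cret")  # constructed test creds
    if enter_otp:
        browser.submit("otp=123456")  # constructed OTP pin
        assert browser.page == "application"
        browser.back()  # back to the history entry for the OTP page
    sent = len(browser.wire)
    browser.refresh()
    return browser.wire[sent:]


def password_on_wire(requests):
    """True if any replayed request carries the AD password."""
    return any("password=" in body for _, _, body in requests)
```

With `redirect_after_ad_login=False` (the 200 response the post describes) both Back + Refresh after completing OTP and a plain Refresh on the OTP page resend the credential POST; with the 302 variant the replayed request is a GET of /otp.policy, which carries no form body. Real browsers add a "confirm form resubmission" prompt before replaying a POST, but once the user confirms, the body is sent again, so the fix is to make sure a POST that carried credentials is never the request behind a history entry.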