You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Issue: Incorrect MFA Detection in MFASweep
Description:
The MFASweep script incorrectly identifies certain responses as "no MFA required," even when MFA is indeed required. The logic currently checks for specific strings (authMethodId, Stay signed in, or Verify your identity) in $AuthRequest.Content. If none of these strings match, the script concludes that MFA is not required. However, this does not account for cases where MFA is requested in different forms or through redirection pages.
Reproduction Steps:
Run MFASweep against an account with MFA enabled.
Observe the response content. For example:
html
Copy code
<title>Working...</title>
Script is disabled. Click Submit to continue.
<script language="javascript" nonce='...'>document.forms[0].submit();</script>
The script incorrectly concludes: "It appears there is no MFA required for this account".
Expected Behavior:
The script should detect that MFA is required based on the presence of certain hidden input fields (e.g., request, flowToken, canary) or the presence of redirection via JavaScript.
Actual Behavior:
The script outputs: "It appears there is no MFA required for this account."
Suggested Fix:
Expand the detection logic to include cases like redirection pages and hidden form inputs (e.g., request, flowToken, canary). This will ensure that MFASweep accurately detects when MFA is required.
Additional Notes:
The issue occurs with MFA challenges that use redirection or hidden forms instead of the typical methods (authMethodId, etc.).
Please let me know if you need more information or test cases to validate the fix.
Thank you for your great work on MFASweep! I hope this feedback helps improve the script.
The text was updated successfully, but these errors were encountered:
Issue: Incorrect MFA Detection in MFASweep
Description:
The MFASweep script incorrectly identifies certain responses as "no MFA required," even when MFA is indeed required. The logic currently checks for specific strings (authMethodId, Stay signed in, or Verify your identity) in $AuthRequest.Content. If none of these strings match, the script concludes that MFA is not required. However, this does not account for cases where MFA is requested in different forms or through redirection pages.
Reproduction Steps:
<title>Working...</title>Run MFASweep against an account with MFA enabled.
Observe the response content. For example:
html
Copy code
Script is disabled. Click Submit to continue.
<script language="javascript" nonce='...'>document.forms[0].submit();</script> The script incorrectly concludes: "It appears there is no MFA required for this account". Expected Behavior: The script should detect that MFA is required based on the presence of certain hidden input fields (e.g., request, flowToken, canary) or the presence of redirection via JavaScript.Actual Behavior:
The script outputs: "It appears there is no MFA required for this account."
Suggested Fix:
Expand the detection logic to include cases like redirection pages and hidden form inputs (e.g., request, flowToken, canary). This will ensure that MFASweep accurately detects when MFA is required.
Additional Notes:
The issue occurs with MFA challenges that use redirection or hidden forms instead of the typical methods (authMethodId, etc.).
Please let me know if you need more information or test cases to validate the fix.
Thank you for your great work on MFASweep! I hope this feedback helps improve the script.
The text was updated successfully, but these errors were encountered: