How AJAX can bypass the web application with the Microsoft Authenticator Set up

[Henry Vo]

Hi everyone, 

I am running some scans on the web application. The web application has the MFA set up with the Microsoft Authenticator. Are there any settings or workaround that I can bypass to use the AJAX Spider? 

I had the Authentication Tester set up. I tried to run the AJAX Spider with Firefox headless which is said it can stop and resume for the user to manually enter the authentication code, but I do not think it works. 

Thank you in advance. 

Legal notice: The contents of this communication are private and confidential. Any content that does not relate to the official business of James Anthony Consulting cannot be taken to represent the views, opinions or conclusions of James Anthony Consulting. No contracts may be conclused on behalf of James Anthony Consulting by means of email communication. If you are not the intended recipient of this communication, please delete it and contact the sender. You may not use or reproduce any part of this communication without James Anthony Consulting's prior consent.

[Simon Bennetts]

First see https://www.zaproxy.org/docs/getting-further/authentication/make-your-life-easier/ :)

If you cant disable it then we still may have a solution.

Do you know if Microsoft Authenticator is a standard TOTP?

Cheers,

Simon