Authentication Bypass is a type of vulnerability that allows an attacker to skip the authentication process. It is a logic bug rather than a technical one, and there is no fixed methodology for bypassing authentication: the attacker has to understand how authentication is implemented in the web application.
There are some common implementation mistakes in authentication that can lead to Authentication Bypass.
- Session ID in the URL: this is a rare case but still exists.
Java Servlet supports URL rewriting, in which the session ID is appended to the URL.
If a user shares such a URL, his session is shared with it, and anyone who has the URL can access it.
The URL, including the session ID, is also sent in the Referer field of an HTTP request, which will expose users' sessions.
- Some vulnerable applications verify the session based on a fixed HTTP parameter. E.g., `http://site.com/admin/` will redirect to `http://site.com/admin/loggedIn=true` after a successful login.
An attacker can hit the URL `http://site.com/admin/loggedIn=true` directly and get access to the admin panel without authentication.
- If the web application enforces authentication only on the homepage and not on internal pages, then one can access internal pages without authentication.
For example, `http://site.com/admin/` needs authentication, but `http://site.com/admin/view_users/` can be accessed without authentication.
- After successful authentication, web applications provide a session ID, which is stored inside cookies.
- The session ID should be random and not predictable.
- A few web applications generate sessions based on time, which is sequential and predictable.
- Unauthenticated users will be able to access restricted resources like user dashboards and admin panels.
- Never use client-side authentication.
- Store the session ID in cookies, and do not send it in the URL.
- Validate authentication on each request.
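As an added example (not code from the original text), the following Python model shows the fixed-parameter mistake beside a hardened check that issues a random, cookie-borne session ID and validates it on every request under `/admin/`, not only on the landing page. The `Request` class, the in-memory session store and the `?loggedIn=true` query form are assumptions made for this demo.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

# Server-side session store (constructed for this example): token -> username.
SESSIONS: dict[str, str] = {}

@dataclass
class Request:
    """Minimal stand-in for an HTTP request (hypothetical, not a real framework)."""
    url: str
    cookies: dict = field(default_factory=dict)

def login(username: str) -> str:
    """Issue a session after credentials were verified (verification assumed done)."""
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, never time-based
    SESSIONS[token] = username
    return token

def is_authenticated_vulnerable(req: Request) -> bool:
    """Weak pattern from the text: trusts a fixed parameter the client controls."""
    query = parse_qs(urlsplit(req.url).query)
    return query.get("loggedIn") == ["true"]

def is_authenticated(req: Request) -> bool:
    """Hardened: only a server-issued token carried in a cookie counts."""
    token = req.cookies.get("session", "")
    # compare_digest keeps the comparison constant-time for equal-length tokens
    return any(hmac.compare_digest(token, known) for known in SESSIONS)

def authorize(req: Request, check=is_authenticated) -> int:
    """Return an HTTP status. Auth is enforced on every request under /admin/,
    not only on the /admin/ landing page."""
    path = urlsplit(req.url).path
    if path.startswith("/admin/"):
        return 200 if check(req) else 401
    return 200  # public pages

if __name__ == "__main__":
    forged = Request("http://site.com/admin/view_users/?loggedIn=true")
    print("vulnerable check:", authorize(forged, is_authenticated_vulnerable))  # 200
    print("hardened check:", authorize(forged))  # 401
    real = Request("http://site.com/admin/view_users/", {"session": login("alice")})
    print("real session:", authorize(real))  # 200
```

The hardened path never consults anything the client can type into a URL; it only recognises tokens the server itself created.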