Learn how to test authentication for bypasses — default credentials, JWT flaws, session weaknesses, and broken password-reset and MFA flows — with a structured methodology and concrete checks.
Map how the app authenticates: password login, JWT, OAuth/OIDC, SAML, API keys, magic links, MFA. Identify where the session/identity is established and which token format carries it.
Inspect Set-Cookie, Authorization, and token formats after login.
Decode any JWT to read its header (alg) and claims.
Note OAuth redirect_uri, response_type, and state handling.
Try documented default credentials, common weak passwords, and credentials reused from public breaches. Check whether the login lacks rate limiting or account lockout (enables credential stuffing).
admin:admin, admin:password, root:toor
Test for username enumeration via differing error/timing.
Check for missing lockout after many failed attempts.
If JWTs are used, test the classic flaws: alg:none, algorithm confusion (RS256->HS256 using the public key as the HMAC secret), weak HMAC secrets, and unverified signatures or expiry.
Set header {"alg":"none"} and strip the signature.
RS256 -> HS256 confusion using the public key as the HMAC secret.
Brute-force weak HS256 secrets; tamper claims (role, sub, exp).
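As an added example (not code from this page or from the payload-playground tool), a stdlib-only Python sketch of why the verifier, not the token, must decide the algorithm: verify_naive honours the token's own alg header and never checks exp, while verify_hardened pins HS256, requires a signature and enforces exp, which closes both the alg:none and the algorithm-confusion path. The secret, claims and tokens are constructed for the demo.

```python
import base64, hashlib, hmac, json, time

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_hs256(claims, secret):
    # Builds a real HS256 token the way the issuing server would.
    header = b64url(b'{"alg":"HS256","typ":"JWT"}')
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verify_naive(token, secret):
    # Vulnerable: honours whatever alg the token declares and never checks exp.
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    if header.get("alg") == "none":
        return json.loads(b64url_decode(p))  # unsigned token accepted as-is
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if hmac.compare_digest(expected, b64url_decode(s)):
        return json.loads(b64url_decode(p))
    return None

def verify_hardened(token, secret, now=None):
    # Fixed: algorithm pinned server-side, signature mandatory, exp enforced.
    parts = token.split(".")
    if len(parts) != 3 or not parts[2]:
        return None
    h, p, s = parts
    try:
        if json.loads(b64url_decode(h)).get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):
            return None
        claims = json.loads(b64url_decode(p))
    except (ValueError, TypeError, AttributeError):
        return None
    current = now if now is not None else time.time()
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= current:
        return None
    return claims

# Constructed sample tokens: a legitimate user token and an unsigned alg:none forgery.
SECRET = b"constructed-demo-secret"
GOOD = sign_hs256({"sub": "alice", "role": "user", "exp": 2_000_000_000}, SECRET)
FORGED = b64url(b'{"alg":"none"}') + "." + b64url(b'{"sub":"alice","role":"admin"}') + "."
```

Run verify_naive and verify_hardened against FORGED to see the naive verifier hand out the admin claims while the hardened one returns None; the same pinning step is what the fix list at the end of this page means by "verify signatures/expiry".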
Check session fixation (does the session ID rotate on login?), token entropy/predictability, logout invalidation, and whether tokens are bound to the user/device. Test for missing httpOnly/secure/SameSite on session cookies.
Does the session ID change after authentication? (fixation)
Is a token still valid after logout / password change?
Check cookie flags: HttpOnly, Secure, SameSite.
Reset and MFA flows are common bypass points: predictable/leaked reset tokens, host-header poisoning of reset links, response manipulation on the MFA step, and OTP brute force or reuse.
Host: attacker.com (poison the password-reset link)
Change the MFA response from {"verified":false} to true.
Brute-force / reuse the OTP; skip the MFA step by requesting the post-MFA endpoint directly.
Demonstrate full authentication bypass or privilege gain with a minimal reproduction. Recommend signature verification, server-side MFA enforcement, session rotation, and rate limiting.
Document: mechanism, exact bypass, resulting access level.
Fix: verify signatures/expiry, rotate sessions on login, enforce MFA server-side, rate-limit.