
Client-side Authentication Bypass#2371

Open
carlospolop wants to merge 1 commit into
master from update_Client-side_Authentication_Bypass_d1d7e3d85396d24e

Conversation

@carlospolop

Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

The blog post explains how to turn scattered unauthenticated API endpoints and weak frontend-only checks into stronger, clearer bug bounty reports by demonstrating a complete client-side authentication/authorization bypass. The recurring flaw is that applications used JavaScript route guards, browser storage, UI flags, or API-response values as the source of truth for authentication and authorization, while the backend APIs still accepted unauthenticated or unauthorized reque...

🔧 Technical Details

Fake SPA authentication state in browser storage. If a single-page application protects routes using metadata like authRequired: true and a frontend helper such as isUserLoggedIn(), inspect the bundled JavaScript to find the exact storage keys and validation logic. If the function only checks attacker-controlled values such as localStorage.getItem("token") and whether tokenExpiry is in the future, authentication can be bypassed by setting those keys manually in DevTools. This becomes a real vulnerability when backend APIs do not validate the token/session server-side.
Infer expected token formats from frontend parsing code. Search JavaScript bundles for strings like token, SET_TOKEN, SET_ID, authRequired, isUserLoggedIn, and storage key names. Token-handling code may reveal that the frontend expects a JWT-like structure by ...

🤖 Agent Actions

Using repo exploration to find the best existing web auth bypass page and avoid duplicating current content.
I’m updating the existing Login Bypass page because the blog describes frontend-only authentication/authorization checks that unlock restricted UI or actions without real server-side validation.
I found an unintended duplicate References block at the top during diff review; fixing it now so the page keeps references only at the end.
Updated src/pentesting-web/login-bypass/README.md.

Added a new subsection:

  • Client-side authentication & authorization bypass in SPAs

It covers:

  • forging SPA auth state in localStorage / sessionStorage
  • identifying frontend-only checks in JS bundles
  • JWT-like frontend parsing without backend verification
  • truthy-object resolver bypasses
  • response tampering of session/notification endpoints
  • flipping UI-only privilege flags like is_active
  • validating whether the backend actually enforces auth/authz

Also added the blog URL to the file’s final ## References section.

Validated:

  • only 1 file changed
  • references remain only at the end
  • final banner include preserved as the last line

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

@carlospolop

Collaborator Author

🔗 Additional Context

Original Blog Post: https://kuldeep.io/posts/client-side-authentication-bypass

Content Categories: Based on the analysis, this content was categorized under "Pentesting Web -> Login Bypass / Account Takeover, potentially as a subsection on Client-side Authentication & Authorization Bypass in SPAs".

Repository Maintenance:

  • MD Files Formatting: 977 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
