# Authentication bypass using empty parameters.

> Last Update: 23 May 2022
>
> Added the analysis section with more details

Hello Everyone! Today we have a new write-up about one of my findings at a pen-testing client. The method we used to bypass is tricky, and I want to share it with the community, so let’s get started.

<figure><img src="https://cdn-images-1.medium.com/max/800/1*q-hYfrbvZ1_x1mRIR7FUiw.jpeg" alt=""><figcaption></figcaption></figure>

## **Content**

1. [Summary](#summary)
2. [Description](#description)
3. [Detection & Scanning techniques](#steps-to-reproduce)
4. [Analysis](#analysis)
5. [Thanks](#thanks-to)

### Summary

Through this blog post, I will try to describe what I tried before discovering the real issue; perhaps you can use one of these techniques on one of your targets.

### **Description**

The client's login process sends your credentials and receives the response as JSON data.

At first, I tried to convert the JSON data to XML to test for XXE, but unfortunately it did not work. When converting it back to JSON, I faced a weird case that I could not explain, but after digging deeper with my teammates I understood what the issue was.

### Detection & Scanning Techniques

1\. Try to log in with dummy credentials to check the request and the response.

<figure><img src="https://cdn-images-1.medium.com/max/800/1*ALPusydVfPha0-vmTNgpcQ.png" alt=""><figcaption></figcaption></figure>

You will notice that the credentials are sent in JSON data, and the response also will be in JSON. At this point, I’ve tried multiple tricks like:

```
Change false to true → Failed
Change the message to “Success” → Failed
Delete the whole msg → Failed
Delete the status → Failed
```

2\. Now it’s time to play with the request JSON data. Let’s try to convert it to XML to test for XXE, but no luck: no response was returned.

<figure><img src="https://cdn-images-1.medium.com/max/800/1*s80FUDR2dnirB7sehpcOaA.png" alt=""><figcaption></figcaption></figure>

<figure><img src="https://cdn-images-1.medium.com/max/800/1*lIi3LcPoQi4TGv4aERa11Q.png" alt=""><figcaption></figcaption></figure>

3\. Okay, let’s convert it back to JSON using the same extension and send the request again.

<figure><img src="https://cdn-images-1.medium.com/max/800/1*tpm6rCedvlUzyHiKkehHQg.png" alt=""><figcaption></figcaption></figure>

<figure><img src="https://cdn-images-1.medium.com/max/800/1*eJAJiwg6UlZQRCezQ5GVfA.png" alt=""><figcaption></figcaption></figure>

Notice the change that happened after converting it back with the extension; that is why the response returned the data of the default user.

4\. Intercept the login request, change the JSON data as we did before, and forward the request.

```
Change the data from
{"email":"test@aykalam.com","password":"test"}

to be like that
{"root": {"password": "test", "email": "test@aykalam.com"}}
```

<figure><img src="https://cdn-images-1.medium.com/max/800/1*CUmXL28SlUxVIsVHPwHZIQ.png" alt=""><figcaption></figcaption></figure>

5\. You will find yourself logged in as an admin.

<figure><img src="https://cdn-images-1.medium.com/max/800/1*QKGxuaFswtZGTpvuu85RYw.png" alt=""><figcaption></figcaption></figure>

### **Analysis**

After trying more and digging deeper with [**Live OverFlow**](https://twitter.com/LiveOverflow) and my teammates [**Ahmed Hesham**](https://twitter.com/justAhmed96), [**Karim Hany**](https://twitter.com/akenofu), and [**Mohamed Saleh**](https://twitter.com/MohamedSaleh428), we discovered the issue.

The target uses a custom framework, and the login process is handled by a custom function whose default case causes the problem. I will give you an easy example to make the weak points clear; it is just JS code, not the exact code that was used.

Check the following code.

<figure><img src="https://cdn-images-1.medium.com/max/800/1*Jl0h_02yEtX5jtmF-spZCA.jpeg" alt=""><figcaption><p>Coded by Karim Hany</p></figcaption></figure>

You will notice that the IF statements are not written correctly: if their conditions are false, the process does not terminate but continues with the default case. This issue lets you bypass the authentication.

So, if you replace the login POST data with empty parameters, you get the same result:

```
Replace the following
{"email":"test@aykalam.com","password":"test"}

with
{"":""}
```

<figure><img src="https://cdn-images-1.medium.com/max/800/1*uKfo-aLnOiuP7nxIDIKYog.png" alt=""><figcaption></figcaption></figure>
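To make the fall-through concrete, here is an added JavaScript example (not Karim's code from the screenshot and not the client's code): a login handler whose checks do not terminate on missing fields, beside a hardened version that does. The user store, the default account and the `Failed`/`Success` messages are constructed for the illustration.

```javascript
// Added illustration of the weak pattern: a constructed user store and a
// hypothetical default account that the handler starts from.
const USERS = { "test@aykalam.com": { password: "test", role: "user" } };
const DEFAULT_USER = { email: "default@aykalam.com", role: "admin" }; // hypothetical

// Vulnerable: `user` is preset to the default account and the outer `if` has no
// `else`, so when "email"/"password" are absent the checks are skipped and the
// handler keeps going with DEFAULT_USER instead of terminating.
function vulnerableLogin(body) {
  let user = DEFAULT_USER;
  if (body.email !== undefined && body.password !== undefined) {
    const record = USERS[body.email];
    // Plain-text comparison only for the illustration; real code compares hashes.
    if (record && record.password === body.password) {
      user = { email: body.email, role: record.role };
    } else {
      user = null; // wrong credentials are rejected explicitly ...
    }
  }
  // ... but {"":""} or {"root":{...}} never reach the inner checks,
  // so `user` is still DEFAULT_USER here and a session is issued for it.
  if (user === null) return { status: false, msg: "Failed" };
  return { status: true, msg: "Success", session: user };
}

// Hardened: validate the input shape first and return on every failing branch,
// so there is no default identity left to fall through to.
function hardenedLogin(body) {
  if (typeof body.email !== "string" || typeof body.password !== "string") {
    return { status: false, msg: "Failed" };
  }
  const record = USERS[body.email];
  if (!record || record.password !== body.password) {
    return { status: false, msg: "Failed" };
  }
  return { status: true, msg: "Success", session: { email: body.email, role: record.role } };
}
```

Feeding the three request bodies from the write-up (valid credentials, `{"":""}`, and the `{"root": {...}}` wrapper) to both functions shows the vulnerable one granting the admin session for the last two while the hardened one rejects them.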

Thanks for reading, and I hope you got it well ❤

### **Thanks to**

**Live OverFlow, Ahmed Hesham, Karim Hany,** and **Mohamed Saleh**

**Thanks for reading <3 Stay in touch**

[LinkedIn ](https://www.linkedin.com/in/eslam3kl/)| [GitHub](https://github.com/eslam3kl) | [Twitter](https://twitter.com/eslam3kll)

