Direct Access
The most straightforward way of bypassing authentication checks is to request the protected resource directly from an unauthenticated context. An unauthenticated attacker can access protected information if the web application does not properly verify that the request is authenticated.
Let us assume a web application uses the following snippet of PHP code to verify whether a user is authenticated:
<?php
// Vulnerable check: the redirect header is sent, but nothing stops execution,
// so the rest of the script (the protected content) still runs.
if (!$_SESSION['active']) {
    header("Location: index.php");
}
This code redirects the user to /index.php if the session is not active (unauthenticated).
However, the PHP script does not stop execution after sending the redirect header, so the protected content in the rest of the page is still sent in the response body. If we send a request such as GET /admin.php directly, we can read the page in Burp Suite.
But if we try to access /admin.php through a browser, it won't work, since the browser follows the redirect and never shows the body.
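A hardened version of the same check, as an added example that is not from the original page; it assumes the login handler sets $_SESSION['active'] = true on success and that every protected page calls the helper before emitting any output:

```php
<?php
// Added example, not the original page's code.
// Assumption: the login handler sets $_SESSION['active'] = true after a successful login.
session_start();

/**
 * Redirect unauthenticated requests to index.php and stop the script.
 * header() only queues a header; without exit, PHP keeps executing and
 * the protected content below would still be sent in the 302 response body.
 */
function require_authenticated(): void
{
    if (empty($_SESSION['active'])) {
        header('Location: index.php', true, 302);
        exit; // this is the line the vulnerable snippet is missing
    }
}

require_authenticated();

// Only reached when the session is authenticated.
echo '<h1>Admin panel</h1>';
// ... protected content ...
```

To confirm the fix, request the page from an unauthenticated session with a client that does not follow redirects (for example curl -i); the 302 response should now have an empty body.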