bypassing-authentication-with-forced-browsing

Discovering and accessing unprotected pages, APIs, and administrative interfaces by enumerating URLs and bypassing authentication controls during authorized security assessments.

AI & Automation 13,115 stars 1533 forks Updated today Apache-2.0

Quality Score: 99/100

- Stars (20%): 100
- Recency (20%): 100
- Frontmatter (20%): 70
- Documentation (15%): 100
- Issue Health (10%): 50
- License (10%): 100
- Description (5%): 100

Skill Content

# Bypassing Authentication with Forced Browsing

## When to Use

- During authorized penetration tests to discover hidden or unprotected administrative pages
- When testing whether authentication is consistently enforced across all application endpoints
- For identifying backup files, configuration files, and debug interfaces left exposed in production
- When assessing access control on API endpoints that should require authentication
- During security audits to validate that all sensitive resources enforce session validation

## Prerequisites

- **Authorization**: Written penetration testing agreement covering directory enumeration
- **ffuf**: Fast web fuzzer (`go install github.com/ffuf/ffuf/v2@latest`)
- **Gobuster**: Directory brute-force tool (`apt install gobuster`)
- **Burp Suite**: For intercepting and analyzing requests and responses
- **Wordlists**: SecLists collection (`git clone https://github.com/danielmiessler/SecLists.git`)
- **Target access**: Network connectivity and valid test credentials for authenticated comparison

## Workflow

### Step 1: Enumerate Hidden Directories and Files

Use ffuf or Gobuster to discover paths not linked in the application's navigation.

```bash
# Directory enumeration with ffuf
ffuf -u https://target.example.com/FUZZ \
  -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt \
  -mc 200,301,302,403 \
  -fc 404 \
  -o results-dirs.json -of json \
  -t 50 -rate 100

# File enumeration with common extensions
ffuf -u...
```

Details

- Author: mukul975
- Repository: mukul975/Anthropic-Cybersecurity-Skills
- Created: 3 months ago
- Last Updated: today
- Language: Python
- License: Apache-2.0
