hunt-auth-bypass
This skill aids in identifying authentication bypass vulnerabilities through detailed methodologies and target signals.
Security score
The hunt-auth-bypass skill was audited on Jun 10, 2026 and we found 23 security issues across 3 threat categories. Review the findings below before installing.
Security Issues
Curl to non-GitHub URL
| 159 | curl -s -X POST https://target.com/xmlrpc.php \ |
Curl to non-GitHub URL
| 168 | curl -s -X POST https://target.com/xmlrpc.php \ |
Curl to non-GitHub URL
| 210 | TOKEN=$(curl -s -X POST https://partners.target.com/login \ |
Curl to non-GitHub URL
| 215 | curl -s https://admin.target.com/dashboard \ |
Base64 decode operation
| 186 | saml_xml = base64.b64decode(saml_b64).decode() |
Base64 decode operation
| 192 | print(base64.b64encode(stripped.encode()).decode()) |
Base64 decode operation
| 224 | header = base64.b64encode(json.dumps({"alg":"none","typ":"JWT"}).encode()).decode().rstrip('=') |
Base64 decode operation
| 225 | payload = base64.b64encode(json.dumps({"user_id":1,"role":"admin","email":"[email protected]"}).encode()).decode().rstrip('=') |
External URL reference
| 45 | Location: https://idp.company.com/saml |
External URL reference
| 159 | curl -s -X POST https://target.com/xmlrpc.php \ |
External URL reference
| 168 | curl -s -X POST https://target.com/xmlrpc.php \ |
External URL reference
| 204 | <NameID xmlns:evil="http://evil.com">[email protected]</NameID> |
External URL reference
| 210 | TOKEN=$(curl -s -X POST https://partners.target.com/login \ |
External URL reference
| 215 | curl -s https://admin.target.com/dashboard \ |
External URL reference
| 324 | 5. **GitHub Enterprise Server — SAML XSW via parser differential (CVE-2025-25291/25292)** ([H1 #2579939](https://hackerone.com/reports/2579939) · [Blog](https://github.blog/security/sign-in-as-anyone- |
External URL reference
| 330 | 6. **GitHub Enterprise — SAML signature bypass on encrypted assertions (CVE-2024-4985)** ([H1 #2475347](https://hackerone.com/reports/2475347) · [ProjectDiscovery advisory](https://projectdiscovery.io |
External URL reference
| 336 | 7. **Uber — SAML auth bypass on `uchat.uberinternal.com`** ([H1 #223014](https://hackerone.com/reports/223014)) |
External URL reference
| 342 | 8. **Uber — OneLogin SSO bypass via WordPress XMLRPC** ([H1 #138869](https://hackerone.com/reports/138869)) |
External URL reference
| 348 | 9. **Slack — SAML "confused-deputy" assertion reuse** ([Writeup](http://blog.intothesymmetry.com/2017/10/slack-saml-authentication-bypass.html)) |
External URL reference
| 354 | 10. **HackerOne — SAML signup domain enforcement bypass via control characters** ([H1 #2101076](https://hackerone.com/reports/2101076)) |
External URL reference
| 360 | 11. **8x8 / Jitsi-Meet — JWT alg-confusion (asymmetric verifier accepts symmetric alg)** ([H1 #1210502](https://hackerone.com/reports/1210502)) |
External URL reference
| 366 | 12. **Argo CD (Internet Bug Bounty) — JWT audience claim not validated (CVE-2023-22482)** ([H1 #1889161](https://hackerone.com/reports/1889161)) |
External URL reference
| 394 | **Hardening reference:** [docs.duendesoftware.com/bff/fundamentals/session/handlers](https://docs.duendesoftware.com/bff/fundamentals/session/handlers/), [nestenius.se BFF cookie guide](https://nesten |