What is Authentication Bypass?
Authentication bypass is when someone can get to restricted-access resources (data, files, functionality, etc.) without approval.
As an example, my gym has issued me with a membership card. Each time I visit, I have to run the card through a reader that checks it is still valid, not already used by someone inside the gym and then lets me enter. My photograph is also displayed briefly to the reception staff so they can check if the person with the card is the same as the member.
But my gym has recently introduced some security boxes—small lockable stores for valuable items such as wallets, mobile phones and keys—located in sight of reception staff. To use these, you give your card to reception, they issue you with a key for a box and manually override the entrance gate.
It's possible that in this procedure they are no longer checking that the card is valid, or that the stored photograph matches the person holding the card. This would allow unauthorised access to the gym by anyone with a found, stolen or borrowed membership card. Similarly, walking through an open fire-escape door would achieve the same thing.
So, why is this an issue for web application security? Many web sites start out with everything being freely available. It's usually not long before user registration, newsletter sign-up or customer-only requirements turn up. These are often added on, without proper consideration of how the authorisation processes will be applied consistently and thoroughly across all resources. It is not uncommon to find a login screen that provides access to, say, file downloads that can be accessed without signing in.
So the first step should be to identify all resources which have to be protected, and what people or groups can access them, under what conditions.
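The following is an added example, not code from the original post: a minimal, framework-free request dispatcher contrasting the "bolted-on" checks described above (where the download handler was never given one) with a single default-deny policy table that doubles as the inventory of protected resources. The paths, roles and handler names are assumed for illustration.

```python
# Added example (not from the original post): bolted-on per-handler checks
# versus one central, default-deny authorisation policy.
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set

@dataclass
class Request:
    path: str
    user: Optional[str] = None       # None means not signed in
    roles: Set[str] = field(default_factory=set)

def page(name: str) -> Callable[[Request], str]:
    return lambda req: f"200 {name}"

# --- Bolted-on checks: each handler decides for itself (the bypass) ----------
def account_handler(req: Request) -> str:
    if req.user is None:
        return "302 /login"
    return "200 account"

def download_handler(req: Request) -> str:
    return "200 report.pdf"          # nobody ever added a login check here

LEGACY_ROUTES = {"/account": account_handler,
                 "/downloads/report.pdf": download_handler}

def legacy_dispatch(req: Request) -> str:
    handler = LEGACY_ROUTES.get(req.path)
    return handler(req) if handler else "404"

# --- Central policy: the inventory of resources, who may access them ---------
# path -> required role; "anonymous" marks a resource deliberately left public.
POLICY: Dict[str, str] = {
    "/": "anonymous",
    "/login": "anonymous",
    "/account": "member",
    "/downloads/report.pdf": "member",
    "/admin": "admin",
}
HANDLERS = {path: page(path) for path in POLICY}

def central_dispatch(req: Request) -> str:
    required = POLICY.get(req.path)
    if required is None:             # unlisted resource: deny rather than guess
        return "404"
    if required != "anonymous":
        if req.user is None:         # authentication required
            return "302 /login"
        if required not in req.roles:  # authorisation required
            return "403"
    return HANDLERS[req.path](req)
```

Every resource must appear in `POLICY` before it can be served, so a newly added download or page cannot silently skip the check.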
Posted on: 13 March 2009 at 08:33 hrs
