Authentication & Authorisation Hacking Labs
Auth bugs make up some of the highest-impact vulnerabilities in modern apps. These labs cover the patterns you'll see in real bug bounty reports: IDOR via predictable IDs, JWT signature bypass via alg=none, OAuth state-parameter abuse for account takeover, mass assignment self-promotion to admin, and predictable password reset tokens.
Authorisation bugs are everywhere in production code because they require explicit checks at every endpoint, and developers regularly miss them. These labs let you exploit the exact patterns that show up in bug bounty programs — sequential ID enumeration, weak JWT verification, OAuth flows missing state validation, registration forms allowing privileged-field assignment, and reset tokens with predictable structure. Each one is fully solvable in your browser with no infrastructure setup.
IDOR — Sequential Document IDs
DocuShare uses sequential numeric IDs for documents and only checks that you're logged in — not that you own the doc you're viewing. Find a way to read a document that isn't yours.
JWT — None Algorithm Bypass
InvoiceCloud uses JWTs for authentication. The library accepts the algorithm specified in the token header — including 'none'. Forge a token to impersonate the admin.
Mass Assignment — Self-Promote to Admin
QuickStart's signup form takes the new user's data as JSON and copies every field into the User record. The form normally only sends username/email/password — but the backend has no field whitelist. Become admin at signup.
OAuth — Missing State Parameter (Account Takeover)
ConnectApp lets users link their Twitter account via OAuth. The client never sets the 'state' parameter on the authorization request — and never verifies it on the callback. Use that to link the victim's session to YOUR Twitter account.
OAuth — Open Redirect on redirect_uri
AuthHub validates the OAuth redirect_uri with a substring match — 'must contain trustedclient.com'. The check is naive. Find a redirect_uri that passes the check but ships the OAuth code to your attacker domain.
Password Reset — Predictable Token
OldMail's password reset uses a token that's just the user's ID + the current timestamp, base64-encoded. Reset the admin's password by guessing the token.
JWT — Algorithm Confusion (RS256 → HS256)
AuthBox issues JWTs signed with RS256 (asymmetric — private key signs, public key verifies). The verifier blindly trusts the alg header. Forge an HS256 token using the public key as the HMAC secret — the verifier will accept it.