A passwordless login system where a user enters their email, the site emails a short-lived redirect link (30 seconds) plus an 8-digit one-time code (OTP).
Updated
Dec 13, 2025 - TypeScript
Security research and vulnerability analysis from HackerOne bug bounty programs. Contains exploitation techniques, proof-of-concept code, and reports for fintech platforms and API gateways. Includes Python/Bash scripts, authentication bypasses, CORS exploits, IDOR vulnerabilities, and API security testing documentation.
POCs, EXPs, scripts, privilege-escalation tools, small utilities, etc. related to penetration testing---About penetration-testing python-script poc getshell csrf xss cms php-getshell domainmod-xss csrf-webshell cobub-razor cve rce sql sql-poc poc-exp bypass oa-getshell cve-cms
🛡️ Web Penetration Testing is the process of testing websites or web apps for security flaws. 🔍 It helps find vulnerabilities like SQL injection, XSS, and authentication bypass. 🚨 Used to protect data, improve security, and prevent hacking attacks.
A security PoC demonstrating how a public form with an embedded API key can bypass backend authentication, allowing attackers to access protected Express endpoints without credentials.
Intentionally vulnerable captive portal lab for wireless security training. Demonstrates session hijacking, authentication bypass, and network security vulnerabilities. Docker containerized for safe, isolated learning environments. FOR EDUCATIONAL USE ONLY.
Intentionally vulnerable web application for security training. Modular design with SQLi, XSS, auth bypass, and file upload vulnerabilities. Docker containerized for safe, isolated learning environments. FOR EDUCATIONAL USE ONLY.
Docker patches to disable authentication popup modals for Sonarr and Radarr while using external authentication (Authentik, Authelia, etc.)
PoC for CVE-2025-5777 – Auth Bypass and RCE in Trend Micro Apex Central
Authentication Bypass PoC for CVE-2025-2825 – Exploiting CrushFTP 10.x
This repository demonstrates a privilege escalation attack targeting Open5GS's WebUI, exploiting unauthenticated database connections and forged session cookies/JWT tokens. The analysis reveals critical vulnerabilities in authentication mechanisms, offering insights for securing 5G network components.
Reverse engineered ChatGPT client for authentication-free access
NextSploit is a command-line tool designed to detect and exploit CVE-2025-29927, a security flaw in Next.js
A stealth SSH backdoor leveraging PAM shared object (.so) injection to bypass authentication and gain SSH access.
Authentication Bypass Vulnerability — CVE-2024-4358 — Telerik Report Server 2024
This repository details an IDOR vulnerability in AbsysNet 2.3.1, which allows a remote attacker to brute-force session IDs via the /cgi-bin/ocap/ endpoint. Successful exploitation can compromise active user sessions, exposing authentication tokens in HTML. The attack is limited to active sessions and is terminated if the user logs out.
WARNING: This is a vulnerable application to test the exploit for the Really Simple Security < 9.1.2 authentication bypass (CVE-2024-10924). Run it at your own risk!
It is a simple password brute force tool designed for ethical hacking and security testing. Automates the process of selecting passwords for a given user on a website by sending POST requests with different passwords and analyzing the response.
A Python tool for decrypting passwords hashed with the AuthMe SHA256 algorithm. Ideal for penetration testing and security audits on Minecraft servers using the AuthMe authentication plugin.
Apache Superset - Authentication Bypass