
NexusBrute v2.6.0 - Authentication Bypass Tester


@PicoBaz PicoBaz released this 06 Jan 07:43
· 1 commit to master since this release

⭐ What's New

πŸ” Authentication Bypass Tester Module

Professional authentication security testing with 5 attack categories:

Core Capabilities:

1. Default Credentials Testing

  • 20 common username/password combinations
  • Includes: admin:admin, root:root, administrator, guest, etc.
  • Automatic success detection (confirm hits by hand: a 200 status on its own does not prove a login succeeded)
  • CRITICAL severity classification

2. Session Fixation

  • Checks whether a session ID supplied before login is still accepted after login
  • Flags servers that do not issue a new session ID on authentication
  • HIGH severity vulnerabilities

3. Cookie Manipulation

  • 8 bypass techniques:
    • admin=true, isAdmin=1
    • role=admin, user_type=admin
    • authenticated=true, logged_in=1
    • auth=1, is_authenticated=true
  • HIGH severity classification

4. JWT Token Manipulation

  • alg=none attack (header rewritten to alg: none, signature stripped)
  • Role claim manipulation (elevate to admin)
  • User ID (subject) claim tampering
  • CRITICAL severity vulnerabilities (the two claim edits only land on a server that skips signature verification; alg=none is how a misconfigured verifier is tricked into skipping it)

5. Password Reset Testing

  • Token reuse (a reset token accepted more than once)
  • Predictable token detection
  • Empty token accepted
  • CRITICAL severity

Key Features:

  • 🎯 30+ attack techniques across 5 categories
  • 🔍 Selective test execution
  • 📊 Severity-based classification
  • ⚡ Real-time progress tracking
  • 📝 Detailed vulnerability reports
  • 💾 JSON and CSV export

🔧 Configuration

{
  "authBypass": {
    "targetUrl": "https://example.com/login",
    "passwordResetUrl": "https://example.com/reset-password",
    "jwtToken": "",
    "tests": ["all"],
    "delay": 500,
    "useProxy": false
  }
}

Test Options:

  • "all" - Run all tests
  • "default_credentials" - Default creds only
  • "session_fixation" - Session testing only
  • "cookie_manipulation" - Cookie bypass only
  • "jwt_manipulation" - JWT testing only
  • "password_reset" - Reset vulnerabilities only

📊 Example Output

🔐 Authentication Bypass Tester Started
================================================================
Target: https://example.com/login
Tests: all

🔍 Testing Default Credentials...
✗ VULNERABLE: admin:admin - Status: 200
✗ VULNERABLE: root:root - Status: 200

🔍 Testing Session Fixation...
✗ VULNERABLE: Session ID not regenerated

🔍 Testing Cookie Manipulation...
✗ VULNERABLE: admin=true

🔍 Testing JWT Token Manipulation...
✗ VULNERABLE: None Algorithm

📊 Authentication Bypass Summary
================================================================
⚠️  Total Vulnerabilities: 5

defaultCredentials:
  • DEFAULT_CREDENTIALS (CRITICAL)
sessionFixation:
  • SESSION_FIXATION (HIGH)
cookieManipulation:
  • COOKIE_MANIPULATION (HIGH)
jwtManipulation:
  • JWT_MANIPULATION (CRITICAL)

Time elapsed: 12.34s
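The output above reports a credential pair as VULNERABLE on a 200 status. Many login endpoints also answer 200 for a failed attempt (the form re-rendered with an error), so a verdict needs more evidence. The following is an added example, not NexusBrute code, of a response classifier that weighs the redirect target, error text and session cookie, together with the regeneration check the session-fixation test depends on. The cookie name SESSIONID is an assumption and every response object is constructed for the demo.

```javascript
// Added example (not NexusBrute code): evidence-based login verdicts and the
// session-regeneration check. Cookie name and every response below are constructed.

const SESSION_COOKIE = 'SESSIONID';                      // assumption for the demo
const FAILURE_PHRASES = ['invalid username', 'invalid password', 'incorrect password',
                         'login failed', 'try again'];

// Value of the named cookie from a Set-Cookie header array, or null if absent.
function cookieValue(setCookie, name) {
  for (const header of setCookie || []) {
    const [pair] = header.split(';');
    const eq = pair.indexOf('=');
    if (eq > 0 && pair.slice(0, eq).trim() === name) return pair.slice(eq + 1).trim();
  }
  return null;
}

// resp = { status, headers: { location?, 'set-cookie'?: [] }, body }
function classifyLogin(resp) {
  const body = (resp.body || '').toLowerCase();
  const location = resp.headers.location || '';
  const newSession = cookieValue(resp.headers['set-cookie'], SESSION_COOKIE);

  if (FAILURE_PHRASES.some((p) => body.includes(p))) {
    return { verdict: 'failed', evidence: 'error text in response body' };
  }
  if ([301, 302, 303].includes(resp.status)) {
    return /login|signin|error/i.test(location)
      ? { verdict: 'failed', evidence: `redirected back to ${location}` }
      : { verdict: 'success', evidence: `redirected to ${location}` };
  }
  if (resp.status === 200 && (newSession !== null || body.includes('logout'))) {
    return { verdict: 'success', evidence: newSession !== null ? 'session cookie issued' : 'logout link in body' };
  }
  // A bare 200 is exactly the case a status-only rule would misreport as a hit.
  return { verdict: 'inconclusive', evidence: `status ${resp.status} with no login indicator` };
}

// Session fixation check: the login request carried SESSION_COOKIE=preSetId. A safe
// server answers with a Set-Cookie for a different value; keeping the attacker's
// value, or setting no session cookie at all, means the pre-set ID survived login.
function sessionRegenerated(preSetId, resp) {
  const after = cookieValue(resp.headers['set-cookie'], SESSION_COOKIE);
  return after !== null && after !== preSetId;
}

const SAMPLE = {  // constructed responses
  formWithError: { status: 200, headers: {}, body: '<form>...</form><p>Invalid username or password</p>' },
  toDashboard:   { status: 302, headers: { location: '/dashboard', 'set-cookie': ['SESSIONID=e2b4c1d9; Path=/; HttpOnly; Secure'] }, body: '' },
  backToLogin:   { status: 302, headers: { location: '/login?error=1' }, body: '' },
  fixed:         { status: 302, headers: { location: '/dashboard', 'set-cookie': ['SESSIONID=attacker-chosen; Path=/'] }, body: '' },
  plain200:      { status: 200, headers: {}, body: '<html><body>Welcome</body></html>' },
};

for (const [name, resp] of Object.entries(SAMPLE)) {
  console.log(name, classifyLogin(resp), '| regenerated:', sessionRegenerated('attacker-chosen', resp));
}
```

plain200 is the response a status-code rule would report as VULNERABLE; here it comes back inconclusive and gets a manual look. fixed logs the user in (verdict success) but hands back the attacker-chosen session ID, which is the condition behind "VULNERABLE: Session ID not regenerated".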

💡 Use Cases

  • Penetration Testing: Identify auth weaknesses
  • Security Audits: Validate authentication mechanisms
  • Bug Bounty: Find authentication bypasses
  • Compliance: Meet security testing requirements
  • DevOps: Integrate into CI/CD pipelines

📦 Complete Feature Set (14 Modules)

  1. Smart Brute Force
  2. Password Generator
  3. Rate Limit Checker
  4. Wordlist Optimizer
  5. API Fuzzer
  6. SQL Injection Tester
  7. DDoS Tester
  8. JWT Analyzer
  9. Header Injection Tester
  10. WebSocket Security Tester
  11. Subdomain Enumerator
  12. Multi-Target Campaign Manager
  13. SSL/TLS Analyzer
  14. Authentication Bypass Tester ⭐ NEW!

🚀 Installation & Upgrade

New Installation:

git clone https://github.com/PicoBaz/NexusBrute.git
cd NexusBrute
npm install axios chalk ws
node index.js

Upgrade from v2.5.0:

git pull origin master

(master is the branch this release was cut from; pull whichever branch your clone tracks)

Add to config.json:

{
  "authBypass": {
    "targetUrl": "https://example.com/login",
    "tests": ["all"]
  }
}

πŸ” What It Detects

CRITICAL:

  • Default credentials acceptance
  • JWT None Algorithm bypass
  • Password reset token issues

HIGH:

  • Session fixation vulnerabilities
  • Cookie-based authentication bypass

Attack Techniques:

  • 20 default credential combinations
  • 8 cookie manipulation methods
  • 3 JWT manipulation attacks
  • Session regeneration testing
  • Password reset exploitation

📈 Benefits

  • ⚡ Fast Testing: 30+ techniques in seconds
  • 🎯 Comprehensive: Covers five common classes of authentication weakness
  • 📊 Detailed Reports: JSON/CSV with severity levels
  • 🔒 Best Practices: Aligned with OWASP authentication-testing guidance
  • 💾 Automation Ready: JSON output suits CI/CD pipelines

⚠️ Legal Notice

FOR AUTHORIZED TESTING ONLY. Obtain explicit permission before testing.


Full Changelog: v2.5.0...v2.6.0

Use Responsibly. Test Ethically. Secure Everything. 🌌

Made with ❤️ by @PicoBaz