Secure Legion Labs

Broken Authentication Lab

Login Bypass

This room simulates a support login portal with a flawed recovery flow. The normal password check exists, but the fallback reset-token logic trusts any valid temporary token without confirming that the token belongs to the requested user.

Objective: Access the admin dashboard without the admin password. Trigger the broken fallback path and land on the protected area.

Difficulty: Medium. Simple once you see the auth bug, but realistic enough to teach why fallback logic is dangerous.

Flag: Unlocks on unauthorized admin access. The flag appears only when the bypass lands you in the admin dashboard.

Request Model

How the login request works

The portal accepts a username, password, and a temporary recovery token. A normal user can log in with their real password, but the challenge is to abuse the flawed recovery logic to reach the admin account.

  • Username: admin
  • Password: wrong or unknown
  • Recovery Token: TEMP-*

Hint: The weakest part of many auth systems is not the normal password flow. It is the fallback logic wrapped around it. Look for where trust shifts during recovery handling.

Broken Logic

What the application gets wrong

The temporary token branch only checks whether a token is valid somewhere in the system. It never verifies that the token belongs to the same username the attacker is trying to log into.

function authenticate(user, password, token) {
  if (user.password === password) { return login(user) }       // normal password path
  else if (validResetToken(token)) { return login(user) }      // fallback: the token is valid, but for whom?
  // missing: token.userId === user.id
}

Login Console

Submit a login request

Try normal credentials first, then pivot into the fallback token flow and see what the portal allows.

Login endpoint: POST /api/login

Observed note: Support desk logs suggest that temporary recovery tokens are issued in a predictable internal format and may be reused across requests.
Dashboard Output

Rendered result

The portal shows whichever dashboard the flawed authentication logic allows through. The win condition is unauthorized access to the admin view.


Flag Unlock

Challenge flag

The flag appears once the bypass reaches the admin dashboard without using the admin password.

Submit Flag

Validate completion

Submit the unlocked flag to complete the login bypass room.


Execution Path

How the login bypass happens here

1. Read login input

The portal accepts a username, password, and optional recovery token.

2. Fail password path

The attacker does not need the correct admin password if the fallback path is weaker.

3. Trust shared recovery token

A valid token from another account still logs in the requested user because ownership is never checked.