auth_bypass_check

Automatically detect authentication bypass vulnerabilities in API endpoints by testing various authentication mechanisms, headers, and session configurations on CyberMCP.

Input Schema

Name              Required  Description                                                               Default
auth_header       No        Authentication header name (if different from standard)
auth_token        No        Authentication token (if not using the currently authenticated session)
endpoint          Yes       API endpoint to test
http_method       No        HTTP method to use                                                        GET
use_session_auth  No        Whether to use the current session authentication if available            true

Implementation Reference

  • The handler function that performs the auth_bypass_check tool logic. It requests the specified endpoint in four authentication states (no auth, invalid token, empty token, valid auth) with axios and reports the endpoint as vulnerable to authentication bypass when a request without valid credentials is not rejected with a 4xx/5xx status, or when the authenticated and unauthenticated responses are identical.
    import axios from "axios";
    // AuthManager is the project's session/auth-state singleton; its import path is not shown on this page.

    // Handler passed to server.tool("auth_bypass_check", schema, handler)
    async ({ endpoint, auth_header, auth_token, http_method, use_session_auth }) => {
      const results: Array<{
        test: string; status?: number; vulnerable?: boolean; authorized?: boolean; details: string;
      }> = [];
      const authManager = AuthManager.getInstance();
      const currentAuthState = authManager.getAuthState();
      const hasCurrentAuth = currentAuthState.type !== "none" && use_session_auth;

      try {
        // Test 1: No authentication
        const noAuthResponse = await axios({
          method: http_method.toLowerCase(),
          url: endpoint,
          validateStatus: () => true, // Accept any status code
        });
        results.push({
          test: "No Authentication",
          status: noAuthResponse.status,
          vulnerable: noAuthResponse.status < 400, // Vulnerable if not returning a 4xx/5xx error
          details: `Response without authentication returned status code ${noAuthResponse.status}`,
        });

        // Test 2: Invalid token
        const headerName = auth_header || "Authorization";
        const invalidTokenResponse = await axios({
          method: http_method.toLowerCase(),
          url: endpoint,
          headers: { [headerName]: "Bearer invalid_token_here" },
          validateStatus: () => true,
        });
        results.push({
          test: "Invalid Token",
          status: invalidTokenResponse.status,
          vulnerable: invalidTokenResponse.status < 400,
          details: `Response with invalid token returned status code ${invalidTokenResponse.status}`,
        });

        // Test 3: Empty token
        const emptyTokenResponse = await axios({
          method: http_method.toLowerCase(),
          url: endpoint,
          headers: { [headerName]: "" },
          validateStatus: () => true,
        });
        results.push({
          test: "Empty Token",
          status: emptyTokenResponse.status,
          vulnerable: emptyTokenResponse.status < 400,
          details: `Response with empty token returned status code ${emptyTokenResponse.status}`,
        });

        // Test 4: If we have current auth or a provided token, test with valid auth
        if (hasCurrentAuth || auth_token) {
          let authHeaders = {};
          if (hasCurrentAuth) {
            authHeaders = authManager.getAuthHeaders();
          } else if (auth_token) {
            authHeaders = { [headerName]: `Bearer ${auth_token}` };
          }
          const validAuthResponse = await axios({
            method: http_method.toLowerCase(),
            url: endpoint,
            headers: authHeaders,
            validateStatus: () => true,
          });
          results.push({
            test: "Valid Authentication",
            status: validAuthResponse.status,
            authorized: validAuthResponse.status < 400,
            details: `Response with valid authentication returned status code ${validAuthResponse.status}`,
          });

          // Check if we get the same response with and without auth
          const authBypassRisk =
            noAuthResponse.status === validAuthResponse.status &&
            noAuthResponse.status < 400 &&
            JSON.stringify(noAuthResponse.data) === JSON.stringify(validAuthResponse.data);
          if (authBypassRisk) {
            results.push({
              test: "Authentication Effectiveness",
              vulnerable: true,
              details: "CRITICAL: Endpoint returns the same response with and without authentication. Authentication may be ineffective.",
            });
          }
        }

        return {
          content: [
            {
              type: "text",
              text: `Authentication Bypass Test Results for ${endpoint}:\n\n${results
                .map(
                  (r) =>
                    `Test: ${r.test}\n` +
                    `${r.status ? `Status: ${r.status}\n` : ""}` +
                    `${r.vulnerable !== undefined ? `Vulnerable: ${r.vulnerable}\n` : ""}` +
                    `${r.authorized !== undefined ? `Authorized: ${r.authorized}\n` : ""}` +
                    `Details: ${r.details}\n`
                )
                .join("\n")}`,
            },
          ],
        };
      } catch (error) {
        return {
          content: [
            { type: "text", text: `Error testing authentication bypass: ${(error as Error).message}` },
          ],
        };
      }
    }
  • Input schema for the auth_bypass_check tool, using Zod validation to define the endpoint, the optional auth details, the HTTP method, and whether to use session auth.
    import { z } from "zod";

    // Schema object passed as the second argument to server.tool(...)
    {
      endpoint: z.string().url().describe("API endpoint to test"),
      auth_header: z.string().optional().describe("Authentication header name (if different from standard)"),
      auth_token: z.string().optional().describe("Authentication token (if not using the currently authenticated session)"),
      http_method: z.enum(["GET", "POST", "PUT", "DELETE", "PATCH"]).default("GET").describe("HTTP method to use"),
      use_session_auth: z.boolean().default(true).describe("Whether to use the current session authentication if available"),
    },
  • Registers the auth_bypass_check tool with the MCP server inside the registerAuthenticationTools function, passing the schema and handler listed above.
    // Test for authentication bypass
    server.tool(
      "auth_bypass_check",
      {
        endpoint: z.string().url().describe("API endpoint to test"),
        auth_header: z.string().optional().describe("Authentication header name (if different from standard)"),
        auth_token: z.string().optional().describe("Authentication token (if not using the currently authenticated session)"),
        http_method: z.enum(["GET", "POST", "PUT", "DELETE", "PATCH"]).default("GET").describe("HTTP method to use"),
        use_session_auth: z.boolean().default(true).describe("Whether to use the current session authentication if available"),
      },
      async ({ endpoint, auth_header, auth_token, http_method, use_session_auth }) => {
        // Handler body: identical to the handler function listed above
      }
    );
  • Top-level registration call that invokes registerAuthenticationTools, thereby registering the auth_bypass_check tool among authentication tools.
    registerAuthenticationTools(server);
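As an added illustration (not CyberMCP's own code), the tool's verdict logic is factored below into a pure function with the HTTP call injected synchronously, so the four probes and the "same response with and without auth" comparison can be checked offline against a constructed fake API; evaluateAuthBypass and fakeApi are assumed names.

```typescript
// Added illustration, not CyberMCP's code: verdict logic of auth_bypass_check with the HTTP call injected.
export type Probe = { status: number; data: unknown };
export type Req = { method: string; url: string; headers?: Record<string, string> };
export type Transport = (req: Req) => Probe; // synchronous stand-in for axios

export interface ProbeResult {
  test: string; status?: number; vulnerable?: boolean; authorized?: boolean; details: string;
}

export function evaluateAuthBypass(
  send: Transport, endpoint: string,
  opts: { method?: string; headerName?: string; validHeaders?: Record<string, string> } = {},
): ProbeResult[] {
  const method = (opts.method ?? "GET").toLowerCase();
  const h = opts.headerName ?? "Authorization";
  const results: ProbeResult[] = [];
  // Same rule as the tool: a status below 400 means the request was not rejected.
  const probe = (test: string, headers?: Record<string, string>): Probe => {
    const res = send({ method, url: endpoint, headers });
    results.push({ test, status: res.status, vulnerable: res.status < 400,
      details: `${test} returned status code ${res.status}` });
    return res;
  };
  const noAuth = probe("No Authentication");
  probe("Invalid Token", { [h]: "Bearer invalid_token_here" });
  probe("Empty Token", { [h]: "" });
  if (opts.validHeaders) {
    const valid = send({ method, url: endpoint, headers: opts.validHeaders });
    results.push({ test: "Valid Authentication", status: valid.status,
      authorized: valid.status < 400, details: `Valid auth returned status code ${valid.status}` });
    // Identical success response with and without credentials: auth is not being enforced.
    if (noAuth.status === valid.status && noAuth.status < 400 &&
        JSON.stringify(noAuth.data) === JSON.stringify(valid.data)) {
      results.push({ test: "Authentication Effectiveness", vulnerable: true,
        details: "Endpoint returns the same response with and without authentication." });
    }
  }
  return results;
}

// Constructed fake API standing in for the network: when `enforce` is true it
// requires the exact bearer token, otherwise it answers every caller identically.
export function fakeApi(secret: string, enforce: boolean): Transport {
  return ({ headers }) => {
    const token = headers?.["Authorization"] ?? "";
    if (enforce && token !== `Bearer ${secret}`) return { status: 401, data: { error: "unauthorized" } };
    return { status: 200, data: { items: ["a", "b"] } };
  };
}
```

Running it against fakeApi(secret, false) reproduces the CRITICAL finding the tool reports; against fakeApi(secret, true) all three unauthenticated probes are rejected and only the valid-auth probe is authorized.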

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/ricauts/CyberMCP'

If you have feedback or need assistance with the MCP directory API, please join our Discord server.