Authentication Bypass by Alternate Name

Description

Authentication Bypass by Alternate Name is a vulnerability that occurs when a product performs authentication based on the name of a resource being accessed, or the name of the actor performing the access, but does not properly check all possible names for that resource or actor. Many systems allow resources to be referenced by multiple names - through URL encoding, case variations, Unicode representations, path traversal sequences, or file extension aliases. When authentication checks only validate one name representation but access is granted through an alternate representation of the same resource, attackers can bypass security controls.

Risk

Alternate name authentication bypass creates significant risk because an attacker can reach a protected resource simply by respelling its identifier. URL encoding lets one character be written several ways (%2F for /, %2e for .), and double encoding (%252F) adds another layer, so a check that compares raw request strings misses encoded forms that a later component decodes. Case-insensitive file systems or backends serve ADMIN.PHP when only admin.php is blocked. Unicode gives the same visible name several code-point sequences (fullwidth letters, compatibility forms, homoglyphs such as Cyrillic а for Latin a). A backslash, or its encoded form %5C, accepted as a path separator by the web server bypasses restrictions written for forward-slash paths, which is how the .aspx bypass in CVE-2004-0847 worked. The risk is amplified because the alternate spellings often evade monitoring: log searches and intrusion detection signatures written for the canonical name do not match them.

Solution

Do not make a security decision on a resource name when that resource has other names. Canonicalize first: decode percent-encoding (in a bounded number of passes, so double encoding is unwrapped without looping forever), apply Unicode normalization, fold case where the target is case-insensitive, resolve "." and ".." segments and repeated or alternate separators, and only then compare. Reject, rather than silently repair, input that still contains encoded or control characters after canonicalization, and fail closed when a name cannot be canonicalized. Validate with an "accept known good" allowlist of names that conform to the specification instead of a blocklist of bad spellings, and compare protected prefixes on a path boundary so that /admin matches /admin/users but not /administrator. Resolve file paths to absolute canonical form and confirm the result lies inside the allowed directory. Prefer framework-provided mechanisms that already canonicalize correctly, and apply the same canonical form everywhere a name is stored or compared (registration and login, proxy and backend). Test the checks with URL encoding, double encoding, Unicode variants, dot segments, duplicate slashes, backslashes and case variations.
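As an added example (not code from the original page), the following Python puts the canonicalization steps above into a guard and then tests the guard the way the last sentence recommends: it generates alternate spellings of a protected path and reports which ones a guard lets through. It covers both the encodings listed under Risk and the checks listed under Solution. `PROTECTED`, the sample paths and the helper names are assumptions made for this example.

```python
# Added example: canonicalizing guard plus an alternate-name generator for
# testing it. PROTECTED and the sample paths are assumptions for this example.
import posixpath
import unicodedata
from urllib.parse import quote, unquote

# Assumed protected prefixes: everything at or below them needs authentication
PROTECTED = ("/admin", "/api/admin")

# ASCII letter -> fullwidth form (U+FF41..U+FF5A), one Unicode alias for a path
_FULLWIDTH = {ord(c): chr(0xFF41 + i)
              for i, c in enumerate("abcdefghijklmnopqrstuvwxyz")}


def canonicalize(raw_path):
    """Reduce a request path to one canonical spelling.

    Raises ValueError for input that cannot be made safe; the caller must
    treat that as protected (fail closed).
    """
    path = raw_path
    # Percent-decode and NFKC-normalize together until the string stops
    # changing: unwraps double encoding and percent-encoded fullwidth
    # characters in whichever order they were layered. The bound rejects
    # deeper nesting instead of looping.
    for _ in range(4):
        step = unicodedata.normalize("NFKC", unquote(path))
        if step == path:
            break
        path = step
    else:
        raise ValueError("too many encoding layers")
    if "\x00" in path:
        raise ValueError("embedded NUL byte")
    path = path.replace("\\", "/")          # backslash accepted as separator
    if not path.startswith("/"):
        path = "/" + path
    path = posixpath.normpath(path)         # resolves '.', '..', repeated '/'
    while path.startswith("//"):            # normpath keeps a leading '//'
        path = path[1:]
    return path.casefold()                  # Unicode-aware case folding


def is_protected(raw_path):
    """Canonicalizing guard: True when the request needs authentication."""
    try:
        path = canonicalize(raw_path)
    except ValueError:
        return True                         # fail closed on unsafe input
    # Match on a path boundary so '/administrator' is not taken for '/admin'
    return any(path == p or path.startswith(p + "/") for p in PROTECTED)


def naive_is_protected(raw_path):
    """The anti-pattern from the text: exact comparison of the raw path."""
    return raw_path in PROTECTED


def alternate_names(path):
    """Spellings an attacker might try that name the same resource as path."""
    tail = path.lstrip("/")
    return [
        path.upper(),                             # case variation
        quote(path, safe=""),                     # every character %-encoded
        quote(quote(path, safe=""), safe=""),     # double encoding
        "/./" + tail,                             # dot segment
        "/tmp/../" + tail,                        # traversal that lands back
        "//" + tail,                              # duplicate slash
        path.replace("/", "\\"),                  # backslash separator
        path + "/",                               # trailing slash
        path.translate(_FULLWIDTH),               # fullwidth Unicode letters
        path + "%00",                             # NUL byte after decoding
    ]


def missed_by(guard, path):
    """Alternate names of a protected path that guard fails to protect."""
    return [alt for alt in alternate_names(path) if not guard(alt)]


if __name__ == "__main__":
    for label, guard in (("naive", naive_is_protected),
                         ("canonical", is_protected)):
        print(f"{label:9} misses: {missed_by(guard, '/admin')}")
```

Run it and the naive guard misses every variant while the canonicalizing guard misses none. The decode loop is bounded on purpose: an input still changing after four passes is rejected instead of decoded further, and a NUL byte is a rejection rather than something to strip.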

Common Consequences

Impact: Access Control
Scope: Access Control

Details: Attackers can circumvent intended security restrictions by using alternate naming conventions to reference protected resources. This bypasses authentication requirements, allowing unauthorized access to restricted functionality and sensitive data.

Example Code

Vulnerable Code (Python, Java, PHP)

The following examples demonstrate authentication bypass by alternate name:

# Vulnerable: Path-based access control without canonicalization
from flask import Flask, request, abort, render_template, session

app = Flask(__name__)

# List of protected paths
PROTECTED_PATHS = ['/admin', '/admin/', '/api/admin']

def is_authenticated():
    # Placeholder session check; the weakness is in the path comparison below
    return session.get('user') is not None

@app.before_request
def check_protected_paths():
    path = request.path

    # Vulnerable: Only checks exact path matches, so any other spelling of
    # the same resource slips past. Whether that spelling still reaches the
    # handler depends on the component that normalizes it (reverse proxy,
    # WSGI server, case-insensitive backend), which this check never sees.
    if path in PROTECTED_PATHS:
        if not is_authenticated():
            abort(401)

    # /admin     -> checked (exact match)
    # /Admin     -> not checked (case-sensitive comparison)
    # /admin%2f  -> not checked when the front end leaves %2f encoded
    # /./admin   -> not checked (dot segment not resolved)
    # //admin    -> not checked (duplicate slash not collapsed)

@app.route('/admin')
def admin_panel():
    return render_template('admin.html')

// Vulnerable: File access control by extension
import java.util.Arrays;
import java.util.List;

public class VulnerableFileAccess {

    private static final List<String> RESTRICTED_EXTENSIONS =
        Arrays.asList(".aspx", ".config", ".cs");

    public boolean isAccessAllowed(String filename) {
        // Vulnerable: compares the raw name, lowercase extensions only,
        // before any decoding. The layer that later opens the file sees a
        // different name:
        //   file.ASPX        -> passes (case)
        //   file.aspx%00.txt -> passes; a NUL-truncating layer opens file.aspx
        //   file.as%70x      -> passes; decoded later to file.aspx
        for (String ext : RESTRICTED_EXTENSIONS) {
            if (filename.endsWith(ext)) {
                return false;
            }
        }
        return true;
    }
}

<?php
// Vulnerable: Username validation by alternate representation
function authenticate($username, $password) {
    // Block admin login from web
    if ($username === "admin") {
        return false;  // Admin blocked
    }

    // Vulnerable: Doesn't normalize username
    return check_credentials($username, $password);

    // Bypass: "Admin" -> bypasses check (case)
    // Bypass: "admin " -> bypasses check (trailing space)
    // Bypass: "аdmin" -> bypasses check (Cyrillic 'а')
}

// Vulnerable: Path access control
function is_restricted_path($path) {
    $restricted = array('/etc/passwd', '/etc/shadow');

    // Vulnerable: No canonicalization
    return in_array($path, $restricted);

    // /etc/passwd          -> blocked (exact match)
    // /etc//passwd         -> bypasses check (duplicate slash)
    // /etc/./passwd        -> bypasses check (dot segment)
    // /etc/dummy/../passwd -> bypasses check (traversal resolves to the same file)
}
?>

Fixed Code (Python, Java, PHP)

# Fixed: Path-based access control with canonicalization
from flask import Flask, request, abort, render_template, session
import posixpath
import unicodedata
from urllib.parse import unquote

app = Flask(__name__)

PROTECTED_PATH_PREFIXES = ['/admin', '/api/admin']

def is_authenticated():
    return session.get('user') is not None

def canonicalize_path(path):
    """Normalize path to canonical form before any access decision"""
    # URL decode. request.path has already been decoded once by the WSGI
    # layer, so this pass only matters for double-encoded input.
    decoded = unquote(path)

    # Handle double encoding, bounded so a pathological input cannot loop
    for _ in range(3):
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again
    else:
        abort(400)  # still changing after three passes: refuse it

    # Reject embedded null bytes rather than stripping them
    if '\x00' in decoded:
        abort(400)

    # Fold backslashes to slashes, then collapse '.', '..' and repeated
    # slashes with POSIX rules regardless of host OS (os.path.normpath
    # would emit backslashes on Windows)
    normalized = posixpath.normpath(decoded.replace('\\', '/'))
    while normalized.startswith('//'):  # normpath keeps a leading '//'
        normalized = normalized[1:]

    # Unicode compatibility normalization and case folding for the
    # case-insensitive comparison
    normalized = unicodedata.normalize('NFKC', normalized).casefold()

    return normalized

@app.before_request
def check_protected_paths():
    # Fixed: Canonicalize before checking
    canonical_path = canonicalize_path(request.path)

    for protected in PROTECTED_PATH_PREFIXES:
        # Match on a path boundary so '/administrator' is not mistaken
        # for '/admin'
        if canonical_path == protected or canonical_path.startswith(protected + '/'):
            if not is_authenticated():
                abort(401)
            break

@app.route('/admin')
def admin_panel():
    return render_template('admin.html')

// Fixed: File access control with proper normalization
import java.io.File;
import java.io.IOException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.Locale;
import java.util.Set;

public class SecureFileAccess {

    private static final Set<String> RESTRICTED_EXTENSIONS =
        Set.of(".aspx", ".config", ".cs", ".dll");

    private static final File ALLOWED_BASE = new File("/var/www/public");

    public boolean isAccessAllowed(String filename) throws IOException {
        // Fixed: Decode URL encoding, repeating until the value is stable so
        // double encoding is unwrapped. Bounded so deep nesting cannot loop;
        // a malformed percent sequence makes decode() throw and is refused.
        String decoded = filename;
        for (int i = 0; i < 3; i++) {
            String next;
            try {
                next = URLDecoder.decode(decoded, StandardCharsets.UTF_8);
            } catch (IllegalArgumentException e) {
                return false;  // malformed encoding: fail closed
            }
            if (next.equals(decoded)) {
                break;
            }
            decoded = next;
        }

        // Fixed: Reject null bytes rather than stripping them; stripping
        // would turn "file.aspx%00.txt" into "file.aspx.txt" and hide intent
        if (decoded.indexOf('\0') >= 0) {
            return false;
        }

        // Fixed: Convert to lowercase for case-insensitive check
        // (Locale.ROOT avoids locale-specific case rules such as Turkish i)
        String lower = decoded.toLowerCase(Locale.ROOT);

        // Fixed: Check all extension variations
        for (String ext : RESTRICTED_EXTENSIONS) {
            if (lower.endsWith(ext)) {
                return false;
            }
        }

        // Fixed: Resolve the name inside the allowed directory and verify the
        // canonical result stays there. Comparing against base + separator
        // stops "/var/www/public2" from passing a bare startsWith test.
        String canonical = new File(ALLOWED_BASE, decoded).getCanonicalPath();
        String allowedBase = ALLOWED_BASE.getCanonicalPath();

        if (!canonical.startsWith(allowedBase + File.separator)) {
            return false;  // Path traversal attempt
        }

        return true;
    }
}

<?php
// Fixed: Username validation with normalization
function authenticate($username, $password) {
    // Fixed: Normalize username; null means it could not be normalized
    $normalized = normalize_username($username);
    if ($normalized === null) {
        return false;  // Fail closed on unexpected characters
    }

    // Block admin login from web
    if ($normalized === "admin") {
        return false;
    }

    return check_credentials($normalized, $password);
}

function normalize_username($username) {
    // Trim whitespace
    $username = trim($username);

    // Convert to lowercase (multibyte-aware: strtolower leaves non-ASCII
    // letters such as Cyrillic capitals untouched)
    $username = mb_strtolower($username, 'UTF-8');

    // Replace homoglyphs (Cyrillic, Greek letters that look like Latin)
    $homoglyphs = array(
        'а' => 'a',  // Cyrillic а
        'е' => 'e',  // Cyrillic е
        'о' => 'o',  // Cyrillic о
        // Add more as needed
    );
    $username = strtr($username, $homoglyphs);

    // Allowlist: a homoglyph table can never be complete, so anything left
    // outside the expected alphabet is rejected rather than guessed at
    if (!preg_match('/^[a-z0-9._-]{1,64}$/', $username)) {
        return null;
    }

    return $username;
}

// Fixed: Path access control with canonicalization
function is_restricted_path($path) {
    $restricted = array('/etc/passwd', '/etc/shadow');

    // Fixed: Canonicalize path. realpath() resolves '.', '..', duplicate
    // slashes and symlinks, so a link pointing at /etc/passwd is caught too.
    $canonical = realpath($path);

    if ($canonical === false) {
        // Path doesn't exist or is invalid
        return true;  // Fail closed
    }

    // A blocklist of canonical paths is still a blocklist; where possible,
    // require the canonical path to lie under an allowed base directory instead
    return in_array($canonical, $restricted, true);
}
?>

The fixes canonicalize names before the decision is made (URL decoding, case normalization, path normalization, and homoglyph handling for usernames) and, where a name cannot be resolved to a canonical form, fail closed instead of guessing.
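The username half of the fix above maps a few homoglyphs by hand; that table can never be complete. As an added example (not the page's own code), this Python takes the other route the Solution recommends: NFKC normalization and case folding first, then an allowlist that rejects anything outside the expected alphabet, so a Cyrillic а is refused instead of mapped. `RESERVED`, `ALLOWED` and the sample names are assumptions for this example.

```python
# Added example: canonical username for identity checks. RESERVED, ALLOWED
# and the sample names are assumptions for this example.
import unicodedata

RESERVED = {"admin", "root"}          # assumed: may not log in from the web
ALLOWED = frozenset("abcdefghijklmnopqrstuvwxyz0123456789._-")


def normalize_username(raw):
    """Return the canonical form of raw, or raise ValueError when it cannot
    be expressed in the allowed alphabet (fail closed rather than guess)."""
    # Compatibility normalization: fullwidth letters, ligatures and
    # non-breaking spaces collapse to their base characters
    name = unicodedata.normalize("NFKC", raw)
    # Drop invisible format characters (zero-width space, joiners, BOM)
    name = "".join(ch for ch in name if unicodedata.category(ch) != "Cf")
    # Unicode case folding is stronger than lower(): 'ß' folds to 'ss'
    name = name.casefold().strip()
    # Allowlist instead of a homoglyph table: Cyrillic 'а' is rejected
    # outright instead of being mapped, and so is anything not anticipated
    if not name or any(ch not in ALLOWED for ch in name):
        raise ValueError("username has characters outside the allowed set")
    return name


def same_identity(a, b):
    """True when two raw usernames canonicalize to the same account name.

    Use the same function at registration and at login, otherwise a second
    account can be registered under an alternate spelling of an existing one.
    """
    try:
        return normalize_username(a) == normalize_username(b)
    except ValueError:
        return False


def web_login_allowed(raw):
    """Apply the 'no admin from the web' rule to the canonical name."""
    try:
        name = normalize_username(raw)
    except ValueError:
        return False
    return name not in RESERVED


if __name__ == "__main__":
    # Constructed probes: plain, trailing space, fullwidth a, zero-width
    # space, Cyrillic a, and an ordinary user
    for probe in ["Admin", "admin ", "\uff41dmin", "ad\u200bmin",
                  "\u0430dmin", "alice"]:
        print(repr(probe), "->", web_login_allowed(probe))
```

Rejecting is the safer default: the allowlist makes the set of accepted names finite and describable, and anything that needs a homoglyph table to recognize was never a name the system meant to accept.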


Exploited in the Wild

ASP.NET Authentication Bypass (Microsoft, 2004)

CVE-2004-0847 documented a .NET framework vulnerability allowing authentication bypass for restricted .aspx files via backslash encoding. Attackers used URL-encoded backslashes to bypass path-based access controls.

URL Encoding Bypass (Web Applications, Historical)

CVE-2003-0317 documented URL access restrictions bypassed using URL encoding. Attackers encoded path characters to evade authentication checks that only looked for unencoded paths.

Unicode Normalization Attacks (Various Systems, Ongoing)

Systems that don't properly handle Unicode normalization have been exploited using homoglyph attacks where visually similar Unicode characters bypass text-based authentication checks.


Tools to Test/Exploit

  • Burp Suite — Web security testing tool with encoding/decoding capabilities for testing alternate name bypasses.

  • OWASP ZAP — Security scanner with fuzzing capabilities for testing path variations.

  • Confusables — Unicode confusables tool for identifying homoglyphs.


CVE Examples

  • CVE-2003-0317 — URL access restrictions bypassed using URL encoding.

  • CVE-2004-0847 — .NET framework vulnerability allowing authentication bypass for restricted .aspx files via backslash encoding.


References

  1. MITRE Corporation. "CWE-289: Authentication Bypass by Alternate Name." Common Weakness Enumeration. https://cwe.mitre.org/data/definitions/289.html

  2. OWASP Foundation. "Path Traversal." https://owasp.org/www-community/attacks/Path_Traversal

  3. OWASP Foundation. "Input Validation Cheat Sheet." https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html