How a Single Authorization Header Bypassed Authentication and Earned a $3,000 Bounty
Security researcher ALR discovered that a web application only checks for the presence of the Authorization header, allowing any request with "Authorization: Basic"—even without credentials—to access around 50 API endpoints, leading to a critical authentication bypass and a $3,000 bounty.
1. Discovery Process
During a penetration test, researcher ALR (@0xalr) enumerated subdomains of a target and noticed a subdomain that redirected immediately to a login page. Before the redirect completed, he inspected the page source and downloaded a JavaScript file that listed many API endpoints.
Using Burp Suite, he sent requests to each extracted endpoint. Every response was 401 Unauthorized, which suggested the authentication mechanism was working correctly.
2. Key Turning Point
Instead of brute‑forcing credentials, ALR returned to the JavaScript code to trace the authentication logic. He found the following snippet:
    // a1 holds the entered credentials; n1 is the outgoing request's header map
    a1 && n1.set(
      "Authorization",
      "Basic " +
        btoa(
          (a1.username || "") + ":" +
          (a1.password ? unescape(encodeURIComponent(a1.password)) : "")
        )
    );

This code builds an HTTP Basic Authorization header by Base64-encoding username:password and placing it in the Authorization request header.
3. Insight
After failing to locate any valid credentials, ALR hypothesised: "What if the backend only checks whether the Authorization header exists, without validating its contents?" He tested this by sending a request whose Authorization header carried the scheme but no credentials at all: "Authorization: Basic". The result was shocking: every API endpoint responded as if the request were authenticated.
4. Vulnerability Impact
From the JavaScript file ALR extracted nearly 50 API endpoints, all of which could be accessed simply by sending a bare "Authorization: Basic" header. The affected operations include:
Viewing, creating, modifying, and deleting customer data
Accessing internal system configuration
No valid username or password is required; the mere presence of the header is enough to bypass authentication. The issue was rated Critical, and ALR received a $3,000 bounty.
5. Root Cause Analysis
The fundamental flaw is that the server validates only the existence of the Authorization header and never decodes or checks the credentials inside it. Consequently, any request containing "Authorization: Basic" is mistakenly treated as authenticated, granting full access to protected resources. The fix is to treat a header that fails to parse into a username and password exactly like a missing header, and to verify the decoded credentials against the user store before honouring the request.
6. Takeaways
Never assume authentication is correctly implemented: a system that returns 401 can still be vulnerable if it only checks header presence.
JavaScript is a goldmine for information: front-end code often reveals API endpoints, authentication logic, and parameter formats.
Question every assumption: when credential gathering fails, revisit the underlying authentication mechanism.
In web security, the most dangerous bugs are often simple logic errors like "any header grants access" rather than complex zero‑day chains.