Tag

Authentication Bypass


Architect's Tech Stack
Jun 2, 2021 · Backend Development

Spring Boot %2e Path Normalization Trick and Authentication Bypass in Versions ≤2.3.0.RELEASE

The article explains how Spring Boot versions up to 2.3.0.RELEASE normalize request paths—including decoding %2e and handling directory traversal—which can be exploited to bypass authentication, and shows the code differences that cause this behavior in newer releases.

Authentication Bypass · Interceptor · Java
Architecture Digest
Jan 18, 2021 · Information Security

Authentication Bypass Vulnerability in Nacos 1.4.1 (User‑Agent and Server Identity)

The article analyzes a bypass flaw in Nacos 1.4.1 where the serverIdentity key‑value authentication can be evaded by crafting URLs with a trailing slash, allowing attackers to list, create, and log in as users despite the intended security checks.

Authentication Bypass · Nacos · Security Vulnerability
Java Architecture Diary
Jan 15, 2021 · Information Security

How to Exploit and Patch the Nacos Authentication Bypass Vulnerability (v1.2‑v1.4)

This article explains the Nacos authentication bypass vulnerability affecting versions 1.2‑1.4, how attackers can exploit whitelist headers to gain unauthorized access, the widespread exposure revealed by Zoomeye scans, and the official remediation steps including upgrading to v1.4.1 and disabling the UA whitelist.

Authentication Bypass · Nacos · Security Vulnerability