authmap

Point it at a login URL. It maps the entire auth flow — cookies, CSRF tokens, session handling, CORS, security headers — then checks for misconfigs.

One command. Zero dependencies. Built for bug bounty.

$ authmap https://demo.testfire.net/login.jsp

  target: https://demo.testfire.net/login.jsp

  tracing auth flow...
  [1] GET https://demo.testfire.net/login.jsp
  [2] OPTIONS https://demo.testfire.net/login.jsp (CORS check)
  done — 2 steps, 1 cookies

  running security checks...
  sending 8 requests... done
  testing 10 SQLi payloads on doLogin (uid/passw)... done
  testing 5 XSS canaries... done
  testing error disclosure... done

  ==================================================
    Auth: form-based (password field detected)
    CSRF: none detected
    Session cookie: JSESSIONID
    Cookies: 1

    ⚠ No CSRF protection detected
    ❌ Rate Limiting: No rate limiting after 8 requests
    ❌ SQL Injection (Auth Bypass): Possible auth bypass with:
       ' OR '1'='1' (redirect to main.jsp)
    ❌ Verbose Error Disclosure: Framework name leaked,
       Server version: Apache-Coyote/1.1
  ==================================================

What it does

Flow mapping (passive):

  • Follows the login page load → captures every cookie set, classifies each one (session, auth, csrf, tracking, cloudflare)
  • Extracts CSRF tokens from hidden form fields and meta tags
  • Maps form structure (fields, action URL, method)
  • Tests CORS configuration with a spoofed origin
  • Audits security headers (HSTS, CSP, X-Frame-Options, etc.)
  • Detects auth mechanism type (form-based, OAuth, SAML, JWT)
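The passive step above is a parsing problem: take the response to the login page load, pull the cookies apart, find the tokens and the form, and check which security headers are present. The following is an added example (not authmap's own code) of how that mapping can be done with the standard library alone, in keeping with the "zero dependencies" claim. The URL, headers and HTML it works on are constructed, and the function names (`map_cookies`, `map_login`, `audit_headers`) are this example's own, not the tool's API.

```python
"""Passive mapping of a captured login response with the standard library only (added example
for this README, not authmap's own code; the URL, headers and HTML below are constructed)."""
import json
from html.parser import HTMLParser
from http.cookies import SimpleCookie
from urllib.parse import urljoin

SAMPLE_URL = "https://login.example.test/login"
SAMPLE_HEADERS = [
    ("Set-Cookie", "JSESSIONID=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "_ga=GA1.2.1; Path=/; Secure"),
    ("Set-Cookie", "XSRF-TOKEN=tok9; Path=/; Secure; SameSite=Strict"),
    ("Strict-Transport-Security", "max-age=31536000"),
    ("X-Frame-Options", "DENY"),
]
SAMPLE_HTML = """<html><head><meta name="csrf-token" content="meta-tok-1"></head>
<body><form action="/doLogin" method="post">
<input type="hidden" name="_csrf" value="hidden-tok-2">
<input type="text" name="uid">
<input type="password" name="passw" autocomplete="off">
</form></body></html>"""

# Name fragments per cookie class, checked in order so "XSRF-TOKEN" is csrf, not auth ("token").
COOKIE_CLASSES = (
    ("csrf", ("csrf", "xsrf")),
    ("session", ("jsessionid", "phpsessid", "sessionid", "sess", "sid")),
    ("auth", ("auth", "token", "jwt", "remember")),
    ("tracking", ("_ga", "_gid", "_fbp")),
    ("cloudflare", ("__cf", "cf_")),
)
SECURITY_HEADERS = ("Strict-Transport-Security", "Content-Security-Policy",
                    "X-Frame-Options", "X-Content-Type-Options", "Referrer-Policy")

def classify_cookie(name):
    lname = name.lower()
    for cls, needles in COOKIE_CLASSES:
        if any(n in lname for n in needles):
            return cls
    return "other"

def map_cookies(headers):
    """Parse every Set-Cookie header; record class and the flags that matter for hijacking."""
    out = []
    for hname, value in headers:
        if hname.lower() != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value)
        for cname, m in jar.items():
            out.append({"name": cname, "class": classify_cookie(cname), "secure": bool(m["secure"]),
                        "httponly": bool(m["httponly"]), "samesite": m["samesite"] or None})
    return out

class _LoginPageParser(HTMLParser):
    """Collects the first form, its fields, hidden CSRF tokens and csrf meta tags."""
    def __init__(self):
        super().__init__()
        self.form, self.fields = None, []
        self.meta_tokens, self.hidden_tokens = {}, {}
        self.password_autocomplete = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and "csrf" in (a.get("name") or "").lower():
            self.meta_tokens[a["name"]] = a.get("content")
        elif tag == "form" and self.form is None:
            self.form = {"action": a.get("action"), "method": (a.get("method") or "get").upper()}
        elif tag == "input":
            itype, name = (a.get("type") or "text").lower(), a.get("name")
            self.fields.append({"name": name, "type": itype})
            if itype == "hidden" and name and any(k in name.lower() for k in ("csrf", "xsrf", "token")):
                self.hidden_tokens[name] = a.get("value")
            if itype == "password":
                self.password_autocomplete = (a.get("autocomplete") or "on").lower()

def audit_headers(headers):
    """Value of each expected security header, or None when the server omits it."""
    present = {n.lower(): v for n, v in headers}
    return {h: present.get(h.lower()) for h in SECURITY_HEADERS}

def map_login(url, headers, html):
    """Assemble the passive flow map the README's 'flow mapping' list describes."""
    p = _LoginPageParser()
    p.feed(html)
    form = dict(p.form, action=urljoin(url, p.form["action"] or url)) if p.form else None
    return {
        "auth": "form-based" if any(f["type"] == "password" for f in p.fields) else "unknown",
        "form": form,
        "fields": p.fields,
        "csrf_tokens": {"hidden": p.hidden_tokens, "meta": p.meta_tokens},
        "cookies": map_cookies(headers),
        "headers": audit_headers(headers),
        "password_autocomplete": p.password_autocomplete,
    }

if __name__ == "__main__":
    print(json.dumps(map_login(SAMPLE_URL, SAMPLE_HEADERS, SAMPLE_HTML), indent=2))
```

Two details worth noting: `SimpleCookie` exposes the `Secure`, `HttpOnly` and `SameSite` attributes directly, so the cookie-flag findings in the "What this catches" list fall out of the same parse; and the cookie classes are matched in a fixed order, because a token cookie named `XSRF-TOKEN` would otherwise be mislabelled as an auth cookie by the `token` fragment.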

Security checks (active):

  • SQL injection auth bypass — tests 10 common SQLi payloads against the login form, detects bypass via redirect/content changes and catches leaked SQL errors
  • XSS reflection — sends canary strings through login fields, detects unescaped reflection (HTML break, script injection, template injection)
  • Rate limiting — sends rapid requests to test if the endpoint throttles login attempts
  • Error message disclosure — checks if different usernames produce different error messages (username enumeration)
  • Verbose error disclosure — sends malformed requests to trigger stack traces, framework names, server versions
  • HTTP methods — tests which methods the auth endpoint accepts (unexpected PUT/DELETE = misconfigured)
  • Password field autocomplete — checks if autocomplete is disabled
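The active checks above all reduce to the same question: given the responses that came back, which signals count as a finding? The following added example (not authmap's own code) shows the decision logic for the rate-limiting, username-enumeration, verbose-error and HTTP-method checks, plus the spoofed-origin CORS judgement from the flow-mapping list, run over constructed sample responses. It only evaluates responses that have already been collected, so it is equally usable by a defender checking their own login endpoint. All sample data and function names (`assess_rate_limiting`, `assess_enumeration`, `assess_disclosure`, `assess_methods`, `classify_cors`) are this example's own.

```python
"""Evaluating responses collected by the active checks, standard library only (added example
for this README, not authmap's own code; every response below is constructed)."""
import re

# Constructed: what a login endpoint answered during a burst of identical requests.
UNTHROTTLED = [{"status": 200, "headers": {}, "elapsed": 0.12} for _ in range(8)]
THROTTLED = [{"status": 200, "headers": {}, "elapsed": 0.10} for _ in range(5)] + \
            [{"status": 429, "headers": {"Retry-After": "30"}, "elapsed": 0.10} for _ in range(3)]
# Constructed: error pages for a known and an unknown username, and a uniform message.
KNOWN_USER = {"status": 200, "body": "<p>Invalid password for user jsmith (attempt 3)</p>"}
UNKNOWN_USER = {"status": 200, "body": "<p>User does not exist</p>"}
UNIFORM = {"status": 200, "body": "<p>Invalid username or password</p>"}
# Constructed: a malformed-request response that leaks framework, server version and a stack trace.
VERBOSE = {"status": 500, "headers": {"Server": "Apache-Coyote/1.1"},
           "body": "HTTP Status 500 - org.apache.struts.ActionServlet\n"
                   "\tat com.example.login.DoLogin.execute(DoLogin.java:42)"}

def assess_rate_limiting(samples):
    """Throttling shows as 429/503, a Retry-After header, or a sharp latency rise (tarpit)."""
    for i, s in enumerate(samples, 1):
        if s["status"] in (429, 503) or "retry-after" in {k.lower() for k in s["headers"]}:
            return {"limited": True, "after": i, "signal": "HTTP %d" % s["status"]}
    base = samples[0]["elapsed"]
    for i, s in enumerate(samples[1:], 2):
        if base > 0 and s["elapsed"] > 5 * base:
            return {"limited": True, "after": i, "signal": "latency spike"}
    return {"limited": False, "after": len(samples), "signal": None}

def normalize_error(body):
    """Strip tags and collapse numbers/whitespace so only differences in wording survive."""
    text = re.sub(r"<[^>]+>", " ", body)
    text = re.sub(r"\d+", "#", text)
    return " ".join(text.lower().split())

def assess_enumeration(known, unknown):
    """A valid and an invalid username must produce the same status and the same message."""
    diffs = []
    if known["status"] != unknown["status"]:
        diffs.append("status")
    if normalize_error(known["body"]) != normalize_error(unknown["body"]):
        diffs.append("message")
    return {"enumerable": bool(diffs), "differences": diffs}

DISCLOSURE_PATTERNS = {
    "stack trace": re.compile(r"\bat [\w$.]+\([\w.]+:\d+\)|Traceback \(most recent call last\)"),
    "framework": re.compile(r"\b(Django|Flask|Laravel|Spring|Struts|Express|ASP\.NET|Rails)\b", re.I),
    "server version": re.compile(r"\b(Apache(?:-Coyote)?|nginx|IIS|Tomcat|Jetty)/[\d.]+"),
    "sql error": re.compile(r"SQL syntax|ORA-\d{5}|SQLSTATE|ODBC|PG::|SQLException", re.I),
}

def assess_disclosure(resp):
    """Search body and headers for the leak classes the README lists; return what matched."""
    haystack = resp["body"] + "\n" + "\n".join("%s: %s" % kv for kv in resp["headers"].items())
    found = {}
    for label, pat in DISCLOSURE_PATTERNS.items():
        m = pat.search(haystack)
        if m:
            found[label] = m.group(0)
    return found

def assess_methods(allow_header, expected=("GET", "POST", "HEAD", "OPTIONS")):
    """Methods an auth endpoint advertises (Allow header) beyond what a login form needs."""
    methods = {m.strip().upper() for m in allow_header.split(",") if m.strip()}
    return sorted(methods - set(expected))

def classify_cors(spoofed_origin, headers):
    """Judge the answer to a spoofed Origin; echoing it back with credentials is the token-theft case."""
    h = {k.lower(): v for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = (h.get("access-control-allow-credentials") or "").lower() == "true"
    if acao is None:
        return "no-cors"
    if acao == "*":
        return "wildcard"  # browsers refuse credentials with '*', so cookies cannot ride along
    if acao == spoofed_origin:
        return "reflects-origin-with-credentials" if creds else "reflects-origin"
    return "allowlisted"

if __name__ == "__main__":
    print(assess_rate_limiting(THROTTLED), assess_rate_limiting(UNTHROTTLED))
    print(assess_enumeration(KNOWN_USER, UNKNOWN_USER), assess_enumeration(UNIFORM, UNIFORM))
    print(assess_disclosure(VERBOSE))
    print(assess_methods("GET, POST, PUT, DELETE"))
    print(classify_cors("https://other.example", {"Access-Control-Allow-Origin": "https://other.example",
                                                  "Access-Control-Allow-Credentials": "true"}))
```

The enumeration check normalises both error bodies before comparing them, so an attempt counter or request id in the message does not produce a false positive; only a difference in wording or status code counts. The rate-limit check also looks for a latency jump, since some endpoints slow down rather than reject repeated attempts.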

Install

pip install git+https://github.com/notchaosuu/authmap.git

or:

git clone https://github.com/notchaosuu/authmap.git
cd authmap
pip install -e .

Zero dependencies. Python 3.9+.

Usage

Full analysis (flow + security checks)

authmap https://target.com/login

Flow mapping only (no active checks)

authmap https://target.com/login --no-checks

Increase rate limit test intensity

authmap https://target.com/api/auth --rate-limit-count 20

Custom output directory

authmap https://target.com/login -o ./results

Custom User-Agent

authmap https://target.com/login --user-agent "MyApp/1.0"

Output

Results go to ./authmap_output/:

File                Contents
domain_auth.md      Full markdown report with tables, findings, and recommendations
domain_auth.json    Structured data for piping into other tools or scripts

What this catches

Things authmap has found in the wild:

  • SQL injection auth bypass — login bypassed with ' OR '1'='1' -- (critical)
  • XSS via login form — input reflected unescaped in error pages
  • No rate limiting on login — credential stuffing wide open
  • CORS reflects arbitrary origin — can steal tokens cross-origin
  • Session cookies without Secure/HttpOnly flags — session hijacking via XSS or MITM
  • Different error messages per username — account enumeration
  • Missing CSRF protection — login CSRF attacks
  • Missing security headers — clickjacking, XSS, MIME sniffing
  • Verbose error disclosure — stack traces, framework names, server versions leaked
  • Unexpected HTTP methods accepted — PUT/DELETE on auth endpoint

For bug bounty

The markdown report is formatted for direct inclusion in HackerOne/Bugcrowd reports. Each finding includes the evidence (headers, cookies, response details) you need to prove the issue.

The JSON output pipes into custom scripts if you want to build automation on top of it:

# check if a target has rate limiting
# run the scan first, then read the JSON it wrote (python opens the file, not stdin,
# so chaining with && rather than a pipe avoids reading it before it exists)
authmap https://target.com/login --json-only 2>/dev/null && \
  python -c "import json; d=json.load(open('authmap_output/target.com_auth.json')); \
  [print(c['name'],c['status']) for c in d['checks']]"

Responsible use

This tool sends a small number of requests to test for common misconfigurations. It does not attempt to break authentication or access accounts. Always ensure you have authorization before testing any target.

License

MIT

Author

Chaosuu: Telegram · HackerOne · GitHub
