Speaker:: Brendan Dolan-Gavitt & Vincent Olesen
Title:: Agents Exploiting "Auth-by-One" Errors
Duration:: 18 min
Video:: https://www.youtube.com/watch?v=996zolUsXog

## Key Thesis

Authorization and authentication vulnerabilities are classically hard to automate because verification is ambiguous, but a technique called "auth transmogrification" (using an agent to translate requests between privilege contexts), combined with differential response validation, allows agentic systems to reliably discover and verify authorization bypasses without requiring pre-planted CTF flags or manual setup.

## Synopsis

Dolan-Gavitt (AI researcher at Expo, formerly an NYU professor) and Olesen present their work on automated discovery of auth/authz bugs. They open by cataloging the diversity of auth mechanisms: HTTP Basic, OAuth 2.0, signed URLs, JWTs, OIDC, OAuth 1.0, Kerberos, magic links, session cookies, TOTP, LDAP, and most commonly "custom auth", where developers rolled their own. With this diversity there is no viable classical validator.

Their approach starts with an agent that has a browser and credentials. It logs in, then must pass two validators: (1) is it actually logged in? and (2) has it reverse-engineered the auth mechanism well enough to translate browser state into raw API requests? These validators were hard to get right: the demos showed cases where an apparently "logged in" UI state was actually unauthenticated, and where a single API request in isolation gives no signal about whether authentication succeeded. They found the key is identifying places in the app with a clear contrast between logged-in and logged-out states.

**Authentication bypass detection**: With robust login validators in place, bypass detection is simple: remove the password and try to log in. If the validators confirm success, that is an auth bypass.
They demonstrate with a Horizon 3 bug where a hardcoded default JWT secret was in the source code: the agent reads the source, forges a session token using the hardcoded key, loads it into the browser, and the validator confirms admin access. MFA bypass uses the same approach: strip the second factor and let the validators determine whether login succeeds.

**Authorization bypass via auth transmogrification**: The harder and more interesting problem is authorization, not authentication. An admin browsing an app makes a request with an admin bearer token. The agent needs to replay that exact request from a low-privilege context, but a low-privilege user might never organically visit the admin interface to generate that request. "Auth transmogrification" is an agent-written script that takes a browser state (admin) and a URL and produces the equivalent correctly authenticated request for a different auth context (a low-privilege user). This script is auto-generated once and reused across all endpoints.

With this script, the system can compare responses in the admin context against the low-privilege context. If the responses are identical, the endpoint is probably public (no authorization check); that case is excluded from scope because it requires judgment. If the responses differ, that is a concrete goal for an attack agent: produce the admin-context response using only the low-privilege context. The validator knows what the admin response looks like (the "answer key") and can automatically verify success. This covers JWT forging, BOLA/IDOR at the authorization level, session expiration bugs, hardcoded tokens, and parameter bypass tricks (e.g., appending `?admin=1`).

**Practical result on Redmine**: In a test instance, the agent was given endpoints showing differential responses between admin and low-privilege users.
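The differential comparison and answer-key validation described above, as an added example that is not code from the talk: `fake_app` is a constructed in-memory stand-in for the target, `transmogrify` is a hypothetical stand-in for the agent-generated script, and `normalize` strips volatile fields so that only privilege-dependent content is compared.

```python
import json

# Constructed stand-in for the target app, not a real service: tokens map to
# roles, /projects shows one project to a user and two to an admin (the Redmine
# case), /about is public, and every body carries a volatile request_id.
TOKENS = {"tok-admin": "admin", "tok-user": "user"}
PROJECTS = {"admin": ["public-wiki", "internal-roadmap"], "user": ["public-wiki"]}
VOLATILE = ("request_id", "timestamp", "csrf_token")  # fields to ignore when comparing
_counter = [0]

def fake_app(request: dict) -> tuple:
    _counter[0] += 1
    auth = request["headers"].get("Authorization", "")
    role = TOKENS.get(auth[7:]) if auth.startswith("Bearer ") else None
    body = {"request_id": _counter[0]}
    if request["url"] == "/about":
        body["about"] = "demo"
    elif request["url"] == "/projects":
        if role is None:
            return 401, json.dumps({"error": "login required"})
        body["projects"] = PROJECTS[role]
    else:
        return 404, json.dumps({"error": "not found"})
    return 200, json.dumps(body)

def transmogrify(browser_state: dict, url: str) -> dict:
    """Hypothetical stand-in for the agent-generated script: turn a browser
    session (here reduced to its token) into a raw API request for that context."""
    return {"url": url, "headers": {"Authorization": "Bearer " + browser_state["token"]}}

def normalize(status: int, body: str) -> tuple:
    """Drop volatile fields so only stable, privilege-dependent content is compared."""
    data = json.loads(body)
    for key in VOLATILE:
        data.pop(key, None)
    return status, json.dumps(data, sort_keys=True)

def classify(url: str, admin_state: dict, user_state: dict) -> str:
    """'public': identical responses, out of scope. 'differential': a target with
    an answer key. 'admin-error': no admin response to validate against."""
    admin = normalize(*fake_app(transmogrify(admin_state, url)))
    user = normalize(*fake_app(transmogrify(user_state, url)))
    if admin[0] != 200:
        return "admin-error"
    return "public" if admin == user else "differential"

def validate(url: str, admin_state: dict, candidate: tuple) -> bool:
    """Oracle: a response obtained from the low-privilege context is a confirmed
    bypass only if it reproduces the admin answer key after normalization."""
    return normalize(*candidate) == normalize(*fake_app(transmogrify(admin_state, url)))
```

In a real harness the URL list would come from recorded browser requests rather than a fixed set, and the candidate passed to `validate` must have been produced strictly from the low-privilege context for a match to mean anything.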
For a `/projects` endpoint showing one project as low-privilege and two as admin, the agent examined source code, found the `admin_projects=1` parameter bypass in five iterations, exploited it, and the validator confirmed success by comparing the project lists. The auth transmogrification script, auto-generated once, provided the test harness; built-in validation came from recording browser JavaScript requests as a test suite.

Side mention of an unfixed vulnerability: translating a URL word from English to French in a CRM bypasses authorization and accesses any document. Details withheld pending a fix (requires buying them a beer).

**Limitations**: Classical IDORs (e.g., accessing cart ID 5 vs. 7 as different users) do not show differential responses in their model and require judgment calls about whether responses should be public, so they are out of scope for this technique. The approach is heavily dependent on the quality of the transmogrification script.

## Key Takeaways

- "Auth transmogrification" — an agent-generated script mapping browser state between privilege levels — is the key primitive enabling automated authz bypass testing
- Differential response comparison between privilege contexts provides a verifiable, oracle-free ground truth for authorization vulnerabilities
- Robust login validators (is it logged in? can it make the right API calls?)
were hard to build but unlock significant offensive capability once working
- False-positive-free exploitation: the validator holds the admin response as an answer key; the attack agent must produce it from the low-privilege context
- Works across: JWT forging, hardcoded secrets, session expiration, parameter bypasses, broken object-level authorization
- Classical IDORs and public endpoints requiring judgment calls are explicitly out of scope for this technique

## Notable Quotes / Data Points

- Auth transmogrification script written by an agent; inputs are browser state + URL; output is a correctly authenticated request for the alternate privilege context
- Redmine vulnerability found in 5 agent iterations
- Test suite for the transmogrification script is auto-generated by recording browser JavaScript requests during exploration
- Unfixed CRM bug: translating a URL word to French bypasses authorization — "bureau day vulnerability program: buy us a beer for details"
- "Custom auth" is probably the most common auth mechanism in the world — developer writes their own, ships it
- "We go from evil to diabolical", describing the jump from auth bypass to authz bypass

#unprompted #claude