Recently bypassed an auth with a simple trick:
1. GET site.bruh/private => 405
(the homepage was just showing "Working"; opened the page source, found a JS file, and grepped all the endpoints out of that JS file with linkfinder)
2. POST site.bruh/private => 500 error: "Expected JSON body"
3. POST site.bruh/private
{} => 500 error: missing auth_key
4. POST site.bruh/private
{"auth_key":"123"} => 403
After many trials and errors (passing random values, special characters, adding the commonly used tricks to bypass 403, like headers etc.), nothing worked.
I was about to give up, but then I remembered a technique I had used in a CTF a few months ago:
POST site.bruh/private
{"auth_key":true}
200 OK
And I was able to see the content of that private file, and could access almost every endpoint mentioned in that JS file. (Yeah, did fuzzing too :)))