Auth Bypass in Sails

Auth bypass in Sails applications typically exploits the framework's flexible authentication middleware and policy system. The most common patterns involve bypassing Sails policies, exploiting weak session management, or manipulating request objects before authentication checks occur.

One prevalent attack vector targets Sails's policy configuration. Developers often misconfigure policies in config/policies.js, accidentally allowing public access to sensitive controllers or actions. For example, a policy that should protect all admin routes might be incorrectly applied at the controller level instead of the action level, leaving specific admin actions exposed.

// Vulnerable policy configuration
module.exports.policies = {
  AdminController: {
    '*': true,           // Accidentally allows all actions
    'deleteUser': 'isAuthenticated'
  }
}

Another common Sails-specific bypass involves manipulating the request object before authentication middleware executes. Since Sails uses Express under the hood, attackers can craft requests that exploit timing issues or middleware ordering. For instance, if authentication middleware isn't properly registered as global middleware, attackers can send requests that bypass authentication entirely.

Session fixation attacks are particularly effective against Sails applications. The framework's default session configuration may not regenerate session IDs after login, allowing attackers to fixate sessions and maintain unauthorized access. Additionally, Sails's default use of skipper for body parsing can be exploited if content-type headers are manipulated to bypass authentication checks.

Parameter pollution attacks also work well against Sails's flexible routing. By sending multiple values for authentication parameters (like ?id=1&id=2), attackers can sometimes confuse the request handling logic and bypass authorization checks that rely on parameter values.

Detecting auth bypass vulnerabilities in Sails requires examining both configuration and runtime behavior. Start by auditing your config/policies.js file for overly permissive configurations. Look for policies that allow true or '*' access to sensitive controllers, or policies that are missing entirely for admin-level functionality.

Runtime detection involves monitoring authentication middleware execution order. In Sails, middleware is configured in config/http.js. Verify that authentication middleware runs before any route handling that requires authorization. The correct order should be: session middleware → authentication middleware → route handlers.

// Correct middleware order in config/http.js
module.exports.http = {
  middleware: {
}

middleBrick's black-box scanning approach is particularly effective for detecting Sails auth bypass vulnerabilities. The scanner tests unauthenticated endpoints against known bypass patterns without requiring access credentials. It examines how Sails handles authentication headers, session cookies, and parameter manipulation.

For Sails applications, middleBrick specifically checks for:

• Policy bypass attempts through malformed requests
• Session fixation vulnerabilities by testing session ID handling
• Parameter pollution attacks on authentication endpoints
• Middleware ordering issues by testing request timing
• Default configuration vulnerabilities in Sails's built-in authentication

The scanner's 12 parallel security checks include authentication-specific tests that probe Sails's policy system and middleware stack. Since middleBrick requires no credentials or agents, you can scan your staging environment to catch auth bypass vulnerabilities before production deployment.

Remediating auth bypass vulnerabilities in Sails requires a defense-in-depth approach. Start with proper policy configuration in config/policies.js. Always use the most restrictive policies possible and explicitly deny access to sensitive actions.

// Secure policy configuration
module.exports.policies = {
  '*': 'isAuthenticated',           // Require auth for all controllers
    '*': 'isAdmin',                // Only admins for admin controller
}

Implement proper session management by configuring Sails to regenerate session IDs after authentication. In config/session.js, set appropriate session security options:

module.exports.session = {
  secret: process.env.SESSION_SECRET,
  key: 'sails.sid',
  cookie: {
}

Use Sails's built-in middleware system correctly by ensuring authentication middleware executes before any route handling. Create a dedicated authentication policy that validates all authentication requirements:

// api/policies/authenticated.js
module.exports = function (req, res, next) {
  if (req.isAuthenticated()) {
}

For parameter validation, use Sails's validation system to prevent parameter pollution attacks. Define strict parameter schemas in your models:

// api/models/User.js
module.exports = {
  attributes: {
}

Implement rate limiting at the Sails application level to prevent brute-force authentication bypass attempts. Use Sails's built-in rate limiting or integrate with Express middleware:

// config/http.js
module.exports.http = {
  middleware: {
}

Finally, integrate continuous security scanning into your Sails development workflow. The middleBrick GitHub Action can automatically scan your Sails API endpoints in CI/CD pipelines, failing builds if auth bypass vulnerabilities are detected. This ensures auth bypass issues are caught before deployment.