online / endpoints 59 / categories 14 / rate 60/min/ip /

Authentication

401 challenges with configurable WWW-Authenticate schemes.

GET /auth

Returns 401 with WWW-Authenticate challenges that contradict each other, omit required attributes, violate quoting rules, or use undefined schemes. Tests how auth clients cope when the challenge itself is broken.

mode multiple-challenges (default; Basic + Bearer + Digest with three different realms), malformed-digest (Digest scheme with no nonce/qop/opaque), unquoted-realm (realm value not quoted, RFC 9110 violation), nonexistent-scheme (challenge uses an undefined auth scheme).


GET /auth-required

Returns 401 with a WWW-Authenticate challenge when no Authorization header is present. If any Authorization header is sent — regardless of its value — returns 200. This lets clients exercise the full challenge-response cycle without needing real credentials.

scheme Challenge scheme: basic, bearer, digest, or none. Default: basic. The none value returns 401 with no WWW-Authenticate header, which is a real-world bug in some servers.
realm Realm value for the challenge. Sanitized to [a-zA-Z0-9._- ] and capped at 64 chars. Default: catastrophic.io.


GET /jwt

Returns 200 with a JWT the server claims to have accepted, demonstrating broken token-validation logic. The chaos here is on the server side: it accepts tokens that should be rejected. By default it accepts alg:none tokens with no signature.

mode Which validation flaw to demonstrate. One of: alg-none-accepted (default; accepts a token with alg:none and no signature), alg-confusion (accepts HS256 when RS256 expected; public key used as HMAC secret), kid-path-traversal (kid contains ../../../etc/passwd; key loaded without sanitizing the path), exp-vs-nbf-edge (nbf is 5 minutes after exp; impossible validity window accepted because nbf check skipped).
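As an added example (not part of the catastrophic.io service or of this page), a client-side verifier that rejects each of the four flaws listed above. The key store, the secret, the kid values and the timestamps are constructed for the demo, and the accepted algorithm is pinned to HS256; pinning is the defence whichever algorithm an issuer actually uses.

```python
import base64, hashlib, hmac, json
from typing import Optional
# Constructed demo key store: kid -> HMAC secret. Keys come from this dict,
# never from a filesystem path built out of the kid value.
KEYS = {"k1": b"constructed-demo-secret"}
EXPECTED_ALG = "HS256"  # pinned by the verifier, never taken from the token

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_token(header: dict, payload: dict, secret: Optional[bytes]) -> str:
    """Build a test token; secret=None gives an unsigned alg:none-style token."""
    signing_input = (_b64url_encode(json.dumps(header).encode()) + "."
                     + _b64url_encode(json.dumps(payload).encode()))
    sig = "" if secret is None else _b64url_encode(
        hmac.new(secret, signing_input.encode(), hashlib.sha256).digest())
    return signing_input + "." + sig

def validate(token: str, now: int) -> str:
    """Return 'ok' or the rejection reason; one check per /jwt flaw mode."""
    parts = token.split(".")
    if len(parts) != 3:
        return "malformed"
    try:
        raw = [_b64url_decode(p) for p in parts]
        header, payload = json.loads(raw[0]), json.loads(raw[1])
    except (ValueError, UnicodeDecodeError):
        return "malformed"
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return "malformed"
    # alg-none-accepted and alg-confusion: anything but the pinned alg fails
    if header.get("alg") != EXPECTED_ALG:
        return "alg-rejected"
    # kid-path-traversal: kid is only ever a dictionary key, never a path
    kid = header.get("kid")
    if not isinstance(kid, str) or kid not in KEYS:
        return "unknown-kid"
    expected = hmac.new(KEYS[kid], f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, raw[2]):
        return "bad-signature"
    # exp-vs-nbf-edge: check both bounds and reject a window where nbf > exp
    exp, nbf = payload.get("exp"), payload.get("nbf", 0)
    if not isinstance(exp, int) or not isinstance(nbf, int) or nbf > exp:
        return "invalid-window"
    if now < nbf or now >= exp:
        return "expired-or-not-yet-valid"
    return "ok"
```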


The /auth-required endpoint tests how clients handle 401 challenges and whether they retry with credentials. It accepts any value in the Authorization header on retry — the goal is to verify the round-trip, not to validate credentials.

The scheme=none mode is worth highlighting: it returns 401 but omits the WWW-Authenticate header entirely, which is invalid per RFC 7235 but happens in the wild. Well-behaved clients should still report the 401 clearly rather than treating it as a generic failure.