During a routine bug bounty reconnaissance session, I came across an exposed pre-production application that led to one of my most impactful findings: a complete SAML authentication bypass affecting a major automotive company, including their OTA vehicle software update infrastructure.

Recon — how I found it:

During subdomain enumeration, while using the EyeWitness tool to review screenshots of the discovered subdomains, one subdomain caught my eye: prestage.***.TARGET.com

Navigating to the subdomain revealed a publicly accessible SAML testing tool with:

  • No authentication required
  • Pre-filled form fields containing real employee data, including PII
  • Internal Windows server paths exposed at the top of the page revealing the application's directory structure

Authentication bypass:

Using the original pre-filled values with the staging environment selected:

Request:

POST /sso/login
Host: [TARGET]

SAMLResponse=[forged assertion]

Response:

HTTP/2 301 Moved Permanently
Location: /Dealer/Index

Following the redirect took me to the full dealer portal dashboard, from which I could download all of the OTA files.

Impact of finding:

1. COMPLETE AUTHENTICATION BYPASS Any unauthenticated attacker can gain full access to the dealer portal network

2. SAML SIGNATURE VALIDATION ABSENT Forged assertions accepted without any cryptographic verification

3. OTA VEHICLE UPDATE SYSTEM ACCESS The portal manages Over The Air software updates for vehicles across dealerships, including:
  • Vehicle software downloads by year/model
  • Update report uploads affecting warranty claims

4. ANY DEALER IDENTITY CAN BE IMPERSONATED Attacker controls all SAML attributes including dealer number, name, and employee identity

5. PRODUCTION ENVIRONMENTS AT RISK The same vulnerability path is available against production environments, as confirmed by the environment dropdown

6. SENSITIVE INFORMATION DISCLOSURE
  • Real employee PII publicly exposed
  • Internal server paths disclosed
  • Full environment architecture revealed
  • Internal monitoring infrastructure exposed
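As an added example (not code from the original writeup or the affected portal), this is the check the portal was missing: a Python pre-check for a POSTed SAMLResponse that rejects an assertion carrying no ds:Signature before anything else, then enforces issuer, audience and expiry. The IdP and portal URLs, the dealer NameID and the verify_signature hook are constructed placeholders and assumptions, not values from the target.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def validate_saml_response(b64, expected_audience, trusted_issuers, verify_signature, now=None):
    """Return (accepted, reason) for a POSTed SAMLResponse. Rejects what the vulnerable portal
    accepted: an assertion with no ds:Signature or failing issuer/audience/expiry checks.
    verify_signature(assertion) is a hypothetical injected XML-DSig verifier (e.g. xmlsec)."""
    now = now or datetime.now(timezone.utc)
    try:
        root = ET.fromstring(base64.b64decode(b64, validate=True))
    except (ValueError, ET.ParseError) as exc:
        return False, f"malformed SAMLResponse: {exc}"
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, "no plaintext Assertion element"
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer not in trusted_issuers:
        return False, f"untrusted issuer {issuer!r}"
    # The signature must cover the Assertion itself: a signature only on the outer Response
    # would let a forged assertion ride inside a legitimately signed envelope.
    if assertion.find("ds:Signature", NS) is None:
        return False, "assertion is unsigned"
    if not verify_signature(assertion):
        return False, "assertion signature failed verification"
    cond = assertion.find("saml:Conditions", NS)
    expiry = cond.get("NotOnOrAfter") if cond is not None else None
    if expiry is None or now >= datetime.strptime(expiry, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc):
        return False, "assertion expired or carries no NotOnOrAfter"
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        return False, f"audience {audiences} does not include {expected_audience!r}"
    return True, f"accepted {assertion.findtext('saml:Subject/saml:NameID', '', NS)!r}"

def sample_response(signature_xml):
    """Constructed sample SAMLResponse (not captured traffic); signature_xml is spliced in."""
    xml = (b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           b'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>'
           b'<saml:Issuer>https://idp.example.com/sso</saml:Issuer>' + signature_xml +
           b'<saml:Subject><saml:NameID>dealer-0001</saml:NameID></saml:Subject>'
           b'<saml:Conditions NotOnOrAfter="2099-01-01T00:00:00Z"><saml:AudienceRestriction>'
           b'<saml:Audience>https://portal.example.com/sso/login</saml:Audience>'
           b'</saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>')
    return base64.b64encode(xml).decode()
FORGED = sample_response(b"")  # what the portal accepted: no ds:Signature at all
SIGNED_SHAPE = sample_response(b'<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>')
```

FORGED is rejected as unsigned without ever consulting the verifier; SIGNED_SHAPE passes the structural checks and is then accepted or rejected solely on what the injected verifier returns.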

CVSS Scoring:

Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
Score: 9.3 (Critical)

Conclusion:

This finding demonstrates how a single exposed internal testing tool can lead to a complete authentication bypass of critical infrastructure. The combination of:
  • No access controls on the testing tool
  • SAML signature validation absent
  • Real credentials pre-filled
  • Production environments exposed

H1 triaged and resolved the bug.