AuthSpark DATASET

Authentication Bypass Security Research Dataset

This repository contains the dataset used in the paper "Through the Authentication Maze: Detecting Authentication Bypass Vulnerabilities in Firmware Binaries".

We are delighted to announce that our paper has been accepted to NDSS 2026! 🎉

Overview

This comprehensive dataset for IoT device authentication bypass vulnerability research includes:

• AuthSpark's Output: Authentication code analysis results (Credential Validation Code and Authentication-success Basic Block)
• Firmware files: Device firmware for analysis
• AuthSpark's Input: HTTP request seeds
• AuthSpark's Output: Fuzzing crash examples from multiple vendor devices (1-day)

Project Structure

AuthSpark_DATA/
├── auth_code_results/          # Authentication code analysis results
├── auth_bypass_1day_fuzz_crashes_example/  # Fuzzing crash examples
├── firmwares/                  # Firmware files
└── http_seeds/                 # HTTP request seed data

Test Device List

Vendor	Model	Arch	Trace Collection Method	Dataset	Device Type	WEB Type	CVS Type	CVS Count	Firmware	CVE	1-day	0-day
DLink	DCS-930L	MIPSEL	GDB	dataset-2	IPCamera	alphapd	User	1	DCS-930L_FIRMWARE_1.08_B4.ZIP	-	0	0
DLink	DIR-300	MIPSEL	GDB	dataset-2	Router	cgibin	User,Token	2	DIR-300_fw_revb_214b01_ALL_20130206.zip	-	0	0
DLink	DIR-505L	MIPSEB	GDB	dataset-2	Router	lighttpd	User	1	DIR-505L_REVA_FIRMWARE_1.03.B07.ZIP	-	0	0
DLink	DIR-665	ARMEL	QEMU	dataset-1	Router	httpd	User,Token	2	DIR-665_FIRMWARE_1.00.ZIP	-	0	1
DLink	DIR-882	MIPSEL	GDB	dataset-2	Router	goahead	User,Token	2	DIR882A1_FW110B02.zip	CVE-2020-8863, CVE-2020-8864, CVE-2020-15633	3	0
TPLINK	Archer_C3150	ARMEL	QEMU	dataset-1	Router	httpd	User	2	Archer_C3150_KR__V2_170925.zip	-	0	0
TPLINK	Archer_C8	ARMEL	QEMU	dataset-1	Router	httpd	User	1	Archer_C8_V1_150518_US.zip	-	0	0
Fortigate	FortiOS	X86	QEMU	dataset-1	Firewall	httpd	User,Token	2	FGT_VM64_KVM-v7.0.0-build0066-FORTINET	CVE-2022-40684	1	0
F5	BIGIP	X86	QEMU	dataset-1	ADC	apache	Token	1	bigip-15.1.0.1-0.0.4	CVE-2020-5902, CVE-2021-22986, CVE-2022-1388	3	0
Ivanti	Ivanti Connect Secure	X86	QEMU	dataset-1	Gateway	httpd	VPN-Token, RestAPI-Token	2	ISA-V-KVM-ICS-22.3R1-1647.1-VT-kvm	CVE-2023-46805	1	0
QNAP	TS-231P	ARMEL	GDB	dataset-2	NAS	thttpd	User,Token	2	TS-131P_231P_431P_X31+_X31K_20230926-5.1.2.2533	CVE-2024-21899	1	0
Trendnet	TEW-828DRU	ARMEL	QEMU	dataset-1	Router	httpd	User	1	TEW-828DRU_3-r27490.zip	-	0	0
Trendnet	TEW800	ARMEL	QEMU	dataset-1	Media Bridge	httpd	User	1	FW_TEW800MB(v1.0.1.0)_08012013.bin	-	0	0
NETGEAR	WNR3500	ARMEL	QEMU	dataset-1	Router	httpd	User	1	WNR3500-V1.0.30_8.0.30.chk	-	0	0
NETGEAR	XR300	ARMEL	QEMU	dataset-1	Router	httpd	User	1	XR300-V1.0.3.38_10.3.30.chk	CVE-2021-34977	1	0
NETGEAR	EX6200	ARMEL	QEMU	dataset-1	AP	httpd	User,Token	2	EX6200-V1.0.3.88_1.1.123.chk	-	0	0
NETGEAR	R6200V2	ARMEL	QEMU	dataset-1	Router	httpd	User	1	R6200v2-V1.0.3.12_10.1.11.chk	-	0	0
NETGEAR	R6300V2	ARMEL	QEMU	dataset-1	Router	httpd	User	1	R6300v2-V1.0.4.34_10.0.92.chk	-	0	0
NETGEAR	R6400v2	ARMEL	QEMU	dataset-1	Router	httpd	User	1	R6400v2-V1.0.4.84_10.0.58.chk	-	0	0
NETGEAR	R6700V3	ARMEL	QEMU	dataset-1	Router	mini-httpd	User	1	R6700v3-V1.0.5.128_10.0.104.chk	-	0	1 (PSV-2025-0044)
NETGEAR	R7000	ARMEL	QEMU	dataset-1	Router	mini-httpd	User	1	R7000-V1.0.12.216_10.2.122.chk	-	0	1 (PSV-2025-0044)
NETGEAR	R7000P	ARMEL	QEMU	dataset-1	Router	mini-httpd	User	1	R7000P-V1.3.1.64_10.1.36.chk	-	0	0
NETGEAR	R8000	ARMEL	QEMU	dataset-1	Router	httpd	User	1	R8000-V1.0.4.46_10.1.63.chk	-	0	0
NETGEAR	WAC104	MIPSEL	GDB	dataset-2	AP	mini-httpd	User	1	WAC104_firmware_V1.0.4.13.zip	CVE-2021-35973	1	0
Zyxel	NAS326	ARMEL	QEMU	dataset-1	NAS	apache	Token	1	NAS326_V5.21(AAZF.14)C0.zip	CVE-2023-4473	1	1 (CVE-2024-6342)
Belkin	F7D4301	MIPSEL	GDB	dataset-2	Router	httpd	User	1	F7D4301-8301_WW_1.00.30.bin	-	0	0
ASUS	RT-AC68U	ARMEL	QEMU	dataset-1	Router	lighttpd	User,Token	2	FW_RT_AC68U_300438651722.zip	-	0	2 (CVE-2025-2492, CVE-2025-59366)
ASUS	RT-AX56U	ARMEL	QEMU	dataset-1	Router	mini-httpd	User,Token	2	FW_RT_AX56U_30043848253.zip	CVE-2021-32030	1	0
ASUS	DSL-AC88U	ARMEL	QEMU	dataset-1	Router	mini-httpd	User,Token	2	FW_DSL_AC88U_11006591.zip	CVE-2021-20090	1	0
ASUS	RT_N10	MIPSEL	GDB	dataset-2	Router	mini-httpd	User	1	FW_RT_N10_1024.zip	-	0	0
Linksys	E1000	MIPSEL	GDB	dataset-2	Router	httpd	User,Token	2	FW_E1000_2.1.03.005_US_20140321.bin	-	0	0
Linksys	WRT320N	MIPSEL	GDB	dataset-2	Router	httpd	User	1	FW_WRT320N_1.0.05.002_20110331.bin	-	0	0
Total	32	-	-	dataset-1: 22, dataset-2: 10	-	-	-	44	-	-	14	6

Summary: 32 devices (22 in dataset-1, 10 in dataset-2), 44 CVS (Credential Verification Statement), 14 1-day vulnerabilities, 6 0-day vulnerabilities

Data Description

auth_code_results/

Authentication code analysis results for each device:

• auth_bypass_keyinfo.json: Authentication-success Basic Block information
• rq1_cv_point_results.txt: CVS analysis results
• weasel/decision_trees/: Weasel tool analysis results
  • candidate_decision_points.json: Stores the main results of Weasel

http_seeds/

HTTP request seed data in JSON format. Each device includes authentication request pairs:

• Authentication Success Request (auth_user_success / auth_token_success)
• Authentication Failure Request (auth_user_failed / auth_token_failed)

Two types of seed files are provided:

• auth_keyinfo_seeds.json: Authentication request pair seeds used for collecting traces to identify CVS (Credential Verification Statement) and ASBBs (Authentication-success Basic Blocks)
• complete_seeds.json: Seeds used for fuzzing

auth_bypass_1day_fuzz_crashes_example/

Fuzzing crash examples for discovered 1-day authentication bypass vulnerabilities.

firmwares/

Firmware files for device analysis and vulnerability research.

Note: Some firmware files are too large to upload. NFV (Network Function Virtualization) technology simulation images are also not provided.

Important Notes

• Security Research Purpose: This dataset is intended for security research and educational purposes only