What is Client-Side Authentication?

When a website needs to verify that a user is allowed to access something, it checks whether the user is authenticated, usually through some form of login page. However, some lazy or inexperienced developers perform the password check in the user's browser instead of on the server hosting the site. This is known as Client-Side Authentication.

Why is it bad?

Because the check is done in the client's browser, all the server ever learns is that the browser claimed the user is allowed to access a resource. A malicious user can therefore skip the password check entirely and simply have their browser say that they are authorized, either by spoofing the traffic or by editing the client-side code, since they have full control over their own browser. Because it is so easy to bypass, this vulnerability is also frequently used as a beginner-level web exploitation challenge in Capture the Flag (CTF) competitions.

How to exploit Client-Side Authentication?

Because the check is done in the client's browser, you can press the F12 key to open the developer console. Simply skim through the lines of script and look for a function that compares the input to some value. Once you find it, copy out the password, or open the URL it is protecting directly.