Authentication and Session Management

Auth Bypass

Test Cases:
1. SQL injection in login form
   Username: admin' OR '1'='1' --
   Password: anything

2. NoSQL injection (MongoDB)
   Username: {"$gt": ""}
   Password: {"$gt": ""}

3. LDAP injection
   Username: *)(&
   Password: anything

4. Default credentials
   admin:admin, admin:password, root:root, test:test

5. Password reset flaws
   - Token not invalidated after use
   - Predictable tokens
   - Token sent in URL
   - Host header injection
   - Race conditions

6. JWT vulnerabilities
   - None algorithm (alg: none)
   - Weak secret (bruteforce with jwt_tool)
   - Key confusion (RS256 to HS256)
   - Signature not verified

Tools

# JWT testing
jwt_tool <JWT_TOKEN> -t https://target.com/api/endpoint -rh "Authorization: Bearer JWT_HERE"

# Bruteforce
hydra -L users.txt -P passwords.txt target.com http-post-form "/login:username=^USER^&password=^PASS^:F=incorrect"

Session Management

Check:
1. Session fixation
2. Session not invalidated on logout
3. Concurrent sessions allowed
4. Session token in URL
5. No session timeout
6. Weak session IDs (predictable)
7. Missing Secure flag on cookies (over HTTPS)
8. Missing HttpOnly flag on cookies
9. No SameSite attribute
10. Session token exposed in logs/Referer

PreviousVulnerability Discovery NextAuthorization and Access control

Last updated 3 months ago