Broken Authentication Testing
Purpose
Identify and exploit authentication and session management vulnerabilities in web applications. Broken authentication consistently ranks in the OWASP Top 10 and can lead to account takeover, identity theft, and unauthorized access to sensitive systems. This skill covers testing methodologies for password policies, session handling, multi-factor authentication, and credential management.
Prerequisites
Required Knowledge
- HTTP protocol and session mechanisms
- Authentication types (SFA, 2FA, MFA)
- Cookie and token handling
- Common authentication frameworks
Required Tools
- Burp Suite Professional or Community
- Hydra or similar brute-force tools
- Custom wordlists for credential testing
- Browser developer tools
Required Access
- Target application URL
- Test account credentials
- Written authorization for testing
Outputs and Deliverables
- Authentication Assessment Report - Document all identified vulnerabilities
- Credential Testing Results - Brute-force and dictionary attack outcomes
- Session Security Analysis - Token randomness and timeout evaluation
- Remediation Recommendations - Security hardening guidance
Core Workflow
Phase 1: Authentication Mechanism Analysis
Understand the application's authentication architecture:
# Identify authentication type
- Password-based (forms, basic auth, digest)
- Token-based (JWT, OAuth, API keys)
- Certificate-based (mutual TLS)
- Multi-factor (SMS, TOTP, hardware tokens)
# Map authentication endpoints
/login, /signin, /authenticate
/register, /signup
/forgot-password, /reset-password
/logout, /signout
/api/auth/*, /oauth/*
Capture and analyze authentication requests:
POST /login HTTP/1.1
username=test&password=test123
Phase 2: Password Policy Testing
Evaluate password requirements and enforcement:
Document policy gaps: Minimum length <8, no complexity, common passwords allowed, username as password.
Phase 3: Credential Enumeration
Test for username enumeration vulnerabilities:
Password reset
"Email sent if account exists" (secure)
"No account with that email" (leaks info)
API responses
{"error": "user_not_found"}
{"error": "invalid_password"}
### Phase 4: Brute Force Testing
Test account lockout and rate limiting:
```bash
# Using Hydra for form-based auth
hydra -l admin -P /usr/share/wordlists/rockyou.txt \
target.com http-post-form \
"/login:username=^USER^&password=^PASS^:Invalid credentials"
# Using Burp Intruder
1. Capture login request
2. Send to Intruder
3. Set payload positions on password field
4. Load wordlist
5. Start attack
6. Analyze response lengths/codes
Check for protections:
- After how many attempts?
- Duration of lockout?
- Lockout notification?
- Requests per minute limit?
- IP-based or account-based?
- Bypass via headers (X-Forwarded-For)?
- After failed attempts?
- Easily bypassable?
Phase 5: Credential Stuffing
Test with known breached credentials:
1. Set username and password as positions
2. Load email list as payload 1
3. Load password list as payload 2 (matched pairs)
4. Analyze for successful logins
- Slow request rate
- Rotate source IPs
- Randomize user agents
- Add delays between attempts
Phase 6: Session Management Testing
Analyze session token security:
Cookie: SESSIONID=abc123def456
1. Entropy - Is it random enough?
2. Length - Sufficient length (128+ bits)?
3. Predictability - Sequential patterns?
4. Secure flags - HttpOnly, Secure, SameSite?
Session token analysis:
import requests
import hashlib
tokens = []
for i in range(100):
response = requests.get("https://target.com/login")
token = response.cookies.get("SESSIONID")
tokens.append(token)
Phase 7: Session Fixation Testing
Test if session is regenerated after authentication:
GET /login HTTP/1.1
Response: Set-Cookie: SESSIONID=abc123
POST /login HTTP/1.1
Cookie: SESSIONID=abc123
username=valid&password=valid
Attack scenario:
1. Attacker visits site, gets session: SESSIONID=attacker_session
2. Attacker sends link to victim with fixed session:
https://target.com/login?SESSIONID=attacker_session
3. Victim logs in with attacker's session
4. Attacker now has authenticated session
Phase 8: Session Timeout Testing
Verify session expiration policies:
1. Login and note session cookie
2. Wait without activity (15, 30, 60 minutes)
3. Attempt to use session
4. Check if session is still valid
1. Login and continuously use session
2. Check if forced logout after set period (8 hours, 24 hours)
1. Login and note session
2. Click logout
3. Attempt to reuse old session cookie
4. Session should be invalidated server-side
Phase 9: Multi-Factor Authentication Testing
Assess MFA implementation security:
- 4-digit OTP = 10,000 combinations
- 6-digit OTP = 1,000,000 combinations
- Test rate limiting on OTP endpoint
- Skip MFA step by direct URL access
- Modify response to indicate MFA passed
- Null/empty OTP submission
- Previous valid OTP reuse
POST /api/v2/check-otp
{"otp": "1234"}
1. Capture OTP verification request
2. Send to Intruder
3. Set OTP field as payload position
4. Use numbers payload (0000-9999)
5. Check for successful bypass
Test MFA enrollment:
- Can MFA be skipped during setup?
- Can backup codes be accessed without verification?
- Can MFA be disabled via email alone?
- Social engineering potential?
Phase 10: Password Reset Testing
Analyze password reset security:
1. Request password reset
2. Capture reset link
3. Analyze token:
- Length and randomness
- Expiration time
- Single-use enforcement
- Account binding
https://target.com/reset?token=abc123&user=victim
POST /forgot-password HTTP/1.1
Host: attacker.com
email=[email protected]
Quick Reference
Common Vulnerability Types
| Vulnerability |
Risk |
Test Method |
| Weak passwords |
High |
Policy testing, dictionary attack |
| No lockout |
High |
Brute force testing |
| Username enumeration |
Medium |
Differential response analysis |
| Session fixation |
High |
Pre/post-login session comparison |
| Weak session tokens |
High |
Entropy analysis |
| No session timeout |
Medium |
Long-duration session testing |
| Insecure password reset |
High |
Token analysis, workflow bypass |
| MFA bypass |
Critical |
Direct access, response manipulation |
Credential Testing Payloads
admin:admin
admin:password
admin:123456
root:root
test:test
user:user
123456
password
12345678
qwerty
abc123
password1
admin123
- Have I Been Pwned dataset
- SecLists passwords
- Custom targeted lists
Session Cookie Flags
| Flag |
Purpose |
Vulnerability if Missing |
| HttpOnly |
Prevent JS access |
XSS can steal session |
| Secure |
HTTPS only |
Sent over HTTP |
| SameSite |
CSRF protection |
Cross-site requests allowed |
| Path |
URL scope |
Broader exposure |
| Domain |
Domain scope |
Subdomain access |
| Expires |
Lifetime |
Persistent sessions |
Rate Limiting Bypass Headers
