# Broken Authentication Testing

This skill should be used when the user asks to "test for broken authentication vulnerabilities", "assess session management security", "perform credential stuffing tests", "evaluate password policies", "test for session fixation", or "identify authentication bypass flaws". It provides comprehensive techniques for identifying authentication and session management weaknesses in web applications.

Author: zebbern. Version: 1.1.

## Purpose

Identify and exploit authentication and session management vulnerabilities in web applications. Broken authentication consistently ranks in the OWASP Top 10 and can lead to account takeover, identity theft, and unauthorized access to sensitive systems. This skill covers testing methodologies for password policies, session handling, multi-factor authentication, and credential management.

## Prerequisites

### Required Knowledge

- HTTP protocol and session mechanisms
- Authentication types (SFA, 2FA, MFA)
- Cookie and token handling
- Common authentication frameworks

### Required Tools

- Burp Suite Professional or Community
- Hydra or similar brute-force tools
- Custom wordlists for credential testing
- Browser developer tools

### Required Access

- Target application URL
- Test account credentials
- Written authorization for testing

## Outputs and Deliverables

- Authentication Assessment Report - Document all identified vulnerabilities
- Credential Testing Results - Brute-force and dictionary attack outcomes
- Session Security Analysis - Token randomness and timeout evaluation
- Remediation Recommendations - Security hardening guidance

## Core Workflow

### Phase 1: Authentication Mechanism Analysis

Understand the application's authentication architecture.

Identify the authentication type:

- Password-based (forms, basic auth, digest)
- Token-based (JWT, OAuth, API keys)
- Certificate-based (mutual TLS)
- Multi-factor (SMS, TOTP, hardware tokens)

Map authentication endpoints:

```
/login, /signin, /authenticate
/register, /signup
/forgot-password, /reset-password
/logout, /signout
/api/auth/, /oauth/
```

Capture and analyze authentication requests:

```http
POST /login HTTP/1.1
Host: target.com
Content-Type: application/x-www-form-urlencoded

username=test&password=test123
```

### Phase 2: Password Policy Testing

Evaluate password requirements and enforcement:

- Test minimum length (a, ab, abcdefgh)
- Test complexity (password, password1, Password1!)
- Test common weak passwords (123456, password, qwerty, admin)
- Test username as password (admin/admin, test/test)

Document policy gaps: minimum length below 8 characters, no complexity requirement, common passwords allowed, username accepted as password.

### Phase 3: Credential Enumeration

Test for username enumeration vulnerabilities.

Compare responses for valid vs invalid usernames:

```
Invalid: "Invalid username" vs Valid: "Invalid password"
```

Check timing differences, response codes, and registration messages.

Password reset:

```
"Email sent if account exists" (secure)
"No account with that email" (leaks info)
```

API responses:

```
{"error": "user_not_found"}
{"error": "invalid_password"}
```
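The differential check above, shown from the application side as an added example (this code is not part of the original skill). It places a login handler that leaks account existence beside one that answers both failure paths with the same status, the same message and the same amount of password-hashing work, so neither the body nor the timing distinguishes an unknown user from a wrong password. The user store, the `login_leaky`, `login_uniform` and `leaks_user_existence` names and the PBKDF2 parameters are assumptions made for this demo.

```python
# Added example (not from the original skill): a login handler that leaks
# account existence beside one that answers uniformly. USERS, login_leaky,
# login_uniform and leaks_user_existence are names chosen for this demo.
import hashlib
import hmac
import os
from typing import Tuple


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 keeps the per-attempt cost identical on every code path below.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


# Constructed user store: username -> (salt, PBKDF2 hash of a test password).
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}

# Dummy credential hashed on unknown-user paths so the work done is the same.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("not a real password", _DUMMY_SALT)


def login_leaky(username: str, password: str) -> Tuple[int, str]:
    """Vulnerable: status and message differ by whether the user exists,
    and unknown users skip the hash entirely (a timing signal as well)."""
    if username not in USERS:
        return 404, "Invalid username"        # confirms the account does not exist
    salt, stored = USERS[username]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return 401, "Invalid password"        # confirms the account does exist
    return 200, "OK"


def login_uniform(username: str, password: str) -> Tuple[int, str]:
    """Hardened: one status, one message and one PBKDF2 call for both failures."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    matches = hmac.compare_digest(_hash(password, salt), stored)
    if not (matches and username in USERS):
        return 401, "Invalid username or password"
    return 200, "OK"


def leaks_user_existence(handler) -> bool:
    """The Phase 3 differential test: do the two failure responses differ?"""
    unknown_user = handler("nobody", "x")
    known_user_wrong_password = handler("alice", "x")
    return unknown_user != known_user_wrong_password
```

Run `leaks_user_existence` against each handler: the leaky one returns `True`, the uniform one `False`. The same comparison applies to the password-reset and API messages listed above.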
### Phase 4: Brute Force Testing

Test account lockout and rate limiting.

Using Hydra for form-based auth:

```bash
hydra -l admin -P /usr/share/wordlists/rockyou.txt \
  target.com http-post-form \
  "/login:username=^USER^&password=^PASS^:Invalid credentials"
```

Using Burp Intruder:

- Capture login request
- Send to Intruder
- Set payload positions on password field
- Load wordlist
- Start attack
- Analyze response lengths/codes

Check for protections:

Account lockout:

- After how many attempts?
- Duration of lockout?
- Lockout notification?

Rate limiting:

- Requests per minute limit?
- IP-based or account-based?
- Bypass via headers (X-Forwarded-For)?

CAPTCHA:

- After failed attempts?
- Easily bypassable?

### Phase 5: Credential Stuffing

Test with known breached credentials. Credential stuffing differs from brute force: it uses known email:password pairs from breaches.

Using Burp Intruder with Pitchfork attack:

- Set username and password as positions
- Load email list as payload 1
- Load password list as payload 2 (matched pairs)
- Analyze for successful logins

Detection evasion:

- Slow request rate
- Rotate source IPs
- Randomize user agents
- Add delays between attempts

### Phase 6: Session Management Testing

Analyze session token security. Capture the session cookie:

```
Cookie: SESSIONID=abc123def456
```

Test token characteristics:

- Entropy - Is it random enough?
- Length - Sufficient length (128+ bits)?
- Predictability - Sequential patterns?
- Secure flags - HttpOnly, Secure, SameSite?

Session token analysis:

```python
#!/usr/bin/env python3
import math
import re
from collections import Counter

import requests

# Collect multiple session tokens
tokens = []
for i in range(100):
    response = requests.get("https://target.com/login")
    token = response.cookies.get("SESSIONID")
    if token:
        tokens.append(token)
if not tokens:
    raise SystemExit("no SESSIONID cookies collected")

# Analyze for patterns

# Check for sequential increments (hex-looking tokens that step by a constant)
if all(re.fullmatch(r"[0-9a-fA-F]+", t) for t in tokens):
    values = [int(t, 16) for t in tokens]
    if len({b - a for a, b in zip(values, values[1:])}) == 1:
        print("tokens increase by a constant step: predictable")

# Calculate entropy (Shannon entropy per character, scaled to token length;
# a rough upper bound, since it ignores structure between characters)
counts = Counter("".join(tokens))
total = sum(counts.values())
bits_per_char = -sum(c / total * math.log2(c / total) for c in counts.values())
print(f"~{bits_per_char * len(tokens[0]):.0f} bits per token (estimate)")

# Look for timestamp components (10-digit Unix epoch values inside the token)
if any(re.search(r"1[5-9]\d{8}", t) for t in tokens):
    print("possible embedded epoch timestamp")
```

### Phase 7: Session Fixation Testing

Test if the session is regenerated after authentication.

Step 1: Get session before login

```
GET /login HTTP/1.1
Response: Set-Cookie: SESSIONID=abc123
```

Step 2: Login with same session

```
POST /login HTTP/1.1
Cookie: SESSIONID=abc123

username=valid&password=valid
```

Step 3: Check if session changed

- VULNERABLE if SESSIONID remains abc123
- SECURE if new session assigned after login

Attack scenario (attacker workflow):

- Attacker visits site, gets session: SESSIONID=attacker_session
- Attacker sends link to victim with fixed session: https://target.com/login?SESSIONID=attacker_session
- Victim logs in with attacker's session
- Attacker now has authenticated session
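The three steps above, automated against a toy server, as an added example that is not part of the original skill. `SessionApp` models a session store with two login variants: one that keeps the session id the client presents (the vulnerable behaviour) and one that discards it and issues a fresh id on success (the fix). `session_fixation_vulnerable` performs Step 1 to Step 3 and reports whether the pre-login id is still a live authenticated session afterwards. The class, its methods and the `valid`/`valid` test account are assumptions made for this demo.

```python
# Added example (not part of the original skill): a toy session store with a
# vulnerable and a hardened login, plus the three-step check from Phase 7.
# SessionApp, its methods and the "valid"/"valid" account are assumptions.
import secrets
from typing import Dict, Optional


class SessionApp:
    """Toy server. sessions[id] -> {"user": name or None}."""

    def __init__(self, regenerate_on_login: bool):
        self.regenerate_on_login = regenerate_on_login
        self.sessions: Dict[str, Dict[str, Optional[str]]] = {}
        self.users = {"valid": "valid"}       # constructed test account

    def get_login_page(self) -> str:
        """Step 1: an anonymous visit hands out a pre-authentication session id."""
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": None}
        return sid

    def login(self, sid: str, username: str, password: str) -> Optional[str]:
        """Step 2: authenticate while the client presents session id `sid`.

        Vulnerable variant: keeps whatever id the client sent and marks it
        authenticated, so an id planted by someone else becomes their session.
        Hardened variant: drops the presented id and issues a fresh one.
        """
        if self.users.get(username) != password:
            return None
        if not self.regenerate_on_login:
            self.sessions[sid] = {"user": username}   # even an id the server never issued
            return sid
        self.sessions.pop(sid, None)
        new_sid = secrets.token_hex(16)
        self.sessions[new_sid] = {"user": username}
        return new_sid

    def whoami(self, sid: str) -> Optional[str]:
        entry = self.sessions.get(sid)
        return entry["user"] if entry else None


def session_fixation_vulnerable(app: SessionApp) -> bool:
    """Step 3: is the pre-login id still a live, authenticated session after login?"""
    pre_login = app.get_login_page()
    post_login = app.login(pre_login, "valid", "valid")
    if post_login is None:
        raise RuntimeError("test credentials were rejected")
    return app.whoami(pre_login) == "valid"
```

Against a real target the same procedure is driven by a client that records `Set-Cookie` before and after the `POST /login` and compares the two values; the finding is the same boolean.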

### Phase 8: Session Timeout Testing

Verify session expiration policies.

Test idle timeout:

- Login and note session cookie
- Wait without activity (15, 30, 60 minutes)
- Attempt to use session
- Check if session is still valid

Test absolute timeout:

- Login and continuously use session
- Check if forced logout after set period (8 hours, 24 hours)

Test logout functionality:

- Login and note session
- Click logout
- Attempt to reuse old session cookie
- Session should be invalidated server-side

### Phase 9: Multi-Factor Authentication Testing

Assess MFA implementation security.

OTP brute force:

- 4-digit OTP = 10,000 combinations
- 6-digit OTP = 1,000,000 combinations
- Test rate limiting on OTP endpoint

OTP bypass techniques:

- Skip MFA step by direct URL access
- Modify response to indicate MFA passed
- Null/empty OTP submission
- Previous valid OTP reuse

API version downgrade attack (crAPI example): if /api/v3/check-otp has rate limiting, try older versions, which may lack security controls:

```http
POST /api/v2/check-otp

{"otp": "1234"}
```

Using Burp for OTP testing:

- Capture OTP verification request
- Send to Intruder
- Set OTP field as payload position
- Use numbers payload (0000-9999)
- Check for successful bypass

Test MFA enrollment:

Forced enrollment:

- Can MFA be skipped during setup?
- Can backup codes be accessed without verification?

Recovery process:

- Can MFA be disabled via email alone?
- Social engineering potential?
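An OTP verifier that closes the gaps probed above, as an added example that is not part of the original skill: a per-code guessing budget far below the 1,000,000 six-digit combinations, rejection of null/empty submissions, expiry, and single use so a previously valid code cannot be replayed. The `OtpVerifier` class, the budget and TTL constants and the injectable `clock` are assumptions made for this demo; a real deployment would route every API version (v2 and v3 alike) through one such verifier.

```python
# Added example (not from the original skill): an OTP check with an attempt
# budget, expiry, single use and no empty-code path. OtpVerifier, MAX_ATTEMPTS,
# OTP_TTL_SECONDS and the clock parameter are names chosen for this demo.
import hmac
import secrets
import time
from typing import Dict, Optional

MAX_ATTEMPTS = 5          # guesses allowed per issued code
OTP_TTL_SECONDS = 300     # code lifetime


class OtpVerifier:
    def __init__(self, clock=time.time):
        self.clock = clock                     # injectable for offline testing
        self._issued: Dict[str, Dict] = {}     # user -> {code, expires, attempts}

    def issue(self, user: str) -> str:
        """Generate a fresh six-digit code; in production it is sent out of band."""
        code = f"{secrets.randbelow(1_000_000):06d}"
        self._issued[user] = {
            "code": code,
            "expires": self.clock() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        return code

    def check(self, user: str, submitted: Optional[str]) -> bool:
        """True only for an unexpired, unused code within its guessing budget."""
        entry = self._issued.get(user)
        if entry is None or not submitted:
            return False                       # null/empty OTP never passes
        if self.clock() > entry["expires"] or entry["attempts"] >= MAX_ATTEMPTS:
            self._issued.pop(user)             # expired or exhausted: a new code is required
            return False
        entry["attempts"] += 1
        if hmac.compare_digest(entry["code"], submitted):
            self._issued.pop(user)             # single use: a replayed code fails
            return True
        return False
```

The budget is enforced per issued code rather than per source IP, so rotating `X-Forwarded-For` style headers does not reset it, and a new code must be requested once it is spent.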

### Phase 10: Password Reset Testing

Analyze password reset security.

Token security:

- Request password reset
- Capture reset link
- Analyze token:
  - Length and randomness
  - Expiration time
  - Single-use enforcement
  - Account binding

Token manipulation: try changing the user parameter while using a valid token:

```
https://target.com/reset?token=abc123&user=victim
```

Host header injection: the reset email may contain the attacker's domain:

```http
POST /forgot-password HTTP/1.1
Host: attacker.com

email=victim@email.com
```

## Quick Reference

### Common Vulnerability Types

| Vulnerability | Risk | Test Method |
|---|---|---|
| Weak passwords | High | Policy testing, dictionary attack |
| No lockout | High | Brute force testing |
| Username enumeration | Medium | Differential response analysis |
| Session fixation | High | Pre/post-login session comparison |
| Weak session tokens | High | Entropy analysis |
| No session timeout | Medium | Long-duration session testing |
| Insecure password reset | High | Token analysis, workflow bypass |
| MFA bypass | Critical | Direct access, response manipulation |

### Credential Testing Payloads

Default credentials:

```
admin:admin
admin:password
admin:123456
root:root
test:test
user:user
```

Common passwords:

```
123456
password
12345678
qwerty
abc123
password1
admin123
```

Breached credential databases:

- Have I Been Pwned dataset
- SecLists passwords
- Custom targeted lists

### Session Cookie Flags

| Flag | Purpose | Vulnerability if Missing |
|---|---|---|
| HttpOnly | Prevent JS access | XSS can steal session |
| Secure | HTTPS only | Sent over HTTP |
| SameSite | CSRF protection | Cross-site requests allowed |
| Path | URL scope | Broader exposure |
| Domain | Domain scope | Subdomain access |
| Expires | Lifetime | Persistent sessions |
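A small auditor for the flags in the table, as an added example that is not part of the original skill. It parses `Set-Cookie` headers the way a proxy or test client would capture them and reports one finding per table row that applies; the sample headers, including the `.target.com` domain, are constructed for this demo, and `parse_set_cookie`, `audit_session_cookie` and `audit_all` are names chosen here.

```python
# Added example (not from the original skill): audit Set-Cookie headers for the
# flags in the table above. SAMPLE_HEADERS are constructed; parse_set_cookie,
# audit_session_cookie and audit_all are names chosen for this demo.
from typing import Dict, List

# Constructed sample headers, as a proxy or test client would capture them.
SAMPLE_HEADERS = [
    "SESSIONID=abc123def456; Path=/; HttpOnly; Secure; SameSite=Lax",
    "legacy_session=9f8e7d; Domain=.target.com; Expires=Fri, 01 Jan 2100 00:00:00 GMT",
    "prefs=dark; Path=/; SameSite=None; Secure",
]


def parse_set_cookie(header: str) -> Dict[str, str]:
    """Split one Set-Cookie header into name, value and lower-cased attributes.
    Flag attributes without a value (HttpOnly, Secure) map to an empty string."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip()}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        cookie[key.strip().lower()] = val.strip()
    return cookie


def audit_session_cookie(header: str) -> List[str]:
    """Findings for a cookie that carries a session, one per applicable table row."""
    c = parse_set_cookie(header)
    findings = []
    if "httponly" not in c:
        findings.append("missing HttpOnly: script on the page can read the cookie (XSS)")
    if "secure" not in c:
        findings.append("missing Secure: cookie is also sent over plain HTTP")
    if c.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: cross-site requests carry the cookie")
    if "path" not in c:
        findings.append("missing Path: scope defaults to the directory of the setting URL")
    if c.get("domain"):
        findings.append(f"Domain={c['domain']}: cookie is shared with every subdomain")
    if "expires" in c or "max-age" in c:
        findings.append("Expires/Max-Age set: session persists beyond the browser session")
    return findings


def audit_all(headers: List[str]) -> Dict[str, List[str]]:
    """Map cookie name -> findings for a batch of captured headers."""
    return {parse_set_cookie(h)["name"]: audit_session_cookie(h) for h in headers}
```

Note the splitting on `;` is safe for the `Expires` date format, which contains commas but no semicolons; headers carrying several cookies folded into one line should be split per cookie first.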

### Rate Limiting Bypass Headers

```http
X-Forwarded-For: 127.0.0.1
X-Real-IP: 127.0.0.1
X-Originating-IP: 127.0.0.1
X-Client-IP: 127.0.0.1
X-Remote-IP: 127.0.0.1
True-Client-IP: 127.0.0.1
```

## Constraints and Limitations

### Legal Requirements

- Only test with explicit written authorization
- Avoid testing with real breached credentials
- Do not access actual user accounts
- Document all testing activities

### Technical Limitations

- CAPTCHA may prevent automated testing
- Rate limiting affects brute force timing
- MFA significantly increases attack difficulty
- Some vulnerabilities require victim interaction

### Scope Considerations

- Test accounts may behave differently than production
- Some features may be disabled in test environments
- Third-party authentication may be out of scope
- Production testing requires extra caution

## Examples

### Example 1: Account Lockout Bypass

Scenario: Test if account lockout can be bypassed

Step 1: Identify lockout threshold. Try 5 wrong passwords for the admin account.

```
Result: "Account locked for 30 minutes"
```

Step 2: Test bypass via IP rotation using the X-Forwarded-For header. Increment the IP for each attempt and continue until successful or confirmed blocked:

```http
POST /login HTTP/1.1
X-Forwarded-For: 192.168.1.1

username=admin&password=attempt1
```

```http
X-Forwarded-For: 192.168.1.2
```

Step 3: Test bypass via case manipulation. Some systems treat these as different accounts:

```
username=Admin (vs admin)
username=ADMIN
```

### Example 2: JWT Token Attack

Scenario: Exploit weak JWT implementation

Step 1: Capture JWT token

```
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoidGVzdCJ9.signature
```

Step 2: Decode and analyze

```
Header:  {"alg":"HS256","typ":"JWT"}
Payload: {"user":"test","role":"user"}
```

Step 3: Try "none" algorithm attack. Change the header to `{"alg":"none","typ":"JWT"}` and remove the signature:

```
eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJ1c2VyIjoiYWRtaW4iLCJyb2xlIjoiYWRtaW4ifQ.
```

Step 4: Submit modified token

```
Authorization: Bearer eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJ1c2VyIjoiYWRtaW4ifQ.
```
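Why the Step 4 token is accepted by some servers and rejected by others, as an added example that is not part of the original skill: a verifier that takes the algorithm from the attacker-controlled header (`verify_trusting_header`) sits beside one that pins HS256 and the server's own key (`verify_pinned`). `NONE_TOKEN` is the exact token from Step 4; the signing key, `issue_token` and the helper names are assumptions made for this demo, written with only the standard library rather than a JWT library.

```python
# Added example (not from the original skill): a JWT verifier that trusts the
# header's "alg" (vulnerable) beside one that pins the expected algorithm
# (hardened). SECRET, issue_token and the helper names are assumptions.
import base64
import hashlib
import hmac
import json
from typing import Optional

SECRET = b"demo-secret-not-for-production"   # constructed key for this demo


def _b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _hs256(signing_input: bytes) -> str:
    return _b64url_encode(hmac.new(SECRET, signing_input, hashlib.sha256).digest())


def issue_token(claims: dict) -> str:
    """Mint an HS256 token the way the server would."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode()
    return f"{header}.{payload}.{_hs256(signing_input)}"


def verify_trusting_header(token: str) -> Optional[dict]:
    """Vulnerable: the algorithm is whatever the (unauthenticated) header says."""
    header_b64, payload_b64, sig = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    signing_input = f"{header_b64}.{payload_b64}".encode()
    if header.get("alg") == "none":
        return json.loads(_b64url_decode(payload_b64))    # unsigned token accepted
    if header.get("alg") == "HS256" and hmac.compare_digest(sig, _hs256(signing_input)):
        return json.loads(_b64url_decode(payload_b64))
    return None


def verify_pinned(token: str) -> Optional[dict]:
    """Hardened: only HS256 under our key is ever accepted; "none" is not an option."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256" or not sig:
        return None
    signing_input = f"{header_b64}.{payload_b64}".encode()
    if not hmac.compare_digest(sig, _hs256(signing_input)):
        return None
    return json.loads(_b64url_decode(payload_b64))


# The Step 4 token: header {"alg":"none","typ":"JWT"}, payload {"user":"admin"}, empty signature.
NONE_TOKEN = "eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJ1c2VyIjoiYWRtaW4ifQ."
```

The fix is the allow-list on `alg` decided by the server, not by the token; the same rule is what stops an HS256/RS256 confusion, where a public key would be reused as an HMAC secret.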
### Example 3: Password Reset Token Exploitation

Scenario: Test password reset functionality

Step 1: Request reset for test account

```http
POST /forgot-password

email=test@example.com
```

Step 2: Capture reset link

```
https://target.com/reset?token=a1b2c3d4e5f6
```

Step 3: Test token properties

- Reuse: Try using same token twice
- Expiration: Wait 24+ hours and retry
- Modification: Change characters in token

Step 4: Test for user parameter manipulation. Check if admin's password can be reset with the test user's token:

```
https://target.com/reset?token=a1b2c3d4e5f6&email=admin@example.com
```
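A reset-token service that passes every check in Phase 10 and in Example 3, as an added example that is not part of the original skill: tokens are generated with 256 bits of randomness, stored only as a hash (so a database read does not yield usable links), bound to the account that requested them (defeating the `email=` swap in Step 4), expire, and are consumed on first use. `ResetService`, the user dictionary, `TOKEN_TTL_SECONDS` and the injectable `clock` are assumptions made for this demo.

```python
# Added example (not from the original skill): a reset-token service that
# resists the reuse, expiration, modification and user-parameter checks above.
# ResetService, TOKEN_TTL_SECONDS and the clock parameter are names chosen here.
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

TOKEN_TTL_SECONDS = 15 * 60


class ResetService:
    """Tokens are random, stored only as hashes, bound to one account,
    expire, and are consumed on first use."""

    def __init__(self, users: Dict[str, str], clock=time.time):
        self.users = users                      # email -> password (constructed store)
        self.clock = clock                      # injectable for offline testing
        self._pending: Dict[str, Dict] = {}     # sha256(token) -> {email, expires}

    def request_reset(self, email: str) -> Optional[str]:
        """Return the raw token that would be mailed, or None for an unknown account.
        A real handler emails it and answers the caller identically either way."""
        if email not in self.users:
            return None
        token = secrets.token_urlsafe(32)       # 256 bits: not guessable or enumerable
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[digest] = {"email": email, "expires": self.clock() + TOKEN_TTL_SECONDS}
        return token

    def reset_password(self, token: str, email: str, new_password: str) -> bool:
        """Succeed only for an unexpired, unused token issued to this exact email."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.get(digest)
        if entry is None:
            return False                        # unknown, already used, or modified token
        if self.clock() > entry["expires"]:
            self._pending.pop(digest)
            return False                        # expired
        if not hmac.compare_digest(entry["email"].encode(), email.encode()):
            return False                        # account binding: token was not issued to this user
        self._pending.pop(digest)               # single use
        self.users[email] = new_password
        return True
```

Because lookup is by the hash of the submitted token, a modified token simply misses the table, and the `email` parameter is only ever compared against the one recorded at issue time, never trusted on its own.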

## Troubleshooting

| Issue | Solutions |
|---|---|
| Brute force too slow | Identify rate limit scope; IP rotation; add delays; use targeted wordlists |
| Session analysis inconclusive | Collect 1000+ tokens; use statistical tools; check for timestamps; compare accounts |
| MFA cannot be bypassed | Document as secure; test backup/recovery mechanisms; check MFA fatigue; verify enrollment |
| Account lockout prevents testing | Request multiple test accounts; test threshold first; use slower timing |
