Authentication & Sessions

Authentication and session management determine how a web application identifies users and maintains their state across requests. These mechanisms form the foundation of access control. When authentication or session handling is weak, attackers can bypass login systems, impersonate users, hijack accounts, or escalate privileges. Understanding how these mechanisms work internally is essential before discovering vulnerabilities within them.

Understanding Authentication

Authentication verifies the identity of a user attempting to access a system. The process relies on one or more of the following:

  • Something the user knows

  • Something the user has

  • Something the user is

Web applications typically authenticate users through:

  • Username and password

  • One-time passwords

  • Tokens

  • Certificates

  • OAuth and external identity providers

Authentication flaws occur when the system fails to properly validate credentials, fails to protect them, or exposes weaknesses in login logic.

Core Authentication Components

Authentication always includes:

  • A login endpoint

  • A credential validation mechanism

  • A user database

  • Responses for valid or invalid attempts

  • Built-in controls such as rate limiting or lockouts

A weakness in any of these components creates attack surface.

Types of Authentication Systems

Different systems introduce different vulnerabilities.

Password-Based Authentication

The most common form and the most frequently targeted. Vulnerabilities include:

  • Brute force

  • Credential stuffing

  • Weak password policies

  • Password reuse

  • No rate limiting

  • No account lockout

Token-Based Authentication

Applications issue tokens after login. Examples include:

  • JSON Web Tokens

  • Session tokens

  • API keys

Weaknesses arise when tokens are predictable, reusable, or poorly validated.

Multi-Factor Authentication

Combines two or more verification methods. Flaws include:

  • OTP bypass

  • Token interception

  • MFA fatigue

  • Insecure fallback flows

External/Third-Party Authentication

OAuth, SSO, and identity providers simplify authentication but introduce misconfiguration risks.

Common issues:

  • Improper redirect validation

  • Token injection

  • Overly broad scopes

  • Unvalidated signatures

Understanding Sessions

Sessions allow a server to remember the state of a user between requests. Since HTTP is stateless, session management becomes the backbone of authenticated interaction.

Sessions rely on:

  • Unique identifiers

  • Server-side storage

  • Session cookies

  • Expiration logic

Weak session management leads directly to account compromise.

How Sessions Work

  1. User logs in

  2. Server generates a session ID

  3. Session ID is stored in a cookie

  4. Browser sends cookie with each request

  5. Server uses the ID to retrieve session data

If an attacker obtains or predicts the session ID, they gain full access as the victim.

Key Session Properties

Uniqueness

Session IDs must be random and unpredictable.

Confidentiality

Session data must be stored securely and transmitted over HTTPS.

Integrity

Session tokens must not be modifiable or forgeable by the client.

Expiration

Sessions must expire after inactivity or logout.

Binding

Sessions should be bound to:

  • IP

  • User agent

  • Device

  • Specific authentication context

Weak binding allows session hijacking.
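The five-step flow above and the properties that follow it (uniqueness, expiration, binding, logout) can be demonstrated in one small server-side session store. This is an added example, not code from the original page: it uses Python's standard library only, assumes a 15-minute idle timeout and a cookie named sid (both invented policies), and binds sessions to the User-Agent rather than the IP address, since IP binding breaks for clients whose address changes. It also shows the fixation defence the text describes later: the ID is reissued on every login.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

SESSION_TTL = 15 * 60   # assumed policy: seconds of inactivity before a session expires
COOKIE_NAME = "sid"     # hypothetical cookie name


@dataclass
class Session:
    user: str
    created: float
    last_seen: float
    ua_hash: str        # binding: hash of the User-Agent observed at login


class SessionStore:
    """Server-side session store. The browser only ever holds an opaque random ID;
    all state (who is logged in, since when) lives here, so the client cannot alter it."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._sessions: Dict[str, Session] = {}
        self._clock = clock

    @staticmethod
    def new_id() -> str:
        # 32 bytes from the OS CSPRNG (256 bits): unique and unpredictable, so guessing is infeasible
        return secrets.token_urlsafe(32)

    @staticmethod
    def bind(user_agent: str) -> str:
        return hashlib.sha256(user_agent.encode()).hexdigest()

    def login(self, user: str, user_agent: str, old_id: Optional[str] = None) -> str:
        """Step 2: issue a fresh ID on every login. Any ID the browser presented before
        authenticating is discarded, which defeats session fixation."""
        if old_id is not None:
            self._sessions.pop(old_id, None)
        sid = self.new_id()
        now = self._clock()
        self._sessions[sid] = Session(user, now, now, self.bind(user_agent))
        return sid

    def lookup(self, sid: str, user_agent: str) -> Optional[str]:
        """Step 5: resolve the ID from the cookie to a user, or None if the session is
        unknown, idle past SESSION_TTL, or presented with a different User-Agent."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        now = self._clock()
        if now - sess.last_seen > SESSION_TTL:
            del self._sessions[sid]     # idle expiry: a stolen ID cannot be replayed indefinitely
            return None
        if sess.ua_hash != self.bind(user_agent):
            del self._sessions[sid]     # binding mismatch: revoke rather than serve a possible hijacker
            return None
        sess.last_seen = now
        return sess.user

    def logout(self, sid: str) -> bool:
        """Destroy the server-side record; redirecting without this leaves the ID usable."""
        return self._sessions.pop(sid, None) is not None


def set_cookie_header(sid: str) -> str:
    """Step 3: Set-Cookie value carrying the ID with the protective attributes
    (HttpOnly, Secure, SameSite) plus a bounded lifetime."""
    return f"{COOKIE_NAME}={sid}; HttpOnly; Secure; SameSite=Lax; Path=/; Max-Age={SESSION_TTL}"


if __name__ == "__main__":
    store = SessionStore()
    ua = "Mozilla/5.0 (constructed sample)"
    sid = store.login("alice", ua)
    print(set_cookie_header(sid))
    print(store.lookup(sid, ua))                      # alice
    print(store.logout(sid), store.lookup(sid, ua))   # True None
```

The store is in-memory for illustration; a production deployment would keep the same shape of record in a database or cache so every application instance can resolve the ID, and would prune idle entries on a schedule rather than only on lookup.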

Session Cookies

Cookies store session identifiers. They must be configured correctly to prevent theft or manipulation.

Key cookie attributes:

  • HttpOnly

  • Secure

  • SameSite

  • Path

  • Domain

  • Expiration

Missing attributes create vulnerabilities.

HttpOnly Cookie

Prevents JavaScript access. Without it, XSS can steal sessions.

Secure Cookie

Ensures the cookie only travels over HTTPS. Without it, attackers can sniff the session on the network.

SameSite Cookie

Protects against CSRF by restricting cross-site requests.
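The attribute list above is easy to check mechanically. The following added example (not code from the original page) parses Set-Cookie header values and reports which of the protective attributes are missing or risky, the check a reviewer would run over a login response. The 30-day threshold for a "long-lived" cookie is an assumed policy, and the sample headers at the bottom are constructed, not captured from any real site.

```python
from typing import Dict, List

MAX_COOKIE_AGE = 30 * 24 * 3600   # assumed policy: flag session cookies that live longer than 30 days


def parse_set_cookie(header: str) -> Dict[str, str]:
    """Split one Set-Cookie header value into the cookie's name/value and its attributes.
    Attribute names are lowercased; flag attributes (HttpOnly, Secure) map to an empty string."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip()}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        cookie[key.strip().lower()] = val.strip()
    return cookie


def audit_session_cookie(header: str) -> List[str]:
    """Return one finding per missing or risky attribute; an empty list means the cookie
    carries every attribute the text calls for."""
    c = parse_set_cookie(header)
    findings: List[str] = []
    if "httponly" not in c:
        findings.append("missing HttpOnly: script injected via XSS can read the session ID")
    if "secure" not in c:
        findings.append("missing Secure: the cookie is also sent over plain HTTP")
    samesite = c.get("samesite", "").lower()
    if samesite not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: cookie is attached to cross-site requests (CSRF)")
    if samesite == "none" and "secure" not in c:
        findings.append("SameSite=None without Secure: browsers reject this combination")
    if "domain" in c:
        findings.append(f"Domain={c['domain']}: cookie is shared with every subdomain")
    if "max-age" in c and c["max-age"].isdigit() and int(c["max-age"]) > MAX_COOKIE_AGE:
        findings.append(f"Max-Age={c['max-age']}: long-lived session cookie")
    return findings


def audit_response_cookies(headers: List[str]) -> Dict[str, List[str]]:
    """Audit every Set-Cookie header of one response, keyed by cookie name."""
    return {parse_set_cookie(h)["name"]: audit_session_cookie(h) for h in headers}


if __name__ == "__main__":
    # Constructed sample headers, not captured from any real site.
    sample = [
        "sid=abc123; Path=/",
        "sid=abc123; Path=/; HttpOnly; Secure; SameSite=Strict",
        "remember=1; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=31536000; Domain=example.com",
    ]
    for h in sample:
        print(h, "->", audit_session_cookie(h) or "OK")
```

A cookie with no Expires or Max-Age is a browser-session cookie, which is the usual choice for a session ID, so its absence is not reported; only an excessive lifetime is. The Domain finding is informational: setting Domain deliberately widens the cookie's scope to all subdomains, so it should be a conscious decision.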

Authentication Weaknesses

Authentication flaws expose systems to direct compromise. Common weaknesses include:

Weak Password Policies

  • Short passwords

  • Allowing common passwords

  • No complexity requirements

Insecure Password Storage

  • Plaintext passwords

  • Weak hashing algorithms

  • Missing salts

Username Enumeration

Different responses for valid and invalid usernames reveal user existence.

Inadequate Brute Force Protection

  • No rate limiting

  • No lockout

  • No monitoring

Attackers test thousands of passwords quickly.
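The three weaknesses just listed (insecure password storage, username enumeration, inadequate brute-force protection) are fixed in the same piece of code: the login handler. The added example below is not from the original page; it uses only Python's standard library and assumes a PBKDF2 cost of 600,000 iterations, five failures before a 15-minute lockout, and a single generic error message, all of which are illustrative policy choices. The insecure_hash function is the "before" case, kept only to show what salting and iteration replace.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Dict, List, Tuple

PBKDF2_ITERATIONS = 600_000   # assumed cost factor; stored in each record so it can be raised later
MAX_FAILURES = 5              # assumed policy: failed attempts per account before a lockout
LOCKOUT_SECONDS = 15 * 60     # assumed policy: lockout window
GENERIC_ERROR = "Invalid username or password"   # identical text for every kind of failure


def insecure_hash(password: str) -> str:
    """The 'before': a fast, unsalted hash. Equal passwords give equal hashes, and
    precomputed tables or a GPU crack it at billions of guesses per second."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256. The record is self-describing:
    algorithm$iterations$salt$digest, with salt and digest in hex."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))   # constant-time comparison


class LoginService:
    """Login handler that gives the same answer, in about the same time, whether the
    username exists or not, and locks an account after repeated failures."""

    def __init__(self, users: Dict[str, str], iterations: int = PBKDF2_ITERATIONS,
                 clock: Callable[[], float] = time.time):
        self._users = users                              # username -> password record
        self._clock = clock
        self._failures: Dict[str, List[float]] = {}      # username -> timestamps of recent failures
        # Verified in place of a missing user's record, so response time does not reveal
        # whether the username exists (enumeration via timing).
        self._dummy = hash_password(os.urandom(16).hex(), iterations)

    def _locked(self, username: str) -> bool:
        now = self._clock()
        recent = [t for t in self._failures.get(username, []) if now - t < LOCKOUT_SECONDS]
        self._failures[username] = recent
        return len(recent) >= MAX_FAILURES

    def login(self, username: str, password: str) -> Tuple[bool, str]:
        if self._locked(username):
            return False, GENERIC_ERROR    # lockout uses the same message: it must not confirm accounts
        record = self._users.get(username)
        # Always run exactly one PBKDF2 computation; the dummy record never matches.
        matched = verify_password(password, record if record is not None else self._dummy)
        if record is None or not matched:
            self._failures.setdefault(username, []).append(self._clock())
            return False, GENERIC_ERROR
        self._failures.pop(username, None)
        return True, "ok"


if __name__ == "__main__":
    users = {"alice": hash_password("correct horse battery staple")}   # constructed account
    svc = LoginService(users)
    print(svc.login("alice", "correct horse battery staple"))   # (True, 'ok')
    print(svc.login("alice", "wrong"))                          # (False, 'Invalid username or password')
    print(svc.login("nobody", "wrong"))                         # same message as the line above
```

Two things the code deliberately does not do: it never tells the caller which of "no such user", "wrong password" or "locked out" occurred, and it never skips the hash computation for an unknown user. The per-account counter is the "lockout" control; a per-source-IP counter ("rate limiting") would sit in front of it, and both need to be logged so the "no monitoring" gap is closed as well.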

Bypass via Logic Flaws

Examples include:

  • Missing checks

  • Broken parameter validation

  • Hardcoded backdoor credentials

  • Password reset flaws

Session Weaknesses

Session vulnerabilities allow attackers to impersonate users.

Session Prediction

Weak random generation allows guessing session tokens.

Session Fixation

An attacker forces a victim to use a session ID the attacker already knows.

Session Hijacking

An attacker steals session tokens through:

  • XSS

  • Man-in-the-middle

  • Insecure cookies

Missing Logout Invalidation

If logout does not destroy the session, tokens remain usable.

Long Session Lifetimes

Persistent sessions with no expiration let attackers reuse stolen tokens indefinitely.

Authentication Flows

Many vulnerabilities arise from incomplete or misconfigured flows.

Registration

Weak validation during sign-up enables:

  • Username takeover

  • Injection attacks

  • Email spoofing

Login

Incorrect login logic exposes brute force and enumeration weaknesses.

Password Reset

Flaws include:

  • Predictable reset tokens

  • Tokens leaked in logs

  • Reset links not expiring

  • Reset pages without authentication
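Each of the four reset flaws above has a direct counter-measure, and they fit in one small service. The following is an added example, not code from the original page: tokens come from the OS random source (not predictable), only a hash of the token is stored so a leaked table or log of that table yields nothing usable, the token expires after an assumed 15 minutes, and it is consumed on first use and bound to the account it was issued for. Python's standard library only; the 15-minute lifetime is an invented policy.

```python
import hashlib
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

RESET_TTL = 15 * 60   # assumed policy: a reset link is valid for 15 minutes


class PasswordResetService:
    """Single-use, short-lived reset tokens; only a hash of each token is stored."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._pending: Dict[str, Tuple[str, float]] = {}   # sha256(token) -> (username, issued_at)
        self._clock = clock

    @staticmethod
    def fingerprint(token: str) -> str:
        # Stored instead of the token itself: a database dump does not contain working links
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, username: str) -> str:
        """Create a token for the account. The caller delivers it to the user's verified
        address and must keep it out of application logs and referrer-leaking URLs."""
        token = secrets.token_urlsafe(32)   # 256 bits of CSPRNG output: not guessable or enumerable
        self._pending[self.fingerprint(token)] = (username, self._clock())
        return token

    def redeem(self, token: str, username: str) -> bool:
        """Consume the token. True exactly once, only within RESET_TTL, only for its own account."""
        entry = self._pending.pop(self.fingerprint(token), None)   # pop: single use, even on failure
        if entry is None:
            return False
        owner, issued_at = entry
        if self._clock() - issued_at > RESET_TTL:
            return False   # expired links are dropped rather than honoured late
        # The account comes from the token, never from a user-supplied field on the reset form;
        # a mismatch is treated as misuse and the token is already gone.
        return owner == username


if __name__ == "__main__":
    svc = PasswordResetService()
    token = svc.issue("alice")            # constructed account
    print(svc.redeem(token, "alice"))     # True
    print(svc.redeem(token, "alice"))     # False: already used
```

Treating the reset page as unauthenticated is correct only because the token itself is the proof of possession; the service therefore never reveals whether an address is registered when a reset is requested, and the token, not a username parameter, decides whose password changes.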

Account Recovery

Fallback methods such as security questions can be exploited when they are not properly controlled.

Logout

Logout endpoints must destroy session data instead of just redirecting.

Token-Based Authentication Weaknesses

JWT Misconfigurations

Common issues:

  • Accepting the none algorithm

  • Not validating signatures

  • Overly broad claims

  • Using long-lived tokens
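A verifier that closes all four gaps above is short enough to read in full. This added example is not from the original page and is not a library: it implements HS256 signing and verification with Python's standard library, pins the accepted algorithm on the server side instead of reading it from the token header, recomputes and compares the signature in constant time, requires an expiry claim, and checks the audience claim so a token issued for one service is not honoured by another. The key and claims in the usage block are constructed.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Dict, Optional, Tuple

ALLOWED_ALG = "HS256"   # pinned server-side; the token's header never gets to choose


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: Dict[str, Any], key: bytes) -> str:
    """Issue a compact JWT: base64url(header).base64url(claims).base64url(HMAC-SHA256)."""
    header = {"alg": ALLOWED_ALG, "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_jwt(token: str, key: bytes, expected_aud: str,
               now: Optional[float] = None) -> Tuple[Optional[Dict[str, Any]], Optional[str]]:
    """Return (claims, None) for a valid token or (None, reason) otherwise.
    Each check corresponds to one misconfiguration from the list above."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError):
        return None, "malformed token"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None, "malformed token"
    # 1. 'none' algorithm (or any algorithm named by the sender): refuse anything but the pinned one.
    if header.get("alg") != ALLOWED_ALG:
        return None, f"unsupported algorithm {header.get('alg')!r}"
    # 2. Signature not validated: recompute the MAC over header.payload and compare in constant time.
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None, "bad signature"
    # 3. Long-lived tokens: exp is mandatory and must lie in the future.
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        return None, "missing or past exp"
    # 4. Overly broad claims: a token minted for one audience must not be accepted by another.
    if claims.get("aud") != expected_aud:
        return None, "wrong audience"
    return claims, None


if __name__ == "__main__":
    key = b"constructed-demo-key-do-not-reuse"
    tok = sign_hs256({"sub": "alice", "aud": "orders-api", "exp": int(time.time()) + 300}, key)
    print(verify_jwt(tok, key, "orders-api"))    # (claims, None)
    print(verify_jwt(tok, key, "billing-api"))   # (None, 'wrong audience')
```

The order of the checks matters: algorithm first, then signature, and only then any claim, so that nothing inside an unverified payload influences a decision. Short expiry limits the damage from a leaked token, and the audience check is the simplest form of scoping; a real deployment would also validate issuer and, for public-key algorithms, pin the expected key rather than trusting any key reference inside the header.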

API Keys

Often leaked in:

  • JavaScript files

  • GitHub repositories

  • Mobile apps

  • Hidden directories

Leaked keys grant full access without passwords.

How Authentication & Session Vulnerabilities Lead to Exploitation

Vulnerabilities in these systems typically lead to:

  • Account takeover

  • Privilege escalation

  • Unauthorized access

  • Data theft

  • Bypass of security controls

Even a minor flaw such as missing HttpOnly or improper error messages can escalate into full compromise.

Intel Dump

  • Authentication validates identity; sessions maintain state.

  • Weaknesses in these systems enable brute force, credential stuffing, and bypass attacks.

  • Session tokens must be random, unique, and protected with secure cookie attributes.

  • Improper session handling allows hijacking, fixation, and impersonation.

  • Authentication flows must protect registration, login, reset, and logout stages.

  • Token-based systems (API keys, JWTs) require strict validation and secure storage.

  • Small misconfigurations in authentication or session handling often lead to full account compromise.
