tbhm:04_authorization, revision 2026/05/14 09:59 (current) by drew ("integrate zseano methodology"); previous revision 2026/05/14 09:18 by drew ("TBHM import").
====== Auth and Session ======

===== Auth (better be quick) =====

Auth Related (more in logic, priv, and transport sections)

  * User/pass discrepancy flaw
  * Registration page harvesting
  * Login page harvesting
  * Password reset page harvesting
  * No account lockout
  * Weak password policy
  * Password not required for account updates
  * Password reset tokens (no expiry or re-use)

===== Session (better be quick) =====

Session Related:
  * Failure to invalidate old cookies
  * No new cookies on login/logout/timeout
  * Never-ending cookie lifetime (no expiry)
  * Multiple sessions allowed
  * Easily reversible cookie (base64 most often)

===== Zseano Auth Testing =====

**Login testing:**
  * Host header injection in password reset: ''Host: evil.com'' -- does the reset link use evil.com?
  * ''myemail%00@email.com'' -- null byte truncation to a real account
  * Redirect parameter on login/reset: ''returnUrl'', ''goto'', ''return_url'', ''back''
  * Mobile login vs desktop -- often different codebases

**Session bugs:**
  * Old cookies not invalidated on logout
  * Base64-encoded cookies -- readable user data
  * No new session cookie on privilege change

**Account takeover chains:**
  * XSS + no email change confirmation = ATO
  * CSRF + email change = ATO
  * Open redirect in OAuth = token theft = ATO

  * [[zseano:auth_session|Full Zseano Auth Guide]]
  * [[zseano:escalation|Bug Chaining & Escalation]]
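Added example (not part of the TBHM page or the Zseano guide it links): a Python sketch of the fix side of three checklist items above, namely a password-reset link built from a configured origin instead of the request's Host header, reset tokens that expire and are single use, and an email containing a null byte that is rejected rather than truncated. ''CANONICAL_ORIGIN'', the 15-minute TTL and the in-memory token store are assumptions standing in for real deployment config and a database.

```python
import hashlib
import secrets
import time

# Assumed deployment config: the reset link origin is fixed here and never taken
# from the inbound Host header (hypothetical value); tokens expire after 15 minutes.
CANONICAL_ORIGIN = "https://accounts.example.test"
TOKEN_TTL_SECONDS = 15 * 60

class ResetTokenStore:
    """Outstanding reset tokens keyed by SHA-256(token); in-memory stand-in for a DB table."""
    def __init__(self, now=time.time):
        self._now = now        # injectable clock so expiry can be exercised in tests
        self._pending = {}     # digest -> (email, expires_at)

    @staticmethod
    def _digest(token):
        # Only the hash is stored, so a leaked table does not yield usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email):
        token = secrets.token_urlsafe(32)  # 256 random bits, URL-safe alphabet
        self._pending[self._digest(token)] = (email, self._now() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token):
        # pop() makes every token single use, whether or not it has already expired
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        email, expires_at = entry
        return email if self._now() <= expires_at else None

def normalize_email(raw):
    """Reject control characters (NUL included) rather than let a lower layer truncate them."""
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in raw):
        return None
    email = raw.strip().lower()
    local, sep, domain = email.partition("@")
    if not sep or not local or not domain or "@" in domain:
        return None
    return email

def build_reset_link(store, requested_email, request_host):
    """request_host is the inbound Host header; it is a parameter only to show it is ignored."""
    email = normalize_email(requested_email)
    if email is None:
        return None
    return f"{CANONICAL_ORIGIN}/reset?token={store.issue(email)}"
```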
  
tbhm/04_authorization.1778746727.txt.gz · Last modified: by drew