====== Auth and Session ======

===== Auth (better be quick) =====

Auth Related (more in logic, priv, and transport sections)

  * User/pass discrepancy flaw (login or reset responses reveal whether an account exists)
  * Registration page harvesting
  * Login page harvesting
  * Password reset page harvesting
  * No account lockout
  * Weak password policy
  * Password not required for account updates
  * Password reset tokens (no expiry or re-use)

===== Session (better be quick) =====

Session Related:

  * Failure to invalidate old cookies
  * No new cookies on login/logout/timeout
  * Never-ending cookie lifetime
  * Multiple concurrent sessions allowed
  * Easily reversible cookie (base64 most often)

===== Zseano Auth Testing =====

**Login testing:**

  * Host header injection in password reset: ''Host: evil.com'' -- does the reset link use evil.com?
  * ''myemail%00@email.com'' -- null byte truncation to a real account
  * Redirect parameter on login/reset: ''returnUrl'', ''goto'', ''return_url'', ''back''
  * Mobile login vs desktop -- often different codebases

**Session bugs:**

  * Old cookies not invalidated on logout
  * Base64-encoded cookies -- readable user data
  * No new session cookie on privilege change

**Account takeover chains:**

  * XSS + no email change confirmation = ATO
  * CSRF + email change = ATO
  * Open redirect in OAuth = token theft = ATO

  * [[zseano:auth_session|Full Zseano Auth Guide]]
  * [[zseano:escalation|Bug Chaining & Escalation]]
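The checklist above is written from the tester's side. As an added example (not from this page and not Zseano's code), the following Python shows what the fixed versions of the listed auth and session items look like in one place: reset tokens that expire and are single-use, reset links built from a configured origin instead of the Host header, opaque session ids rotated on login and privilege change and dropped on logout, a strict same-site check for ''returnUrl''-style parameters, and rejection of control characters such as a null byte in the email used for account lookup. Names like ''CANONICAL_ORIGIN'', ''PasswordResetService'', ''SessionStore'' and the sample users are assumptions made for the example; the clock is injectable so expiry can be exercised without sleeping.

```python
"""Defensive counterparts to the auth/session checklist (constructed example)."""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional
from urllib.parse import urlsplit

# Assumption: the app knows its own origin from config; the Host header is never used.
CANONICAL_ORIGIN = "https://app.example.test"
RESET_TOKEN_TTL = 15 * 60      # reset links expire after 15 minutes
SESSION_MAX_LIFETIME = 8 * 3600  # absolute cap, so a cookie cannot live forever


@dataclass
class ResetRecord:
    user: str
    expires_at: float
    used: bool = False


class PasswordResetService:
    """Single-use, expiring reset tokens; only a hash of the token is stored."""

    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now
        self._records: Dict[str, ResetRecord] = {}  # keyed by sha256(token)

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user: str, request_host: Optional[str] = None) -> str:
        """Build the reset link; request_host is accepted but deliberately ignored."""
        token = secrets.token_urlsafe(32)
        self._records[self._hash(token)] = ResetRecord(user, self._now() + RESET_TOKEN_TTL)
        return f"{CANONICAL_ORIGIN}/reset?token={token}"

    def redeem(self, token: str) -> Optional[str]:
        """Return the user for a valid, unexpired, unused token and burn it; else None."""
        rec = self._records.get(self._hash(token))
        if rec is None or rec.used or self._now() > rec.expires_at:
            return None
        rec.used = True
        return rec.user


class SessionStore:
    """Opaque random ids: rotated on login/privilege change, destroyed on logout."""

    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now
        self._sessions: Dict[str, dict] = {}

    def create(self, user: str, role: str = "user") -> str:
        sid = secrets.token_urlsafe(32)  # nothing decodable, unlike a base64 blob of user data
        self._sessions[sid] = {"user": user, "role": role, "created": self._now()}
        return sid

    def lookup(self, sid: str) -> Optional[dict]:
        s = self._sessions.get(sid)
        if s is None:
            return None
        if self._now() - s["created"] > SESSION_MAX_LIFETIME:
            del self._sessions[sid]  # absolute timeout: the old cookie stops working
            return None
        return s

    def rotate(self, old_sid: str, role: Optional[str] = None) -> Optional[str]:
        """Issue a fresh id on login or role change and invalidate the old one."""
        s = self.lookup(old_sid)
        if s is None:
            return None
        del self._sessions[old_sid]
        return self.create(s["user"], role or s["role"])

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def safe_return_url(candidate: str) -> str:
    """Allow only same-site relative paths for returnUrl/goto/back; otherwise go home."""
    parts = urlsplit(candidate)
    if (parts.scheme or parts.netloc or "\\" in candidate
            or not candidate.startswith("/") or candidate.startswith("//")):
        return "/"
    return candidate


def email_is_clean(email: str) -> bool:
    """Reject control characters (including NUL) before the value reaches any lookup."""
    return all(ord(c) >= 0x20 for c in email) and "@" in email
```

The reset service stores a hash rather than the token itself, so a leaked table does not hand out live links, and ''redeem'' marks the record used on the first success, which is what closes the "no expiry or re-use" item. ''SessionStore.rotate'' is the single code path for both login and privilege change, so there is no way to elevate a role while keeping the pre-elevation cookie.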