====== Auth & Session Bugs ======

Authentication and session management flaws that lead to account takeover.

===== Authentication Flaws =====

  * **User/pass discrepancy** -- different error messages for a wrong username vs a wrong password = username enumeration
  * **No account lockout** -- brute force possible (check program policy before testing)
  * **Weak password policy** -- weak passwords accepted
  * **Password not required** for account updates
  * **Reset tokens** -- no expiration, no reuse prevention, or insufficient entropy
  * **Host header injection** in password reset: send ''Host: evil.com'', does the reset link become ''evil.com/reset?token=...''?

===== Session Flaws =====

  * Old cookies not invalidated on login/logout
  * No new session cookie issued on auth state change
  * Sessions that never expire
  * Multiple concurrent sessions allowed without notification
  * Base64-encoded cookies -- easily decoded to reveal user data

===== Login Testing =====

  * Redirect parameter? Try ''returnUrl'', ''goto'', ''return_url'', ''back'', ''returnTo''
  * Login with ''myemail%00@email.com'' -- does null byte truncation map it to the real email?
  * Social media login -- OAuth flow, check for token leaks in the redirect
  * Mobile vs desktop login -- different code, different bugs
  * IDOR on password reset: try injecting an ''id'' parameter, test HTTP Parameter Pollution

===== Account Takeover Chains =====

  * XSS + no email change confirmation = steal session or change email silently
  * CSRF + no email change confirmation = change victim's email to attacker's
  * Open redirect in OAuth flow = token theft = account takeover
  * Password reset host header injection = intercept reset token

===== Privilege Escalation =====

  * Can a low-priv user access admin functions?
  * Use the **Autorize** Burp plugin -- replay requests across different roles
  * Browse directly to sensitive views as an unprivileged user
  * Test: user creation, project initialization, credential changes, payment info, PII views
  * Check whether ''"canEdit":"false"'' in JSON is enforced server-side or only client-side

===== See Also =====

  * [[zseano:idor|IDOR Testing]]
  * [[zseano:csrf|CSRF Testing]]
  * [[zseano:open_redirects|Open Redirects]]
  * [[tbhm:04_authorization|TBHM Auth & Session]]
  * [[zseano:escalation|Bug Chaining]]
  * [[zseano:start|Methodology Index]]
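Added example, not from the original wiki page: a password-reset helper that shows the fix for the reset-token and Host-header items listed under Authentication Flaws (high-entropy, expiring, single-use tokens, and a reset link built from a configured base URL rather than the request's Host header). All names, the base URL and the in-memory store are assumptions for illustration.

```python
# Added example: password-reset tokens that address the checklist items above.
# Hypothetical names; APP_BASE_URL and the in-memory store are constructed for illustration.
import hashlib
import secrets
import time
from typing import Optional

# Fixed, configured origin. The reset link is never derived from the request's Host header,
# so a spoofed "Host: evil.com" cannot redirect the link (and the token) to an attacker host.
APP_BASE_URL = "https://example.test"   # constructed placeholder
TOKEN_TTL_SECONDS = 15 * 60             # short lifetime: the token expires

# Server-side store: sha256(token) -> record. Only the hash is stored, so a copy of the
# database does not yield usable tokens.
_reset_tokens = {}

def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()

def issue_reset_link(user_id: str, now: Optional[float] = None) -> str:
    """Create a high-entropy, expiring, single-use token and return the reset link."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG: sufficient entropy
    _reset_tokens[_digest(token)] = {
        "user": user_id,
        "expires": now + TOKEN_TTL_SECONDS,
        "used": False,
    }
    return f"{APP_BASE_URL}/reset?token={token}"

def naive_reset_link(host_header: str, token: str) -> str:
    """The pattern the checklist warns about: the link inherits whatever Host the client sent."""
    return f"https://{host_header}/reset?token={token}"

def redeem_reset_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user id if the token is known, unexpired and unused; otherwise None."""
    now = time.time() if now is None else now
    rec = _reset_tokens.get(_digest(token))
    if rec is None or rec["used"] or now > rec["expires"]:
        return None
    rec["used"] = True   # reuse prevention: a replayed token is rejected
    return rec["user"]
```

The `naive_reset_link` function is kept only to contrast with `issue_reset_link`; a real implementation would have no code path that reads the host from the request.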