Auth and Session

Auth Related (more in logic, priv, and transport sections)

• User/pass discrepancy flaw
• Registration page harvesting
• Login page harvesting
• Password reset page harvesting
• No account lockout
• Weak password policy
• Password not required for account updates
• Password reset tokens (no expiry or re-use)

Session Related:

• Failure to invalidate old cookies
• No new cookies on login/logout/timeout
• Never ending cookie length
• Multiple sessions allowed
• Easily reversible cookie (base64 most often)

Login testing:

• Host header injection in password reset: Host: evil.com – does reset link use evil.com?
• myemail%00@email.com – null byte truncation to real account
• Redirect parameter on login/reset: returnUrl, goto, return_url, back
• Mobile login vs desktop – often different codebases

Session bugs:

• Old cookies not invalidated on logout
• Base64-encoded cookies – readable user data
• No new session cookie on privilege change

Account takeover chains:

• XSS + no email change confirmation = ATO
• CSRF + email change = ATO
• Open redirect in OAuth = token theft = ATO

• Full Zseano Auth Guide
• Bug Chaining & Escalation