Auth & Session Bugs

Authentication and session management flaws that lead to account takeover.

• User/pass discrepancy – different error messages for wrong username vs wrong password = username enumeration
• No account lockout – brute force possible (check program policy before testing)
• Weak password policy – weak passwords accepted
• Password not required for account updates
• Reset tokens – no expiration, reuse prevention, or sufficient entropy
• Host header injection in password reset: send Host: evil.com, does reset link become evil.com/reset?token=…?

• Old cookies not invalidated on login/logout
• No new session cookie issued on auth state change
• Sessions that never expire
• Multiple concurrent sessions allowed without notification
• Base64-encoded cookies – easily decoded to reveal user data

• Redirect parameter? Try returnUrl, goto, return_url, back, returnTo
• Login with myemail%00@email.com – null byte truncation to real email?
• Social media login – OAuth flow, check for token leaks in redirect
• Mobile vs desktop login – different code, different bugs
• IDOR on password reset: try injecting id parameter, test HTTP Parameter Pollution

• XSS + no email change confirmation = steal session or change email silently
• CSRF + no email change confirmation = change victim's email to attacker's
• Open redirect in OAuth flow = token theft = account takeover
• Password reset host header injection = intercept reset token

• Can a low-priv user access admin functions?
• Use Autorize Burp plugin – replay requests across different roles
• Browse directly to sensitive views as unprivileged user
• Test: user creation, project initialization, credential changes, payment info, PII views
• Check if “canEdit”:“false” JSON is enforced server-side or just client-side

• IDOR Testing
• CSRF Testing
• Open Redirects
• TBHM Auth & Session
• Bug Chaining
• Methodology Index