Broken Authentication
Comprehensive coverage of authentication vulnerabilities including weak credentials, session management flaws, and JWT misconfigurations. Practice credential stuffing, session fixation, and token forgery attacks.
Introduction to Broken Authentication
theoryOverview of authentication failures, their causes, and impacts.
Introduction to Broken Authentication
What is Broken Authentication?
Broken Authentication refers to weaknesses in authentication and session management that allow attackers to compromise passwords or impersonate users.
Common Issues
- Weak/default passwords
- Brute-force or credential stuffing
- Predictable session IDs
- Insecure password reset flows
- JWT misconfigurations (alg=none)
Knowledge Check
Which control mitigates credential stuffing?
Default & Weak Credentials
theoryWhy default credentials are dangerous.
Default & Weak Credentials
Default Credentials
Attackers try common default passwords like admin/admin.
Prevention
- Force password change at first login
- Strong password requirements
- Use MFA
Knowledge Check
What reduces risk of default credentials?
Simulation: Login with Default Credentials
simulationLog in with a simulated default credential pair.
Simulation Objective
Log in with a simulated default credential pair.
Target
/login
Scenario
Default login
Session Fixation & Session Management
theoryUnderstand why session IDs must rotate after login.
Session Fixation & Session Management
Session Fixation
Attacker gives user a session ID, and it remains valid after login.
Mitigation
- Rotate session ID after login
- Secure cookie flags
- Invalidate sessions on logout
Knowledge Check
How to prevent session fixation?
Simulation: Session Fixation Reuse
simulationProvide a fixed session ID and use it after login.
Simulation Objective
Provide a fixed session ID and use it after login.
Target
/session-test
Scenario
Fixation reuse
JWT Misconfiguration (alg=none)
theoryLearn about forging JWTs when signature isn't checked.
JWT Misconfiguration (alg=none)
JWT Pitfalls
Accepting alg=none or weak secrets allows forging tokens.
Fixes
- Reject alg=none
- Validate signature always
- Use strong secrets + rotate periodically
Knowledge Check
Which vulnerability allows unsigned JWTs?
Simulation: Forge JWT for Admin Access
simulationCraft admin JWT (alg=none or weak-secret).
Simulation Objective
Craft admin JWT (alg=none or weak-secret).
Target
/admin
Scenario
Jwt admin
Password Reset Flaws
theoryWeak reset tokens, long lifetime, predictable values.
Password Reset Flaws
Password Reset Risks
- Predictable or short tokens
- Long-lived reset links
- Tokens exposed in URLs/logs
Best Practices
- Short-lived, single-use tokens
- Server-side validation
- Rate-limit attempts
Knowledge Check
Which is secure practice?
Simulation: Guess Weak Reset Token
simulationGuess short predictable token to reset password.
Simulation Objective
Guess short predictable token to reset password.
Target
/reset-password?token=
Scenario
Guess reset token
Brute-Force & Rate-Limiting Controls
theoryWhy progressive delays and lockouts stop brute-force.
Brute-Force & Rate-Limiting Controls
Brute-force Defenses
- Rate-limiting per IP/account
- Progressive delay after failures
- MFA
Knowledge Check
Which helps block credential stuffing?
Simulation: Brute-Force with Rate-Limit
simulationSimulated brute-force with lockout logic.
Simulation Objective
Simulated brute-force with lockout logic.
Target
/login
Scenario
Rate limit test
Authentication Remediation & Best Practices
theoryFinal summary of secure approaches.
Authentication Remediation & Best Practices
Remediation Checklist
- Strong passwords + MFA
- Session rotation on login
- Strict JWT validation
- Brute-force protections
- Secure password reset tokens
Knowledge Check
Which improves authentication security?