Authentication and Session Management Vulnerabilities

#Breaking Authentication — When Login Systems Fail#link

After exploring injection vulnerabilities, we now turn to authentication and session management — the mechanisms that determine who a user is and whether they should have access to specific resources. Broken authentication is consistently one of the most exploited categories in real-world breaches.

How Authentication Should Work

A secure authentication system verifies a user's identity (usually with a username and password), creates a session, and maintains that session across subsequent requests. Each step in this process has potential vulnerabilities that attackers exploit.

Secure Authentication Flow:

1. User submits credentials → POST /login {username, password}
2. Server validates credentials against stored hash
3. Server creates session → Set-Cookie: session_id=random_token
4. Server stores session → session_store[random_token] = {user_id, expiry}
5. Subsequent requests → Cookie: session_id=random_token
6. Server validates session → Look up token, check expiry, grant access

Credential-Based Attacks

The most straightforward authentication attack is guessing or brute-forcing credentials. Despite being well-understood, credential attacks remain extremely effective because users consistently choose weak passwords and organizations often lack proper rate limiting.

# Using Hydra for brute-force login testing (authorized lab only)
hydra -l admin -P /usr/share/wordlists/rockyou.txt \
  http-get-form "/dvwa/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:Username and/or password incorrect:H=Cookie: PHPSESSID=abc123; security=low" \
  -V -f -t 4

DVWA includes a brute-force vulnerability page specifically for practicing this technique. Set security to 'Low' and try it with the tools above. Notice how the application gives different responses for valid vs. invalid usernames — this information leakage makes the attack much more efficient.

Credential Stuffing and Password Spraying

Modern credential attacks are more sophisticated than simple brute-forcing. Credential stuffing uses username/password pairs from previous data breaches, exploiting the fact that people reuse passwords across services. Password spraying tries one common password against many accounts, avoiding lockout triggers.

Session Management Flaws

Even with strong passwords, authentication can fail if session management is flawed. Sessions are the mechanism that keeps you logged in after authentication, and they are a prime target for attackers.

Common session management vulnerabilities include predictable session tokens, sessions that never expire, session fixation, and session tokens exposed in URLs.

# Example: Predictable session tokens
# If session IDs are sequential:
# User A logs in → session_id = 1001
# User B logs in → session_id = 1002
# Attacker can predict session_id = 1003 for the next user

# Example: Session token in URL (information leakage)
http://example.com/dashboard?session_id=abc123def456
# This gets logged in browser history, server logs, proxy logs,
# and can be leaked via the Referer header to third-party sites

Session Fixation Attack

Session fixation is a clever attack where the attacker sets the victim's session ID before the victim logs in. If the application does not regenerate the session ID after authentication, the attacker knows the authenticated session ID.

Session Fixation Attack Steps:

1. Attacker visits the site → receives session_id = FIXED123
2. Attacker sends victim a link with the session ID:
   http://example.com/login?session_id=FIXED123
3. Victim clicks link and logs in
4. Application authenticates session_id = FIXED123
5. Attacker uses session_id = FIXED123 → now authenticated as victim!

The fix: Regenerate session ID after successful login

Password Storage Vulnerabilities

How passwords are stored is just as important as how they are transmitted. Weak password storage means that even a database breach can expose all user credentials.

# Python — Proper password hashing with bcrypt
import bcrypt

# Hashing a password
password = b"user_password"
salt = bcrypt.gensalt(rounds=12)  # 2^12 iterations
hashed = bcrypt.hashpw(password, salt)
# Store 'hashed' in the database

# Verifying a password
if bcrypt.checkpw(password, stored_hash):
    print("Login successful")
else:
    print("Invalid password")

Multi-Factor Authentication (MFA) Bypass

MFA adds an extra layer of security, but it is not immune to attacks. Common MFA bypass techniques include:

• ▪Real-time phishing: Proxy that captures both password and MFA token as the user enters them
• ▪MFA fatigue: Sending repeated push notifications until the user accidentally approves
• ▪SIM swapping: Convincing the mobile carrier to transfer the victim's phone number
• ▪Backup code theft: Stealing the one-time backup codes provided during MFA setup
• ▪Race condition: Using the MFA token before the victim completes verification

Comprehensive Authentication Defense

Building a secure authentication system requires attention to every detail. Here is a comprehensive checklist:

• ▪Enforce strong password policies (minimum length, complexity requirements)
• ▪Implement rate limiting and account lockout (with care to avoid denial of service)
• ▪Use bcrypt, Argon2id, or PBKDF2 for password hashing — never MD5 or SHA-1
• ▪Implement MFA — preferably TOTP (Google Authenticator) or hardware keys (YubiKey)
• ▪Regenerate session IDs after login, privilege changes, and periodically
• ▪Set secure cookie attributes: HttpOnly, Secure, SameSite=Strict
• ▪Implement proper session timeout (idle and absolute)
• ▪Never expose session tokens in URLs
• ▪Log and monitor authentication events (failed logins, password changes, MFA events)
• ▪Use HTTPS everywhere — authentication over HTTP is always compromised