Broken Authentication and Session Management Tips
Step-by-Step Explanation
1st Scenario
Old Session Does Not Expire After Password Change
1. Create an account on your target site.
2. Log in to the same account in two browsers (for example Chrome and Firefox; an incognito window works as well).
3. Change your password in Chrome. After the password change succeeds, refresh the logged-in page in Firefox/incognito.
4. If you are still logged in there, this is a bug: the old session should have been invalidated.
2nd Scenario
Session Hijacking (Intended Behaviour)
Impact: if an attacker obtains the victim's cookies, it leads to an account takeover.
1. Create your account.
2. Log in to your account.
3. Use a cookie editor extension in the browser.
4. Copy all of the target's cookies.
5. Log out of your account.
6. Paste the saved cookies back using the cookie editor extension.
7. Refresh the page. If you are logged in again, the session was not invalidated server-side on logout, which is session hijacking.
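The first two scenarios share one root cause: the server treats the cookie as the session instead of as a handle to a server-side record that it can revoke. The following Python sketch, which is an added example and not code from the original post, shows what a store that passes both tests looks like. It keeps a per-user "auth generation" that is bumped on password change (so every other session is rejected) and deletes the server-side record on logout (so a copied cookie replayed afterwards resolves to nothing). All class and function names are assumptions for this illustration, and the password hashing is a stand-in for a proper slow hash.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


def _hash(password: str) -> str:
    # Illustration only: production code uses argon2/bcrypt/scrypt with a salt.
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass
class User:
    username: str
    password_hash: str
    auth_generation: int = 0   # incremented on every credential change


@dataclass
class Session:
    username: str
    auth_generation: int       # generation this session was issued under
    expires_at: float


class SessionStore:
    """Sessions live only on the server; the cookie is an opaque random handle."""

    def __init__(self, ttl_seconds: int = 3600):
        self.ttl = ttl_seconds
        self._users: Dict[str, User] = {}
        self._sessions: Dict[str, Session] = {}

    def register(self, username: str, password: str) -> None:
        self._users[username] = User(username, _hash(password))

    def _issue(self, user: User) -> str:
        sid = secrets.token_urlsafe(32)   # 256 bits of randomness
        self._sessions[sid] = Session(user.username, user.auth_generation,
                                      time.time() + self.ttl)
        return sid

    def login(self, username: str, password: str) -> Optional[str]:
        user = self._users.get(username)
        if user is None or not hmac.compare_digest(user.password_hash, _hash(password)):
            return None
        return self._issue(user)

    def current_user(self, sid: str) -> Optional[str]:
        """Resolve a cookie value; stale and revoked sessions resolve to None."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        user = self._users[sess.username]
        if time.time() > sess.expires_at or sess.auth_generation != user.auth_generation:
            self._sessions.pop(sid, None)   # lazy cleanup of a dead session
            return None
        return sess.username

    def logout(self, sid: str) -> None:
        """Scenario 2: delete the server-side record, so a cookie copied before
        logout and pasted back afterwards no longer maps to a session."""
        self._sessions.pop(sid, None)

    def change_password(self, sid: str, old_password: str,
                        new_password: str) -> Optional[str]:
        """Scenario 1: bump the generation so every other session for this user
        is rejected, and rotate the id of the session that made the change."""
        username = self.current_user(sid)
        if username is None:
            return None
        user = self._users[username]
        if not hmac.compare_digest(user.password_hash, _hash(old_password)):
            return None
        user.password_hash = _hash(new_password)
        user.auth_generation += 1
        self._sessions.pop(sid, None)
        return self._issue(user)
```

Walking the two scenarios through this store: log in twice (Chrome and Firefox), change the password from the Chrome session, and the Firefox session id stops resolving; log in, copy the id, log out, and the copied id also stops resolving. Keying revocation on a generation counter rather than walking every session means the check costs one comparison per request.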
3rd Scenario
Password Reset Token Does Not Expire (Insecure Configuration)
1. Create your account on the target site.
2. Request a forgot-password (reset) link.
3. Do not use that link.
4. Instead, log in with your old password and change your email address to a different one.
5. Now open the reset link that was sent to the old email address. If you can still change your password with it, there is a small bug.
4th Scenario
Server Security Misconfiguration
Lack of security headers: no Cache-Control on a sensitive page.
1. Log in to the application.
2. Navigate around the pages.
3. Log out.
4. Press Alt+Left Arrow (the browser back button).
5. If you are logged in again, or can still view the pages the user navigated, you found a bug.
Impact: if a user was on a very important page with a lot of details and logged out, and another person comes along and clicks back (because the first user didn't close the browser), that data is exposed. User information is leaked.
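The back-button check above passes only when the server tells the browser not to retain a copy of authenticated pages. This added Python example (not from the original post; the function names are assumptions) shows the headers an authenticated response should carry and a small auditor that parses a response's `Cache-Control` value and reports the directives that would let the page be served from the browser or a shared cache.

```python
from typing import Dict, List


def headers_for_private_page() -> Dict[str, str]:
    """Headers a server should attach to any response that is specific to a
    logged-in user, so neither the browser nor an intermediary keeps a copy."""
    return {
        "Cache-Control": "no-store, no-cache, must-revalidate, max-age=0",
        "Pragma": "no-cache",      # honoured by older HTTP/1.0 caches
        "Expires": "0",
        "Content-Type": "text/html; charset=utf-8",
    }


def _directives(value: str) -> Dict[str, str]:
    """Split 'no-store, max-age=0' into {'no-store': '', 'max-age': '0'}."""
    out: Dict[str, str] = {}
    for part in value.split(","):
        part = part.strip().lower()
        if not part:
            continue
        name, _, arg = part.partition("=")
        out[name.strip()] = arg.strip()
    return out


def audit_cache_headers(headers: Dict[str, str]) -> List[str]:
    """Return the caching problems found in a response's headers.
    An empty list means the page will not be replayed from a cache."""
    normalised = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []
    cc = normalised.get("cache-control")
    if cc is None:
        findings.append("missing Cache-Control header")
        return findings
    d = _directives(cc)
    if "no-store" not in d:
        findings.append("Cache-Control lacks no-store; the browser may keep a copy "
                        "and show it on back navigation")
    if "public" in d:
        findings.append("Cache-Control is public; a shared cache may serve the page "
                        "to a different user")
    max_age = d.get("max-age")
    if max_age and max_age.isdigit() and int(max_age) > 0:
        findings.append("max-age=%s allows reuse for %s seconds" % (max_age, max_age))
    return findings
```

The auditor is deliberately strict about `no-store`: `no-cache` alone only forces revalidation and still lets the browser keep the bytes, which is exactly what the back button then displays. `Content-Type` is included in the header set only so the sample is a complete response header block; it plays no part in the audit.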
5th Scenario
Broken Authentication to Email Verification Bypass (P4)
Category: P4 >> Broken Authentication and Session Management >> Failure to Invalidate Session >> On Password Reset and/or Change
1. First, create an account. You will receive an email verification link.
2. In my case the application gave fewer privileges and features to an unverified account.
3. Log in to the application and change the email address to B.
4. A verification link was sent to B, and I verified it.
5. Now change the email back to the address entered at account creation.
6. The application showed that my email was verified.
7. Hence email verification was bypassed: I never opened the link sent at account creation, yet that original email was marked verified.
8. No verification code was sent again when I changed the email back, and when I opened the account my profile showed the email as verified.
Impact: email verification was bypassed due to a broken authentication mechanism, so an attacker can reach the more privileged features, leaving the site prone to further attacks.
6th Scenario
Email Verification Bypass (P3-P4)
Impact: Email Verification Bypass
1. First, create an account with your own email address.
2. After creating the account, a verification link is sent to your address.
3. Do not use the verification link. Change your email to the victim's email.
4. Now go to your own inbox and click your own verification link.
5. If the victim's email gets verified, this is a bug.
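Scenarios 5 and 6 both come from a "verified" flag that is not tied to one specific address. The added Python example below (not code from the original post; names are assumptions) models the server-side fix: every token is bound to the exact address it was mailed to, any change of address clears the verified flag and discards outstanding tokens, and a token only marks the account verified if that address is still the account's current one. Under these rules the old link in scenario 6 cannot verify the victim's address, and changing back in scenario 5 does not resurrect a verification that never happened.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Tuple


class EmailVerifier:
    """Tracks (email, verified) per account and the tokens still outstanding."""

    def __init__(self, ttl_seconds: int = 3600):
        self.ttl = ttl_seconds
        self._accounts: Dict[str, Tuple[str, bool]] = {}          # user -> (email, verified)
        self._pending: Dict[str, Tuple[str, str, float]] = {}     # token hash -> (user, email, expiry)

    def _store_token(self, user: str, email: str) -> str:
        token = secrets.token_urlsafe(32)
        token_hash = hashlib.sha256(token.encode()).hexdigest()  # only the hash is stored
        self._pending[token_hash] = (user, email, time.time() + self.ttl)
        return token   # in a real system this is what gets mailed to `email`

    def create_account(self, user: str, email: str) -> str:
        self._accounts[user] = (email, False)
        return self._store_token(user, email)

    def change_email(self, user: str, new_email: str) -> str:
        """Any change of address drops verified status and discards every token
        the user still has outstanding, so an old link cannot be pointed at a
        different address (scenario 6)."""
        self._pending = {h: v for h, v in self._pending.items() if v[0] != user}
        self._accounts[user] = (new_email, False)
        return self._store_token(user, new_email)

    def verify(self, token: str) -> bool:
        token_hash = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.pop(token_hash, None)   # single use, whatever the outcome
        if entry is None:
            return False
        user, email, expiry = entry
        if time.time() > expiry:
            return False
        current_email, _ = self._accounts[user]
        # Mark verified only if the token's address is still the account's address.
        if not hmac.compare_digest(current_email, email):
            return False
        self._accounts[user] = (current_email, True)
        return True

    def is_verified(self, user: str) -> bool:
        return self._accounts[user][1]
```

Note that there is no per-address memory of past verifications: switching back to an earlier address in scenario 5 issues a fresh token for it, and the account stays unverified until that token is used.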
7th Scenario
Old Password Reset Token Not Expiring upon Requesting a New One (Sometimes P4)
Note: some companies won't accept it as a valid issue.
1. First, create an account with a valid email address.
2. After creating the account, log out and navigate to the Forgot Password page.
3. Request a password reset link for your account. A reset link will be sent to your email.
4. Without using this password reset link, request a new one.
5. Now go to your email and use the first reset link rather than the second one to change your password.
6. If you are able to change your password, this is a tiny bug.
8th Scenario
Password Reset Token Not Expiring After Password Change (P4)
1. First, create an account with a valid email address.
2. After creating the account, log out and navigate to the Forgot Password page.
3. Request a password reset link for your account.
4. Use the password reset link to change the password, then log in to your account.
5. Now use the old password reset link to change the password again.
6. If you are able to change your password again, this is a tiny bug.
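Scenarios 3, 7 and 8 are all properties of one object: the password reset token. The added Python example below (not from the original post; the names are assumptions and the hashing is a stand-in for a real slow hash) shows a token store where each of the three tests finds nothing. A token expires, only the most recently issued token for an account is live (scenario 7), a token is consumed on first use and also discarded by any password change (scenario 8), and it records the address it was mailed to and refuses to work once the account's address has changed (scenario 3).

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict


def _sha(value: str) -> str:
    # Illustration only; password hashing in production uses argon2/bcrypt/scrypt.
    return hashlib.sha256(value.encode()).hexdigest()


class ResetTokenStore:
    def __init__(self, ttl_seconds: int = 900):
        self.ttl = ttl_seconds
        self._users: Dict[str, Dict[str, str]] = {}        # user -> {"email", "password"}
        self._tokens: Dict[str, Dict[str, object]] = {}    # token hash -> record

    def register(self, user: str, email: str, password: str) -> None:
        self._users[user] = {"email": email, "password": _sha(password)}

    def change_email(self, user: str, new_email: str) -> None:
        self._users[user]["email"] = new_email

    def request_reset(self, user: str) -> str:
        """Issue a fresh token; any earlier token for this user is discarded (scenario 7)."""
        self._tokens = {h: r for h, r in self._tokens.items() if r["user"] != user}
        token = secrets.token_urlsafe(32)
        self._tokens[_sha(token)] = {              # store the hash, never the token itself
            "user": user,
            "email": self._users[user]["email"],   # the address the link is mailed to
            "expires_at": time.time() + self.ttl,
        }
        return token

    def reset_password(self, token: str, new_password: str) -> bool:
        rec = self._tokens.pop(_sha(token), None)  # single use, whatever the outcome (scenario 8)
        if rec is None:
            return False
        if time.time() > float(rec["expires_at"]):
            return False
        user = str(rec["user"])
        # Scenario 3: the link went to an address the account no longer uses.
        if not hmac.compare_digest(str(rec["email"]), self._users[user]["email"]):
            return False
        self._users[user]["password"] = _sha(new_password)
        return True

    def change_password(self, user: str, new_password: str) -> None:
        """A logged-in password change also discards any outstanding reset token."""
        self._users[user]["password"] = _sha(new_password)
        self._tokens = {h: r for h, r in self._tokens.items() if r["user"] != user}

    def check_password(self, user: str, password: str) -> bool:
        return hmac.compare_digest(self._users[user]["password"], _sha(password))
```

Storing only the hash of the token means a leaked database copy does not contain usable reset links, and popping the record before any check means a token can never be retried after a failure.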
Thank you guys for reading this post. Happy Hunting!
Resources: Google & YouTube
Authors: Farhan & Raiders
Support me: if you would like to support me, buy me a cup of coffee.
Follow me: @0xKayala | Satya Prakash