Identification and Authentication Failures (WIP)

A flaw in, or lack of, proper verification of the user's identity before granting access to a system or application. It involves issues such as poor session management, weak password policies, missing MFA, and no protection against brute-force attacks, among others.

Typical examples of this vulnerability:

  • A website manages sessions with an ID, but the ID is weak and guessable. If we go to the Inspect > Application > Cookies tab, we can check the session ID.

Example Output
Name               Value                              HttpOnly
...                ...                                ...
SessionID           3
...                ...                                ...

In this case, the session ID is assigned sequentially, so we can assume that previously used IDs exist and set them to try to access different locations on the page.


  • Sometimes we can find patterns in how the IDs are generated, for example time-based generation. In this case, we can see that the IDs are derived from the number of seconds that have passed.

Example Output
# First generated
Name               Value                              HttpOnly
...                ...                                ...
SessionID         1652592563
...                ...                                ...

# Second generated, 5 seconds later
Name               Value                              HttpOnly
...                ...                                ...
SessionID         1652592568
...                ...                                ...

  • A common standard for this is the number of seconds since January 1st, 1970 (Unix time). We can check this with a simple calculation as follows:


  • It is also common to use IDs generated with well-known hashes.


We can verify this with tools such as hash-identifier and then crack the hashes with tools or services such as hashcat or CrackStation.
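
The three weak patterns described above (sequential counter, Unix timestamp, well-known hash) can be checked for when auditing your own application's session IDs. The sketch below is an added example, not code from the original page; the function names, the plausible-timestamp window and the MD5 sample are assumptions made for illustration, and `new_session_id()` shows the mitigation: an ID drawn from the OS CSPRNG.

```python
import hashlib
import re
import secrets
from datetime import datetime, timezone

# Hex digest lengths of well-known hashes; length alone is only a hint.
HASH_LENGTHS = {32: "MD5", 40: "SHA-1", 64: "SHA-256"}
# Assumed window of plausible Unix timestamps (2001-09-09 .. 2033-05-18 UTC).
EPOCH_MIN, EPOCH_MAX = 1_000_000_000, 2_000_000_000


def classify(value):
    """Return (finding, detail) for one session ID value."""
    if re.fullmatch(r"[0-9]+", value):
        n = int(value)
        if EPOCH_MIN <= n <= EPOCH_MAX:
            # Seconds since 1970-01-01 UTC convert directly to a date.
            when = datetime.fromtimestamp(n, tz=timezone.utc)
            return "unix-timestamp", when.isoformat()
        if n < EPOCH_MIN:
            return "sequential-counter", f"counter value {n}"
    if re.fullmatch(r"[0-9a-fA-F]+", value) and len(value) in HASH_LENGTHS:
        return "hash-shaped", HASH_LENGTHS[len(value)]
    return "no-known-pattern", ""


def new_session_id():
    """Mitigation: 256 bits from the OS CSPRNG, URL-safe encoded (43 chars)."""
    return secrets.token_urlsafe(32)


# Constructed samples: the three values shown on this page, plus the MD5 of
# the counter "3" to stand in for an ID built from a well-known hash.
SAMPLES = ["3", "1652592563", "1652592568", hashlib.md5(b"3").hexdigest()]

if __name__ == "__main__":
    for sid in SAMPLES + [new_session_id()]:
        print(f"{sid:45} {classify(sid)}")
```

A "hash-shaped" result only means the length and character set match a known digest; hashing a guessable input such as a counter or timestamp does not make the ID unpredictable.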
