Identification and Authentication Failures
A flaw in, or the absence of, proper verification of a user's identity before granting access to a system or application. It covers weak session management, weak password policies, missing MFA and no protection against brute-force attacks, among other issues.
A typical example of this vulnerability:
A website manages sessions with a session ID, but the ID is weak and guessable. In the browser's developer tools, under Inspect > Application > Cookies, we can read the session cookie:
Name Value HttpOnly
... ... ...
SessionID 3
... ... ...
Sometimes we can find patterns in how the IDs are generated, for example that they are time-based. In this case the IDs grow by the number of seconds that have passed between requests:
# First generated
Name Value HttpOnly
... ... ...
SessionID 1652592563
... ... ...
# Second generated 5 seconds after
Name Value HttpOnly
... ... ...
SessionID 1652592568
... ... ...
A common format is the number of seconds elapsed since January 1st, 1970 UTC (a Unix timestamp). We can check this with a simple calculation:
// In the browser console, decode the ID as a Unix timestamp in seconds
new Date(1652592563 * 1000); // replace the number with the observed cookie value
// This prints the approximate creation time of the session ID
It is also common to find IDs produced by running a predictable value through a well-known hash function. The value below is the MD5 digest of the string "5", that is, a hashed sequential counter:
# First generated
Name Value HttpOnly
... ... ...
SessionID e4da3b7fbbce2345d7772b0674a318d5
... ... ...