Identification and Authentication Failures (WIP)

Flaws in, or absence of, proper verification of a user's identity before access is granted to a system or application. It covers weak session management, weak password policies, missing MFA, and a lack of protection against brute-force attacks, among others.

Typical examples of this vulnerability are as follows:

  • A website manages sessions with an ID, but the ID is weak and guessable. In the browser's Inspect > Application > Cookies tab we can check the session ID

Example Output
Name               Value                              HttpOnly
...                ...                                ...
SessionID          3
...                ...                                ...

In this case, the session ID is assigned sequentially, so we can assume that previously used IDs exist and try them to access other parts of the site.

  • Sometimes we can find patterns in how the IDs are generated, for example, that generation is time-based. In this case, we can see that the IDs are derived from elapsed seconds

Example Output
# First generated
Name               Value                              HttpOnly
...                ...                                ...
SessionID         1652592563
...                ...                                ...

# Second generated 5 seconds later
Name               Value                              HttpOnly
...                ...                                ...
SessionID         1652592568
...                ...                                ...

  • A common format for this is the number of seconds since January 1st, 1970 (Unix epoch time). We can check this with a simple calculation as follows:


  • It is also common to find IDs generated with well-known hash functions

We can verify this using tools such as hash-identifier and then crack them with tools such as hashcat or services such as CrackStation. If the hashed input is guessable, the session ID is no stronger than that input.
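As an added example (not part of the original notes), here is a small Python audit that classifies a sample of session IDs against the three weak patterns described above (sequential counter, Unix-epoch timestamp, bare hash digest), performs the epoch-to-date calculation for the timestamp value shown earlier, and contrasts the weak IDs with a CSPRNG-backed generator. The epoch window, the "small counter" threshold and the sample IDs are assumptions made for the example.

```python
import hashlib
import re
import secrets
from datetime import datetime, timezone

# Hex digest lengths of the well-known hashes (MD5, SHA-1, SHA-256).
HASH_HEX_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
# Assumed plausible window for "seconds since 1970" IDs (roughly 2001 .. 2033).
EPOCH_MIN, EPOCH_MAX = 1_000_000_000, 2_000_000_000


def unix_to_utc(ts: int) -> str:
    """The 'simple calculation': render a Unix timestamp as a UTC date string."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def classify_session_ids(ids: list[str]) -> str:
    """Classify a sample of session IDs observed from one server.

    Returns 'sequential', 'timestamp', 'hash-like' or 'opaque'. Anything but
    'opaque' is a finding: the ID space is enumerable or derived from guessable input.
    """
    if all(i.isdigit() for i in ids):
        values = [int(i) for i in ids]
        diffs = [b - a for a, b in zip(values, values[1:])]
        # Step of exactly 1, or a tiny integer space: a counter (assumed threshold).
        if (diffs and all(d == 1 for d in diffs)) or max(values) < 1_000_000:
            return "sequential"
        # Monotonic values inside the epoch window: clock-derived.
        if all(EPOCH_MIN <= v <= EPOCH_MAX for v in values) and all(d >= 0 for d in diffs):
            return "timestamp"
    # Lowercase hex of a digest length: looks like a raw hash of something.
    if all(re.fullmatch(r"[0-9a-f]+", i) and len(i) in HASH_HEX_LENGTHS for i in ids):
        return "hash-like"
    return "opaque"


def new_session_id() -> str:
    """Hardened generator: 256 bits from the OS CSPRNG, not a counter or clock."""
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    # Constructed samples modelled on the page's three weak patterns plus the fix.
    samples = {
        "counter": ["1", "2", "3"],
        "clock": ["1652592563", "1652592568"],
        "md5-of-user": [hashlib.md5(u).hexdigest() for u in (b"user1", b"user2")],
        "hardened": [new_session_id() for _ in range(3)],
    }
    for name, ids in samples.items():
        print(f"{name:12s} -> {classify_session_ids(ids)}")
    print("1652592563 ->", unix_to_utc(1652592563))  # 2022-05-15 05:29:23
```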
