Identification and Authentication Failures (WIP)
A flaw in, or absence of, proper verification of a user's identity before access to a system or application is granted. It covers weak session management, weak password policies, missing multi-factor authentication (MFA) and a lack of protection against brute-force attacks, among other issues.
A typical example of this vulnerability is the following.

A website manages sessions with an ID, but the ID is weak and guessable. In the browser's developer tools (Inspect > Application > Cookies) we can read the session cookie:

```
Name       Value   HttpOnly
...        ...     ...
SessionID  3
...        ...     ...
```

A value of 3 is almost certainly a plain counter, so the neighbouring sessions are simply 1, 2 and 4. Sometimes the pattern in ID generation is less obvious, for example when IDs are time-based. In the following case the IDs encode the number of seconds that have elapsed:
```
# First generated
Name       Value        HttpOnly
...        ...          ...
SessionID  1652592563
...        ...          ...

# Second generated, 5 seconds later
Name       Value        HttpOnly
...        ...          ...
SessionID  1652592568
...        ...          ...
```

The two values differ by exactly 5, matching the 5 seconds between the two requests. A ten-digit number of this size is almost always the number of seconds since 1 January 1970 00:00:00 UTC (Unix time). We can confirm this with a simple calculation:
```javascript
// In the browser console, decode the ID as a Unix timestamp.
// The value is in seconds and Date expects milliseconds, hence the * 1000.
const id = 1652592563;                // the captured SessionID
new Date(id * 1000);                  // prints the date in the browser's local time zone
new Date(id * 1000).toISOString();    // "2022-05-15T05:29:23.000Z"
```

This gives the (approximate) creation time of the session, and with it a very small search space: an attacker who knows roughly when a victim logged in only has to try the IDs for those few seconds. It is also common to see IDs generated with well-known hash functions:
```
# First generated
Name       Value                              HttpOnly
...        ...                                ...
SessionID  e4da3b7fbbce2345d7772b0674a318d5
...        ...                                ...
```

A 32-character hexadecimal string is the length of an MD5 digest (SHA-1 gives 40 characters, SHA-256 gives 64). Hashing adds no unpredictability of its own: if the input was a counter or a timestamp, an attacker hashes the same small set of candidates and compares the results with the cookie.