Intermediate Web — OWASP Top 10
Broken Authentication and Session Management
Authentication failures allow attackers to impersonate legitimate users. They range from weak passwords to incorrect session token and JWT implementations.
Brute Force and Credential Stuffing
Brute force: exhaustively tries password combinations. Credential stuffing: uses leaked credential lists from other services.
Test tool (own environment / authorized):
hydra -l admin@example.com -P wordlist.txt \
  "https-post-form://example.com/login:email=^USER^&password=^PASS^:Invalid credentials"
Mitigations:
- Rate limiting per IP and per account.
- Progressive lockout after N attempts.
- CAPTCHA on login forms.
- Email alerts on login from a new device.
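The first two mitigations combined, as an added example that is not part of the original page: a per-IP throttle slows brute force from one source, a per-account throttle slows credential stuffing that spreads one account's guesses over many IPs, and each lockout doubles in length. The thresholds (5 failures, 60 s base lockout, 5 min window) and the IP addresses in the demo are constructed values, and the in-memory store stands in for whatever shared store a real deployment would use.

```python
import time
from collections import defaultdict

# Policy values are constructed for the demo, not taken from the page.
MAX_FAILURES = 5             # failures inside WINDOW_SECONDS before a lockout
WINDOW_SECONDS = 300
BASE_LOCKOUT_SECONDS = 60    # first lockout; doubles on each further lockout
MAX_LOCKOUT_SECONDS = 3600


class LoginThrottle:
    """Per-key failure counter with progressive lockout (in-memory dict; a
    production deployment would back this with a shared store such as Redis).

    One instance is keyed by client IP (slows brute force from one source) and
    one by account (slows credential stuffing spread across many IPs).
    """

    def __init__(self, clock=time.time):
        self.clock = clock                 # injectable clock for deterministic tests
        self.failures = defaultdict(list)  # key -> timestamps of recent failures
        self.lockout_count = defaultdict(int)
        self.locked_until = {}

    def is_locked(self, key):
        return self.clock() < self.locked_until.get(key, 0)

    def record_failure(self, key):
        """Count a failure; return the lockout length in seconds if one was triggered, else 0."""
        now = self.clock()
        recent = [t for t in self.failures[key] if now - t < WINDOW_SECONDS]
        recent.append(now)
        self.failures[key] = recent
        if len(recent) < MAX_FAILURES:
            return 0
        n = self.lockout_count[key]
        duration = min(BASE_LOCKOUT_SECONDS * (2 ** n), MAX_LOCKOUT_SECONDS)
        self.locked_until[key] = now + duration
        self.lockout_count[key] = n + 1
        self.failures[key] = []
        return duration

    def record_success(self, key):
        """Reset counters for the key. Called for the account key only, so a
        valid login from an attacker-controlled IP does not clear that IP's history."""
        self.failures.pop(key, None)
        self.lockout_count.pop(key, None)
        self.locked_until.pop(key, None)


def attempt_login(ip_throttle, account_throttle, ip, account, credentials_ok):
    """Wrap a credential check with both throttles.

    credentials_ok is a callable so the real password check is skipped while
    locked: a locked-out client learns nothing about whether the guess was right.
    """
    if ip_throttle.is_locked(ip) or account_throttle.is_locked(account):
        return "locked"
    if credentials_ok():
        account_throttle.record_success(account)
        return "ok"
    ip_throttle.record_failure(ip)
    account_throttle.record_failure(account)
    return "invalid"


def simulate(attempts, start=1_000_000.0):
    """Replay constructed (ip, account, password_correct) attempts one second
    apart on a fake clock and return the outcome of each."""
    now = [start]
    ip_t = LoginThrottle(lambda: now[0])
    acct_t = LoginThrottle(lambda: now[0])
    outcomes = []
    for ip, account, correct in attempts:
        outcomes.append(attempt_login(ip_t, acct_t, ip, account, lambda c=correct: c))
        now[0] += 1
    return outcomes


if __name__ == "__main__":
    # Brute force: one IP, one account
    print(simulate([("198.51.100.7", "alice@example.com", False)] * 6))
    # Credential stuffing: one account, a fresh IP on every attempt
    print(simulate([(f"203.0.113.{i}", "alice@example.com", False) for i in range(1, 7)]))
```

Both runs end in "locked" on the sixth attempt, the first because of the IP throttle and the second because of the account throttle; a throttle keyed on IP alone would never have stopped the second one.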
Session Fixation
The attacker sets the session ID before authentication.
1. Attacker obtains a valid session ID: GET /login → Set-Cookie: SESSID=abc123
2. Sends link to victim: https://example.com/login?SESSID=abc123
3. Victim logs in with that session ID
4. Attacker uses the same SESSID abc123 — now authenticated as the victim
Prevention: regenerate the session ID after successful authentication.
session_start();
// After validating credentials:
session_regenerate_id(true); // new ID, destroys the old one
$_SESSION['user_id'] = $user->id;
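The same defence in Python, as an added example rather than code from the page: a small server-side session store whose login() binds the user to a freshly generated ID and deletes the pre-authentication one, which is what session_regenerate_id(true) does. fixation_scenario() replays the four steps above and shows that the ID the attacker planted resolves to nothing after the victim logs in. The in-memory dict and the user ID 42 are constructed for the demo; IDs come from secrets.token_urlsafe, as the Predictable Session Tokens section recommends.

```python
import secrets
import time

SESSION_ID_BYTES = 32  # 256 bits of entropy


class SessionStore:
    """Minimal server-side session store (in-memory dict, constructed for the demo).

    IDs are generated by the server and never accepted from a query string, so
    the attacker cannot choose the victim's ID; and even a planted cookie never
    becomes authenticated, because login() rotates the ID.
    """

    def __init__(self):
        self._sessions = {}  # session_id -> dict of session data

    def create(self):
        sid = secrets.token_urlsafe(SESSION_ID_BYTES)
        self._sessions[sid] = {"user_id": None, "created": time.time()}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def login(self, old_sid, user_id):
        """Bind user_id to a *new* session ID and destroy the old one.

        Mirrors session_regenerate_id(true): the pre-auth ID is removed, so
        whoever holds it is left with a dead session.
        """
        data = self._sessions.pop(old_sid, None)
        if data is None:
            data = {"created": time.time()}  # unknown or forged ID: start fresh
        new_sid = secrets.token_urlsafe(SESSION_ID_BYTES)
        data["user_id"] = user_id
        data["authenticated_at"] = time.time()
        self._sessions[new_sid] = data
        return new_sid

    def logout(self, sid):
        self._sessions.pop(sid, None)


def fixation_scenario(store):
    """Replay the four steps from the text and report what each ID resolves to."""
    planted = store.create()                  # step 1: attacker obtains a pre-auth ID
    victim_sid = store.login(planted, 42)     # steps 2-3: victim logs in; server rotates the ID
    return {                                  # step 4: attacker presents the planted ID
        "attacker_session": store.get(planted),
        "victim_session_user": store.get(victim_sid)["user_id"],
        "ids_differ": planted != victim_sid,
    }


if __name__ == "__main__":
    print(fixation_scenario(SessionStore()))
```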
Weak JWT — “none” Algorithm and HS256 vs RS256
JWT Header: {"alg":"none","typ":"JWT"}
Payload: {"sub":"1","role":"admin"}
Signature: (empty)
Older libraries accepted alg:none without signature verification.
HS256 vs RS256:
- HS256: shared secret — every service that verifies tokens holds the key that can also mint them, so compromising any of them compromises all JWTs.
- RS256: private key only on the auth server; other services verify with the public key only.
import jwt
# WRONG — without an algorithm allowlist the algorithm is taken from the untrusted header, which allows bypass
payload = jwt.decode(token, secret)
# CORRECT
payload = jwt.decode(token, secret, algorithms=["HS256"])
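What the allowlist actually does, shown with a verifier written from scratch on the standard library so it runs without PyJWT (an added example, not the page's own code): the header's alg is checked against the set of algorithms this service issues before any signature work, so the alg:none token from the text is rejected on that check alone, and an HS256 token with an edited payload fails the constant-time signature comparison. The secret and payloads are constructed for the demo; only HS256 is implemented here because RS256 needs an RSA library.

```python
import base64
import hashlib
import hmac
import json

# Only algorithms this service issues are accepted. "none" is never in the
# set, so an unsigned token is rejected before the key is even consulted.
ALLOWED_ALGORITHMS = {"HS256"}


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(payload, secret):
    """Issue a token the way the auth server would (used here to build inputs)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def build_unsigned_token(payload):
    """The alg:none shape from the text: header, payload, empty signature."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    return f"{header}.{body}."


def verify_jwt(token, secret, allowed=ALLOWED_ALGORITHMS):
    """Return the payload if alg is allowed and the signature verifies; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, p_b64, s_b64 = parts
    try:
        header = json.loads(b64url_decode(h_b64))
    except ValueError:
        raise ValueError("malformed header")
    alg = header.get("alg") if isinstance(header, dict) else None
    # Allowlist first: the header is attacker-controlled, so it may only
    # *select among* algorithms the server already decided to accept.
    if alg not in allowed:
        raise ValueError(f"algorithm {alg!r} not allowed")
    if alg != "HS256":
        raise ValueError(f"algorithm {alg!r} is allowed but not implemented in this example")
    expected = hmac.new(secret, f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        raise ValueError("signature mismatch")
    return json.loads(b64url_decode(p_b64))


def check_token(token, secret):
    """Handler-friendly wrapper: ("ok", payload) or ("rejected", reason)."""
    try:
        return "ok", verify_jwt(token, secret)
    except ValueError as exc:
        return "rejected", str(exc)


if __name__ == "__main__":
    secret = b"constructed-demo-secret"
    print(check_token(sign_hs256({"sub": "1", "role": "user"}, secret), secret))
    print(check_token(build_unsigned_token({"sub": "1", "role": "admin"}), secret))
```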
Predictable Session Tokens
# Weak generation (avoid): built from the user ID and the current second, so it is guessable
import time
session_id = str(user_id) + str(int(time.time()))
# Secure generation
import secrets
session_id = secrets.token_urlsafe(32)  # 256 bits of entropy
Secure Authentication Checklist
- Passwords stored with bcrypt/argon2 (appropriate cost factor).
- MFA enabled for privileged accounts.
- Session expiry after inactivity (e.g., 30 min).
- Logout invalidates the token/session server-side.
- HTTPS enforced; cookies with Secure and HttpOnly.
- Do not reveal whether the user exists in error messages (“Invalid credentials”, not “User not found”).
- Monitor suspicious login attempts with real-time alerts.
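Several checklist items in one runnable login service, added here as an example and not taken from the page: a salted slow hash for stored passwords, a single “Invalid credentials” message for unknown user and wrong password (with a dummy hash verified when the user does not exist, so the two failures take the same time), inactivity expiry at 30 min, server-side invalidation on logout, and a Set-Cookie value carrying Secure and HttpOnly. bcrypt/argon2 are not in the standard library, so PBKDF2-HMAC-SHA256 from hashlib stands in for them; the iteration count, the in-memory stores and the cookie name SESSID are assumptions for the demo.

```python
import hashlib
import hmac
import os
import secrets
import time

# PBKDF2 stands in for bcrypt/argon2 so the example runs offline; the
# iteration count is a constructed value, tune cost to your hardware.
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16
IDLE_TIMEOUT_SECONDS = 30 * 60
GENERIC_ERROR = "Invalid credentials"   # same text for "no such user" and "wrong password"


def hash_password(password, salt=None):
    salt = salt or os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt + digest


def verify_password(password, stored):
    salt, digest = stored[:SALT_BYTES], stored[SALT_BYTES:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


# Hash of a throwaway password, verified whenever the user does not exist, so
# a missing account costs the same time as a wrong password and cannot be
# told apart by response timing.
DUMMY_HASH = hash_password(secrets.token_hex(16))


def session_cookie_header(sid):
    """Set-Cookie value with the checklist flags; SameSite is an extra beyond the page."""
    return f"SESSID={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


class AuthService:
    def __init__(self, clock=time.time):
        self.clock = clock       # injectable for deterministic expiry tests
        self.users = {}          # email -> stored hash (constructed in-memory store)
        self.sessions = {}       # sid -> {"user": email, "last_seen": ts}

    def register(self, email, password):
        self.users[email] = hash_password(password)

    def login(self, email, password):
        """Return (session_id, None) on success or (None, GENERIC_ERROR) on failure."""
        stored = self.users.get(email)
        ok = verify_password(password, stored if stored is not None else DUMMY_HASH)
        if stored is None or not ok:
            return None, GENERIC_ERROR
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": email, "last_seen": self.clock()}
        return sid, None

    def current_user(self, sid):
        """Resolve a session, expiring it if idle longer than IDLE_TIMEOUT_SECONDS."""
        sess = self.sessions.get(sid)
        if sess is None:
            return None
        if self.clock() - sess["last_seen"] > IDLE_TIMEOUT_SECONDS:
            del self.sessions[sid]
            return None
        sess["last_seen"] = self.clock()
        return sess["user"]

    def logout(self, sid):
        self.sessions.pop(sid, None)   # server-side invalidation, not just a cleared cookie


if __name__ == "__main__":
    svc = AuthService()
    svc.register("alice@example.com", "correct horse battery staple")
    sid, err = svc.login("alice@example.com", "correct horse battery staple")
    print(session_cookie_header(sid), svc.current_user(sid))
    print(svc.login("alice@example.com", "wrong"), svc.login("nobody@example.com", "wrong"))
```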