Learn Authentication and Session Vulnerabilities | Web Application and API Exploitation
Practical Penetration Testing

Authentication and Session Vulnerabilities

Common Authentication Weaknesses

Authentication is how a web application checks who you are. If attackers find weaknesses here, they can pretend to be someone else or access accounts without permission. Common weaknesses include:

  • Using weak passwords, like "123456" or "password";
  • Allowing unlimited login attempts without blocking or slowing down attackers;
  • Not requiring multi-factor authentication (MFA);
  • Storing passwords in plain text (instead of as salted hashes) or sending them over unencrypted connections.

Example: If a website lets you try to log in as many times as you want, attackers can use a script to guess passwords until they succeed (called "brute forcing").

Session Management Flaws

A session is how a website remembers who you are after you log in. Attackers can target session management to hijack accounts. Common flaws include:

  • Using predictable or easily guessed session IDs, like "session=12345";
  • Not expiring sessions after logout or a period of inactivity;
  • Sending session IDs over unencrypted connections (HTTP instead of HTTPS).

Example: If a site puts the session ID in the URL, it leaks wherever URLs are recorded (server and proxy logs, browser history, the Referer header sent to other sites), and if the page is served over plain HTTP anyone watching the network traffic can read it directly. Whoever obtains the ID can present it to the site and act as you (known as "session hijacking").

How Attackers Exploit These Weaknesses

During penetration testing, you look for ways attackers might:

  • Guess or brute-force weak passwords;
  • Use stolen session tokens to access another user's account;
  • Replay old session tokens that are still valid;
  • Bypass authentication by manipulating requests or exploiting logic errors.
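The session flaws listed under "Session Management Flaws" and the token theft and replay items in this list, as one added Python example that is not part of this course's material. A small server-side session store is driven once with sequential IDs (an attacker holding one ID enumerates its neighbours and finds another user's session) and once with CSPRNG-generated IDs (nothing to enumerate). It also shows that logout and an idle timeout invalidate the token server-side, so a stolen or old token cannot be replayed, and emits the cookie flags that keep the browser from sending the ID over plain HTTP. The usernames, the 1800-second idle timeout and the starting counter value are constructed for the example.

```python
import itertools
import secrets

SESSION_TTL = 1800  # idle timeout in seconds (assumed value for the example)


class SessionStore:
    def __init__(self, id_generator, ttl: int = SESSION_TTL):
        self._new_id = id_generator
        self._ttl = ttl
        self._sessions: dict = {}  # session id -> (username, last_seen)

    def create(self, username: str, now: float) -> str:
        sid = self._new_id()
        self._sessions[sid] = (username, now)
        return sid

    def resolve(self, sid: str, now: float):
        """Return the user bound to sid, or None if the token is unknown or expired."""
        record = self._sessions.get(sid)
        if record is None:
            return None
        username, last_seen = record
        if now - last_seen > self._ttl:
            del self._sessions[sid]  # idle timeout: drop the session server-side
            return None
        self._sessions[sid] = (username, now)  # sliding expiry on activity
        return username

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)  # a logged-out token must not resolve again


# Weak generator: sequential integers, like "session=12345".
_counter = itertools.count(12345)


def predictable_id() -> str:
    return str(next(_counter))


# Strong generator: 128 bits from the OS CSPRNG, URL-safe encoded.
def random_id() -> str:
    return secrets.token_urlsafe(16)


def guess_neighbor_sessions(store: SessionStore, own_sid: str, now: float, window: int = 5):
    """Attacker holding a predictable ID tries nearby values and collects live sessions."""
    hits = []
    try:
        base = int(own_sid)
    except ValueError:
        return hits  # non-numeric token: nothing to enumerate
    for candidate in range(base - window, base + window + 1):
        sid = str(candidate)
        if sid == own_sid:
            continue
        user = store.resolve(sid, now)
        if user is not None:
            hits.append((sid, user))
    return hits


def set_cookie_header(sid: str, secure: bool = True) -> str:
    # Secure: never sent over plain HTTP; HttpOnly: hidden from page scripts;
    # SameSite: not attached to most cross-site requests.
    flags = ["HttpOnly", "SameSite=Lax"] + (["Secure"] if secure else [])
    return "Set-Cookie: session=" + sid + "; " + "; ".join(flags)


def demo_predictable():
    store = SessionStore(predictable_id)
    store.create("alice", now=0)            # victim logs in first
    attacker = store.create("mallory", now=0)
    return guess_neighbor_sessions(store, attacker, now=1)  # finds alice's session


def demo_random():
    store = SessionStore(random_id)
    store.create("alice", now=0)
    attacker = store.create("mallory", now=0)
    return guess_neighbor_sessions(store, attacker, now=1)  # []


def demo_replay_after_logout():
    store = SessionStore(random_id)
    sid = store.create("alice", now=0)
    before = store.resolve(sid, now=10)
    store.logout(sid)
    return before, store.resolve(sid, now=20)  # ('alice', None)


def demo_idle_timeout():
    store = SessionStore(random_id, ttl=60)
    sid = store.create("alice", now=0)
    return store.resolve(sid, now=30), store.resolve(sid, now=30 + 61)  # ('alice', None)


if __name__ == "__main__":
    print("predictable IDs:", demo_predictable())
    print("random IDs:     ", demo_random())
    print("replay:         ", demo_replay_after_logout())
    print("idle timeout:   ", demo_idle_timeout())
    print(set_cookie_header(random_id()))
```

When testing, the same checks map to concrete probes: request the session cookie over HTTP and see whether the browser sends it, log out and re-send a captured request with the old cookie, and compare several fresh session IDs for structure or sequence.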

Section 2. Chapter 1
