Chapter 21 Exercises: Authentication and Session Attacks

⚠️ Important: All exercises must be performed in your authorized lab environment only. Never test these techniques against systems without explicit written permission.


Exercise 1: Password Policy Assessment (Beginner)

Objective: Evaluate the password policy enforcement of ShopStack's registration endpoint.

Instructions:
1. Using Burp Suite or curl, send registration requests to /api/v1/auth/register with increasingly weak passwords
2. Test: empty password, single character, "password", "123456", username as password, 8-character dictionary word, password from known breaches
3. Document the minimum password the application accepts
4. Compare against NIST SP 800-63B guidelines

Deliverable: A table mapping each test password to the application's response, with a risk assessment of the enforced policy.
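As a companion to Exercise 1, here is an added reference implementation (written for this page, not code from the book or from ShopStack) of a registration-time policy check that follows the NIST SP 800-63B guidance the exercise compares against: a length floor, a blocklist of breached or common values, context-specific words, and repetitive or sequential strings. The BREACHED set, the probe list and the "alice"/"shopstack" context words are constructed placeholders.

```python
MIN_LEN, MAX_LEN = 8, 64  # NIST SP 800-63B: require at least 8 characters, accept at least 64
# Constructed stand-in for a breached/common-password corpus; a real check would
# consult a full list (for example a local copy of the Pwned Passwords hashes)
BREACHED = {"password", "123456", "qwerty123", "sunshine", "letmein1", "iloveyou"}


def is_run(s):
    """True for strings built from one repeated character or a straight run (abcdefgh, 12345678)."""
    if len(s) < 2:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps == {0} or steps == {1} or steps == {-1}


def password_findings(password, username, site="shopstack"):
    """Return the reasons a registration password should be rejected; [] means accept."""
    reasons = []
    lowered = password.lower()
    if len(password) < MIN_LEN:
        reasons.append(f"shorter than {MIN_LEN} characters")
    if len(password) > MAX_LEN:
        reasons.append(f"longer than {MAX_LEN} characters")
    if lowered in BREACHED:
        reasons.append("found in breached/common password list")
    for word in (username, site):  # NIST: reject context-specific words (username, service name)
        if word and word.lower() in lowered:
            reasons.append(f"contains context-specific word '{word}'")
    if is_run(lowered):
        reasons.append("repeated or sequential characters")
    return reasons


# The probe values from Exercise 1 plus one acceptable passphrase (constructed)
PROBES = ["", "a", "password", "123456", "alice", "sunshine", "qwerty123",
          "correct horse battery staple"]


def assessment(username="alice"):
    """Map each probe to the policy's verdict, the table Exercise 1 asks for."""
    return {p: password_findings(p, username) for p in PROBES}


if __name__ == "__main__":
    for probe, reasons in assessment().items():
        print(f"{probe!r:32} -> {'ACCEPT' if not reasons else '; '.join(reasons)}")
```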


Exercise 2: Username Enumeration (Beginner)

Objective: Determine whether ShopStack's login endpoint leaks information about valid usernames.

Instructions:
1. Send a login request with a known valid username and an incorrect password
2. Send a login request with a definitely invalid username and any password
3. Compare: HTTP status codes, response body text, response size, response headers, and response time (measure 10+ attempts for each to establish a timing baseline)
4. Test the password reset endpoint for similar enumeration vectors

Deliverable: A detailed comparison table noting all observable differences, with a severity rating for any enumeration findings.


Exercise 3: Session Token Analysis (Intermediate)

Objective: Evaluate the quality of ShopStack's session tokens using statistical analysis.

Instructions:
1. Write a script to authenticate 200 times and collect the resulting session tokens
2. Analyze the tokens for: length, character set, sequential patterns, timestamp embedding, Base64-encoded content
3. If possible, feed the tokens into Burp Suite's Sequencer tool for FIPS 140-2 randomness testing
4. Calculate the effective entropy of the tokens

Deliverable: A token analysis report including raw data, statistical analysis results, and a security assessment of the token generation mechanism.


Exercise 4: Session Fixation Testing (Intermediate)

Objective: Test whether ShopStack regenerates session identifiers upon authentication.

Instructions:
1. Visit the ShopStack login page and note the session token assigned to your unauthenticated session
2. Authenticate with valid credentials
3. Compare the pre-authentication and post-authentication session tokens
4. If the token changes, verify that the old token is invalidated
5. Test whether you can manually set a session token (via URL parameter or cookie) before authentication and have it persist after login

Deliverable: A step-by-step testing log with all session tokens documented and a determination of whether session fixation is possible.


Exercise 5: Cookie Security Audit

Objective: Audit all cookies set by ShopStack for security attributes.

Instructions:
1. Navigate through ShopStack's complete user journey (registration, login, browsing, checkout, logout)
2. For each cookie set by the application, document: name, value format, HttpOnly, Secure, SameSite, Domain, Path, Expires/Max-Age
3. Identify any cookies containing sensitive data (session tokens, user identifiers, preferences)
4. For each missing or misconfigured attribute, explain the security implication

Deliverable: A cookie audit spreadsheet with a row per cookie and a column per attribute, with risk assessments for any missing security attributes.
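An added example (not part of the original exercise or ShopStack) of the attribute audit Exercise 5 asks for: a script that parses raw Set-Cookie headers and records, per cookie, each missing or misconfigured attribute together with its implication. The sample headers, cookie names and the sensitive-name heuristic are all constructed.

```python
import re

# Constructed Set-Cookie headers standing in for what a lab application might emit
SAMPLE_HEADERS = [
    "session=c0ffee1234; Path=/; HttpOnly; Secure; SameSite=Lax",
    "remember_me=alice; Path=/; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Domain=shop.test",
    "__Host-csrf=deadbeef; Path=/; Secure; HttpOnly; SameSite=Strict",
    "__Host-broken=deadbeef; Path=/; Domain=shop.test; Secure",
    "theme=dark; Path=/",
]
# Assumed heuristic: names that usually carry an authentication artefact
SENSITIVE_NAME = re.compile(r"sess|token|auth|sid|jwt|remember", re.I)


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attribute: value})."""
    first, *rest = (part.strip() for part in header.split(";"))
    name, _, value = first.partition("=")
    attrs = {}
    for attr in rest:  # attribute names are case-insensitive; flags have an empty value
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_cookie(header):
    """Return (name, findings) for one cookie; an empty list means nothing was flagged."""
    name, _, attrs = parse_set_cookie(header)
    sensitive = bool(SENSITIVE_NAME.search(name))
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: cookie would be sent over plaintext HTTP")
    if sensitive and "httponly" not in attrs:
        findings.append("missing HttpOnly: script can read it, so XSS steals the session")
    samesite = attrs.get("samesite", "").lower()
    if not samesite:
        findings.append("missing SameSite: set Lax or Strict explicitly")
    elif samesite == "none" and "secure" not in attrs:
        findings.append("SameSite=None without Secure: browsers discard this cookie")
    if sensitive and ("expires" in attrs or "max-age" in attrs):
        findings.append("persistent session cookie: survives browser close")
    if sensitive and "domain" in attrs:
        findings.append(f"Domain={attrs['domain']}: shared with every subdomain")
    if name.startswith("__Host-") and (
            "domain" in attrs or attrs.get("path") != "/" or "secure" not in attrs):
        findings.append("__Host- prefix rules violated (needs Secure, Path=/, no Domain)")
    return name, findings


def audit_headers(headers):
    """Map each cookie name to its findings: one row per cookie, as the deliverable asks."""
    return dict(audit_cookie(h) for h in headers)
```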


Exercise 6: OAuth Redirect URI Testing (Advanced)

Objective: Test ShopStack's OAuth implementation for redirect URI manipulation vulnerabilities.

Instructions:
1. Identify ShopStack's OAuth authorization endpoint and registered redirect URIs
2. Using Burp Suite, intercept the OAuth authorization request
3. Systematically test the following redirect URI modifications:
   - Open redirect on the callback domain
   - Subdomain variations
   - Path traversal
   - URL encoding variations
   - Parameter pollution (multiple redirect_uri parameters)
   - Fragment injection
4. Test whether the state parameter is present and validated
5. If using the implicit flow, test whether the token is exposed via Referer headers

Deliverable: An OAuth security assessment documenting each test, the application's response, and the severity of any findings.


Exercise 7: JWT Analysis and Exploitation (Advanced)

Objective: Analyze and test ShopStack's JWT implementation for common vulnerabilities.

Instructions:
1. Authenticate to ShopStack and capture the JWT from the response
2. Decode the JWT (header and payload) using jwt.io, jwt_tool, or your own code
3. Document all claims in the payload and all header parameters
4. Test the following attacks:
   - Change alg to none and remove the signature
   - If RS256, attempt algorithm confusion to HS256 (requires the public key)
   - Modify payload claims (change role, extend expiration)
   - Remove or modify standard claims (exp, iss, aud) one at a time
5. If a jku or x5u parameter exists, test for URL injection

Deliverable: A JWT security assessment including the decoded token structure, results of each attack test, and recommended remediations.


Exercise 8: JWT Analyzer Tool Development (Advanced)

Objective: Build a Python tool that automates JWT security analysis.

Instructions:
1. Write a Python script that accepts a JWT as input
2. The tool should:
   - Decode and display the header and payload
   - Check for the none algorithm vulnerability
   - Identify weak algorithms (HS256 with guessable keys)
   - Verify expiration and other time-based claims
   - Attempt common HMAC secrets from a wordlist
   - Check for sensitive data in the payload
   - Generate modified tokens for testing
3. Use the provided example-01-jwt-analyzer.py as a starting point

Deliverable: A working Python tool with documented usage instructions and example output.
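An added example for Exercises 7 and 8, written for this page rather than taken from the book's example-01-jwt-analyzer.py: a compact verifier that decodes a token and reports every condition a correct implementation must reject, namely alg none (or any algorithm outside the verifier's allow-list), an HS256 MAC that does not match, a missing or past exp, and a jku/x5u header. SECRET, NOW and the four sample tokens are constructed; TAMPERED reuses GOOD's header and signature over a rewritten payload, which is the claim-modification case in step 4.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-lab-secret"  # assumption: the sample issuer's HS256 key
NOW = 1_700_000_000                  # fixed clock so the checks are reproducible

def b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_json(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_jwt(header, payload, key=b""):
    """Build a compact JWT; alg=none tokens get an empty signature segment."""
    signing_input = f"{b64url_json(header)}.{b64url_json(payload)}"
    if header.get("alg") == "none":
        return signing_input + "."
    mac = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + base64.urlsafe_b64encode(mac).rstrip(b"=").decode()

def audit_jwt(token, key, now=NOW):
    """Return findings for one token; an empty list means it passed every check."""
    head_b64, body_b64, sig_b64 = token.split(".")
    header, payload = (json.loads(b64url_decode(p)) for p in (head_b64, body_b64))
    findings = []
    alg = str(header.get("alg", "")).lower()
    if alg in ("", "none"):
        findings.append("alg missing or none: signature check would be skipped entirely")
    elif alg != "hs256":
        findings.append(f"alg {alg} is not on the verifier's allow-list")
    else:  # algorithm pinned by the verifier, MACs compared in constant time
        expected = hmac.new(key, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            findings.append("signature does not verify under the configured key")
    if "exp" not in payload:
        findings.append("missing exp: token never expires")
    elif payload["exp"] <= now:
        findings.append("expired")
    if "jku" in header or "x5u" in header:
        findings.append("jku/x5u present: key location must be pinned, never taken from the token")
    return findings

# Constructed sample tokens covering the cases in Exercise 7
CLAIMS = {"sub": "alice", "role": "user", "exp": NOW + 3600}
GOOD = make_jwt({"alg": "HS256", "typ": "JWT"}, CLAIMS, SECRET)
NONE_ALG = make_jwt({"alg": "none", "typ": "JWT"}, {**CLAIMS, "role": "admin"})
EXPIRED = make_jwt({"alg": "HS256"}, {**CLAIMS, "exp": NOW - 1}, SECRET)
TAMPERED = ".".join([GOOD.split(".")[0], b64url_json({**CLAIMS, "role": "admin"}), GOOD.split(".")[2]])
```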


Exercise 9: MFA Implementation Assessment (Intermediate)

Objective: Evaluate ShopStack's multi-factor authentication implementation for bypass vulnerabilities.

Instructions:
1. Enable MFA on your ShopStack test account (TOTP-based)
2. Test each of the following bypass techniques:
   - Skip the MFA step by directly accessing post-authentication endpoints
   - Submit MFA verification with an empty code
   - Submit incorrect codes to test rate limiting
   - Test whether backup/recovery codes work and are properly invalidated after use
   - Verify that MFA is required on all authentication flows (password login, OAuth, API key generation)
3. If push-based MFA is available, assess whether number matching is required

Deliverable: An MFA bypass assessment checklist with pass/fail status for each test and remediation recommendations.


Exercise 10: Session Tester Tool Development (Intermediate)

Objective: Build a Python tool for automated session management testing.

Instructions:
1. Write a Python script that tests session management security
2. The tool should test for:
   - Session ID randomness (collect N tokens and perform basic statistical analysis)
   - Session fixation (compare pre/post authentication tokens)
   - Session expiration (test access after configurable time periods)
   - Cookie attribute verification (HttpOnly, Secure, SameSite)
   - Concurrent session handling (test if multiple sessions are allowed)
3. Use the provided example-02-session-tester.py as a starting point

Deliverable: A working Python tool that generates a session security report.
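The statistical pass asked for in Exercise 3 and in the randomness check of Exercise 10, as an added example written for this page (it is not the book's example-02-session-tester.py): given a collected sample of tokens it reports length consistency, character set, the empirical Shannon entropy per character, the upper bound on bits per token, whether the numeric part advances by a constant step, and how many tokens embed a plausible Unix timestamp. WEAK_TOKENS and STRONG_TOKENS are constructed, not captured from any application; the epoch window is an assumed heuristic.

```python
import hashlib
import math
import re
from collections import Counter

# Constructed samples: WEAK_TOKENS embed a Unix timestamp plus an incrementing
# counter; STRONG_TOKENS stand in for 256-bit random values rendered as hex.
WEAK_TOKENS = [f"{1700000000 + i}-{1000 + i}" for i in range(50)]
STRONG_TOKENS = [hashlib.sha256(f"seed-{i}".encode()).hexdigest() for i in range(50)]
EPOCH_LOW, EPOCH_HIGH = 1_300_000_000, 2_000_000_000  # assumed plausible Unix-time window

def shannon_bits_per_char(tokens):
    """Empirical Shannon entropy in bits per character over the pooled sample."""
    counts = Counter("".join(tokens))
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())

def looks_sequential(tokens):
    """True when the first 4+ digit run of every token advances by a constant step."""
    runs = [re.search(r"\d{4,}", t) for t in tokens]
    if len(tokens) < 3 or not all(runs):
        return False
    values = [int(m.group()) for m in runs]
    steps = {b - a for a, b in zip(values, values[1:])}
    return len(steps) == 1 and steps != {0}

def timestamp_fraction(tokens):
    """Share of tokens containing a 10-digit number that reads as a recent Unix time."""
    hits = sum(
        any(EPOCH_LOW <= int(n) <= EPOCH_HIGH for n in re.findall(r"\d{10}", t))
        for t in tokens)
    return hits / len(tokens)

def analyze_tokens(tokens):
    """Summarise a token sample as a dict of metrics (the raw data for the report)."""
    charset = set("".join(tokens))
    avg_len = sum(len(t) for t in tokens) / len(tokens)
    return {
        "duplicates": len(tokens) - len(set(tokens)),
        "lengths": {len(t) for t in tokens},
        "charset_size": len(charset),
        "shannon_bits_per_char": round(shannon_bits_per_char(tokens), 3),
        "max_bits_per_token": round(avg_len * math.log2(len(charset)), 1),  # upper bound only
        "sequential": looks_sequential(tokens),
        "timestamp_fraction": timestamp_fraction(tokens),
    }

if __name__ == "__main__":
    for label, sample in (("weak", WEAK_TOKENS), ("strong", STRONG_TOKENS)):
        print(label, analyze_tokens(sample))
```

The per-character entropy is a sanity check, not a proof of randomness: a counter-based token can score well on it, which is why the sequential and timestamp checks are reported alongside and why Exercise 3 still sends the sample through Burp Sequencer.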


Exercise 11: Credential Stuffing Simulation (Intermediate)

Objective: Assess ShopStack's defenses against credential stuffing attacks.

Instructions:
1. Create a test wordlist with 100 username/password pairs (use dummy data)
2. Write a script that submits login attempts at a controlled rate
3. Document ShopStack's responses:
   - At what point is rate limiting triggered?
   - Does the application present CAPTCHA?
   - Are accounts locked after failed attempts? If so, how many?
   - Do response times change as attempt count increases?
4. Test whether rate limiting can be bypassed using X-Forwarded-For headers

Deliverable: A credential stuffing resilience report with metrics on detection and prevention thresholds.


Exercise 12: SAML Response Manipulation (Advanced)

Objective: Test ShopStack's SAML SSO implementation for response manipulation vulnerabilities.

Instructions:
1. Set up a Keycloak instance as an Identity Provider for ShopStack's enterprise SSO
2. Capture a valid SAML response using Burp Suite
3. Test the following manipulations:
   - Remove the signature and submit the modified response
   - Modify the NameID to impersonate a different user
   - Change attribute values (e.g., role from "user" to "admin")
   - Replay a previously captured SAML assertion
   - Test XML Signature Wrapping (XSW) variants
4. Test whether the application validates NotOnOrAfter conditions

Deliverable: A SAML security assessment documenting each manipulation attempt and the application's response.


Exercise 13: Kerberoasting Lab (Advanced)

Objective: Perform a Kerberoasting attack in your lab Active Directory environment.

Instructions:
1. In your home lab AD environment, create a service account with an SPN
2. From a domain-joined machine, use Impacket's GetUserSPNs to request service tickets
3. Export the ticket hashes in Hashcat format
4. Attempt to crack the hashes using Hashcat with a common wordlist
5. Calculate the time required to crack passwords of different strengths (8-char, 12-char, 16-char, 20-char with varying complexity)
6. Document the complete attack chain and recommend mitigations

Deliverable: A Kerberoasting lab report including captured hashes (from your lab only), cracking statistics, and recommendations for service account password policies.


Exercise 14: Full Authentication Assessment Report (Advanced)

Objective: Conduct a comprehensive authentication and session management assessment of ShopStack.

Instructions:
1. Following the methodology outlined in Section 21.7, conduct a full assessment covering:
   - Password policy and storage
   - Session management
   - OAuth implementation
   - JWT security
   - MFA implementation
   - Cookie security
2. Prioritize findings by CVSS score
3. Include reproduction steps for each finding
4. Provide remediation recommendations with estimated effort

Deliverable: A professional-quality penetration test report focused on authentication and session management, using the template format from Appendix B.


Exercise 15: MedSecure Authentication Audit (Intermediate)

Objective: Assess the MedSecure patient portal's authentication mechanisms with healthcare-specific considerations.

Instructions:
1. Test MedSecure's login endpoint for all standard authentication weaknesses
2. Specifically evaluate healthcare-relevant controls:
   - Session timeout compliance (HIPAA requires automatic logoff)
   - Audit trail completeness (all auth events logged)
   - Emergency access ("break the glass") mechanism security
   - Patient vs. clinician role separation
3. Test whether different clinical roles (doctor, nurse, admin, billing) have appropriate access boundaries
4. Verify that authentication events include sufficient detail for forensic analysis

Deliverable: A healthcare-focused authentication audit report with specific references to HIPAA and HITECH requirements.


Exercise 16: Password Hash Cracking Lab (Intermediate)

Objective: Practice password hash identification and cracking techniques.

Instructions:
1. In your lab environment, obtain the following hash types: MD5, SHA-256, bcrypt, NTLM, Kerberos TGS (from your Kerberoasting exercise)
2. For each hash type:
   - Identify the hash format
   - Determine the appropriate Hashcat mode
   - Attempt dictionary attack with rockyou.txt
   - Attempt rule-based attack with best64.rule
   - Time the cracking attempt and calculate the crack rate (hashes/second)
3. Compare cracking speeds across hash types and draw conclusions about password storage security

Deliverable: A hash cracking analysis report comparing hash types, cracking speeds, and security implications.


Exercise 17: Token Replay and Revocation Testing (Intermediate)

Objective: Test whether ShopStack properly invalidates tokens after session-ending events.

Instructions:
1. Authenticate and capture your access token and refresh token
2. Test token validity after each of the following events:
   - Logout
   - Password change
   - Account deactivation
   - Token refresh (is the old refresh token invalidated?)
   - Permission change (role change from admin to user)
3. Test whether tokens from one ShopStack environment (staging) work in another (production)
4. Test concurrent session limits: can you maintain unlimited active sessions?

Deliverable: A token lifecycle security assessment documenting the results of each revocation test.


Exercise 18: Home Lab Security Infrastructure (Beginner)

Objective: Set up a complete authentication testing lab environment.

Instructions:
1. Using Docker Compose, deploy the authentication lab environment described in Section 21.9
2. Configure Keycloak as an OAuth/OIDC/SAML identity provider
3. Set up Burp Suite to intercept traffic from your lab applications
4. Complete at least 3 authentication-related challenges in OWASP Juice Shop
5. Complete at least 3 authentication lessons in WebGoat
6. Document your lab setup with screenshots and configuration files

Deliverable: A lab setup guide documenting the complete environment with screenshots of successful challenge completions.