Chapter 21 Further Reading: Authentication and Session Attacks
Standards and Specifications
- NIST SP 800-63B: Digital Identity Guidelines — Authentication and Lifecycle Management. The authoritative US government standard for authentication requirements. Covers password policies, MFA, session management, and authentication assurance levels. Essential reading for understanding what "secure authentication" means from a compliance perspective. https://pages.nist.gov/800-63-3/sp800-63b.html
- RFC 6749: The OAuth 2.0 Authorization Framework. The foundational specification for OAuth 2.0. Understanding the protocol specification is essential for identifying implementation deviations that create vulnerabilities. https://tools.ietf.org/html/rfc6749
- RFC 7519: JSON Web Token (JWT). The JWT specification. Read this alongside the OAuth specification to understand how JWTs are intended to be used and validated. https://tools.ietf.org/html/rfc7519
- RFC 7636: Proof Key for Code Exchange (PKCE). The PKCE extension to OAuth 2.0 that prevents authorization code interception. Increasingly required for all OAuth clients, not just public clients. https://tools.ietf.org/html/rfc7636
- FIDO2/WebAuthn Specification. The W3C specification for Web Authentication, the foundation of phishing-resistant MFA. Understanding this specification helps assess whether an implementation is correctly leveraging WebAuthn's security properties. https://www.w3.org/TR/webauthn-2/
OWASP Resources
- OWASP Testing Guide — Authentication Testing. The definitive open-source guide for authentication testing methodology, covering password policies, session management, OAuth, and MFA. Provides specific test cases with expected results. https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/04-Authentication_Testing/
- OWASP Session Management Cheat Sheet. Practical guidance for session management security, including cookie configuration, token generation, and session lifecycle management. https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html
- OWASP JSON Web Token Cheat Sheet. Security recommendations for JWT implementation, covering algorithm selection, claim validation, key management, and common pitfalls. https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_for_Java_Cheat_Sheet.html
Books
- "OAuth 2 in Action" by Justin Richer and Antonio Sanso (Manning, 2017). A comprehensive deep dive into OAuth 2.0 from both the developer and attacker perspectives. Covers the protocol's design decisions, security considerations, and common implementation mistakes.
- "Hacking APIs" by Corey Ball (No Starch Press, 2022). Covers API authentication attacks including OAuth and JWT exploitation. Particularly strong on practical testing methodology with real-world examples.
- "The Web Application Hacker's Handbook" by Dafydd Stuttard and Marcus Pinto (Wiley, 2011). Though older, the chapters on authentication and session management remain foundational. The systematic testing methodology outlined in this book is still widely used.
- "Identity Attack Vectors" by Morey J. Haber and Darran Rolls (Apress, 2020). Focuses on identity-based attacks across the enterprise, including Kerberos, SAML, and Active Directory attacks that intersect with web application authentication.
Tools and Documentation
- jwt_tool by ticarpi. The most comprehensive JWT testing tool. Documentation includes detailed explanations of each attack technique and example usage. https://github.com/ticarpi/jwt_tool
- Burp Suite Sequencer Documentation. Guide to using Burp's session token analysis tool, including interpreting FIPS 140-2 randomness test results. https://portswigger.net/burp/documentation/desktop/tools/sequencer
- Hashcat Wiki. Reference for hash modes, attack types, and rule-based cracking. Essential for password hash cracking in authentication assessments. https://hashcat.net/wiki/
- Impacket. Python collection of tools for working with Windows authentication protocols, including Kerberos attacks (GetUserSPNs, GetNPUsers) and NTLM relay. https://github.com/fortra/impacket
Research Papers and Articles
- "Critical vulnerabilities in JSON Web Token libraries" by Tim McLean (2015). The seminal research paper that documented the JWT "none" algorithm and algorithm confusion attacks. Required reading for understanding JWT security. https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/
- "OAuth Security Best Current Practice" (IETF Draft). The evolving IETF document that catalogs OAuth security threats and recommended mitigations beyond the base specification. https://tools.ietf.org/html/draft-ietf-oauth-security-topics
- "Lapsus$: Group Profile and Attack Analysis" (Microsoft Security Blog, 2022). Microsoft's detailed analysis of the Lapsus$ group's tactics, techniques, and procedures, including MFA fatigue and social engineering methods. https://www.microsoft.com/en-us/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/
- "An Empirical Study of OAuth Implementations" by Ethan Shernan et al. Academic research analyzing OAuth implementation patterns and common vulnerabilities across major web applications.
Conferences and Talks
- "A Critical Analysis of SAML Security" by Juraj Somorovsky (CCS 2012). The foundational research on XML Signature Wrapping attacks against SAML implementations.
- "Attacking and Defending OAuth 2.0" by Aaron Parecki (OWASP AppSec). A practitioner's guide to OAuth security testing, covering the most impactful attack techniques and real-world examples.
- "Kerberoasting Revisited" by Will Schroeder (DerbyCon). Deep technical analysis of Kerberos service ticket attacks and modern defense strategies.
Practice Platforms
- PortSwigger Web Security Academy — Authentication Labs. Free, structured authentication testing labs with detailed solutions. Covers password attacks, MFA bypass, and OAuth vulnerabilities. https://portswigger.net/web-security/authentication
- OWASP Juice Shop. Open-source vulnerable application with authentication challenges ranging from beginner to advanced. https://owasp.org/www-project-juice-shop/
- HackTheBox Academy — Authentication Attacks Module. Structured learning path covering credential attacks, session management, and modern authentication bypass techniques. https://academy.hackthebox.com/