Chapter 21 Key Takeaways: Authentication and Session Attacks

Core Principles

  1. Authentication is the most critical security boundary. When authentication fails, every downstream security control becomes irrelevant. An attacker who can impersonate a legitimate user has no need to find injection vulnerabilities or bypass WAF rules.

  2. Authentication security is systemic. A single weak link undermines the entire chain. Strong passwords are meaningless if session tokens are predictable. Robust MFA is useless if the application allows step-skipping. Proper JWT verification is irrelevant if the "none" algorithm is accepted.

  3. Test the full authentication lifecycle. Assessment must cover initial credential verification, session establishment, session maintenance, privilege changes, delegation (OAuth), token management (JWT), secondary factors (MFA), and session termination.

Authentication Mechanisms

  1. Password-based authentication remains the weakest link. Test for weak password policies, credential stuffing defenses, username enumeration, and insecure password storage indicators. Credential stuffing exploits the reality that over 60% of users reuse passwords.

  2. Token-based authentication shifts risk to token management. Bearer tokens grant access based solely on possession. Test for token predictability, insecure transmission, excessive lifespan, and inadequate revocation.

Session Management

  1. Session tokens must be cryptographically random with at least 128 bits of entropy. Use Burp Sequencer for statistical analysis. Sequential or predictable tokens enable session hijacking.

  2. Session fixation is prevented by regenerating session IDs after authentication. Always verify that the pre-authentication token is different from the post-authentication token.

  3. Cookie security attributes are mandatory, not optional. Every session cookie must have HttpOnly, Secure, and SameSite attributes. Missing attributes create exploitable attack vectors.

OAuth 2.0 and OIDC

  1. Redirect URI validation is the cornerstone of OAuth security. Test for path manipulation, subdomain variations, URL encoding bypasses, and open redirect chaining. Strict exact-match validation is the only reliable defense.

  2. The state parameter prevents CSRF on OAuth flows. Verify it is present, unpredictable, and validated on callback. Missing state parameters allow account linking attacks.

JWT Security

  1. Never trust the algorithm specified in the JWT header. The "none" algorithm attack and algorithm confusion (RS256 to HS256) both exploit implementations that let the token dictate its own verification method. Maintain a server-side allowlist of accepted algorithms.

  2. Validate all JWT claims. Beyond signature verification, check exp, nbf, iss, and aud claims. Test what happens when each claim is removed or modified.

  3. JKU/X5U and KID parameters are injection vectors. These header parameters can direct the server to fetch keys from attacker-controlled URLs or inject into file paths and database queries.
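A minimal HS256 verifier that applies items 1 and 2 above (and the JWT checklist under Defensive Recommendations), added here as an illustration and not taken from the chapter. It uses only the Python standard library and assumes a constructed demo key, a demo issuer (https://idp.example) and audience (api.example); mint_token exists only to produce test input, including an unsigned alg=none token.

```python
import base64, hashlib, hmac, json, time

SECRET = b"demo-hs256-secret-not-for-production"  # constructed demo key (assumption)
EXPECTED_ISS = "https://idp.example"               # assumed issuer for this example
EXPECTED_AUD = "api.example"                       # assumed audience for this example
SERVER_ALG = "HS256"  # fixed server-side; the token header never chooses this

def _b64url_decode(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def _b64url_encode(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def mint_token(claims, alg="HS256"):
    """Build a compact JWS as test input; alg='none' yields an unsigned token."""
    head = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = b"" if alg == "none" else hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url_encode(sig)}"

def verify_token(token, now=None):
    """Return the claims if the token is acceptable, otherwise raise ValueError."""
    now = int(time.time()) if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        claims = json.loads(_b64url_decode(p_b64))
    except ValueError as e:
        raise ValueError("malformed token") from e
    # Allowlist: header alg must equal the server's fixed algorithm; this one check rejects "none" and RS256->HS256 confusion.
    if header.get("alg") != SERVER_ALG:
        raise ValueError(f"algorithm not allowed: {header.get('alg')!r}")
    expected = hmac.new(SECRET, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    for name in ("exp", "nbf", "iss", "aud"):  # required, not optional
        if name not in claims:
            raise ValueError(f"missing claim: {name}")
    if not claims["nbf"] <= now < claims["exp"]:
        raise ValueError("token outside its validity window")
    if claims["iss"] != EXPECTED_ISS:
        raise ValueError("unexpected issuer")
    aud = claims["aud"] if isinstance(claims["aud"], list) else [claims["aud"]]
    if EXPECTED_AUD not in aud:
        raise ValueError("unexpected audience")
    return claims

def verdict(token, now=None):
    try:
        verify_token(token, now)
        return "ok"
    except ValueError as e:
        return str(e)
```

Each rejection reason maps to one checklist item, which makes the verifier easy to exercise by removing or altering a single claim at a time, as item 2 recommends.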

MFA Bypass

  1. MFA fatigue (push bombing) is a real and effective attack. The Uber/Lapsus$ breach proved that persistent push notifications combined with social engineering can defeat MFA. Number matching, rate limiting, and FIDO2/WebAuthn are the defenses.

  2. MFA implementation logic flaws are more common than cryptographic weaknesses. Test for step-skipping, response manipulation, backup authentication flow bypasses, and recovery code weaknesses.

SSO Attacks

  1. SAML XML Signature Wrapping (XSW) is a sophisticated but high-impact attack. The signed element validates correctly, but the application processes an attacker-injected unsigned element instead.

  2. Kerberoasting and AS-REP roasting exploit normal protocol behavior. Any authenticated domain user can request service tickets for offline cracking. Defense requires long, random service account passwords and Group Managed Service Accounts.

Defensive Recommendations

  1. Recommend phishing-resistant MFA (FIDO2/WebAuthn) for all privileged accounts. It is the only MFA method immune to phishing, MFA fatigue, and adversary-in-the-middle attacks.

  2. JWT security checklist: Reject "none" algorithm, maintain algorithm allowlist, validate all standard claims, validate JKU/X5U against allowlist, sanitize KID parameter, implement token revocation.

  3. Document findings with clear impact statements. Authentication bypasses consistently receive Critical severity ratings because they undermine the entire security model of the application.
