Chapter 21 Quiz: Authentication and Session Attacks

Test your understanding of authentication mechanisms, session management vulnerabilities, OAuth attacks, JWT exploitation, MFA bypass, and SSO attacks.


Question 1. What is the primary risk of an application returning different error messages for "invalid username" versus "invalid password" during login?

A) It allows attackers to bypass authentication entirely
B) It enables username enumeration, allowing attackers to build a list of valid accounts
C) It causes the application to leak password hashes
D) It violates GDPR data protection requirements


Question 2. A session token changes from sess_10042 to sess_10043 between two sequential authentication requests. What vulnerability does this indicate?

A) Session hijacking
B) Session fixation
C) Predictable session tokens (insufficient entropy)
D) Cross-site request forgery


Question 3. During an OAuth authorization flow, an attacker modifies the redirect_uri parameter to point to their own server. If the authorization server does not perform strict redirect URI validation, what is the immediate consequence?

A) The attacker obtains the user's password
B) The authorization code or access token is delivered to the attacker's server
C) The user's account is permanently compromised
D) The identity provider's private key is exposed


Question 4. A JWT has the header {"alg": "none", "typ": "JWT"} and an empty signature field. What does this represent?

A) A properly signed JWT using the latest encryption standard
B) An unsigned JWT that should be rejected by a secure implementation
C) A JWT signed with a symmetric key derived from "none"
D) A JWT that has had its signature stripped by a proxy server


Question 5. In a JWT algorithm confusion attack (RS256 to HS256), why does the forged token's signature validate?

A) HS256 does not require a signature
B) The server uses its RSA public key as the HMAC secret, matching the attacker's signature
C) The server falls back to no verification when algorithms don't match
D) The attacker has obtained the server's private RSA key


Question 6. What is "MFA fatigue" (also called MFA bombing)?

A) A vulnerability in the TOTP algorithm that reduces code entropy over time
B) Repeatedly sending push notification MFA prompts until the user approves one
C) An attack that bypasses MFA by exploiting the password reset flow
D) A denial-of-service attack that overwhelms the MFA server


Question 7. Which of the following cookie attributes prevents JavaScript from accessing the cookie value?

A) Secure
B) SameSite=Strict
C) HttpOnly
D) Path=/


Question 8. A session fixation attack is successful when:

A) The application uses HTTPS but the session cookie lacks the Secure flag
B) The application does not regenerate the session identifier after authentication
C) The session token is stored in localStorage instead of a cookie
D) The application uses IP-based session binding


Question 9. In PKCE (Proof Key for Code Exchange), what is the purpose of the code verifier and code challenge?

A) To encrypt the authorization code during transmission
B) To verify the identity of the authorization server
C) To ensure the entity exchanging the authorization code is the same one that initiated the flow
D) To replace the need for client authentication entirely


Question 10. An XML Signature Wrapping (XSW) attack against SAML works by:

A) Removing the XML signature entirely from the SAML assertion
B) Encrypting the SAML assertion with a different key
C) Moving the signed assertion and inserting an unsigned malicious assertion that the application processes
D) Modifying the signature algorithm to "none"


Question 11. During a Kerberoasting attack, what allows any authenticated domain user to request service tickets?

A) A vulnerability in the Kerberos protocol
B) A misconfiguration in Active Directory
C) It is a normal feature of Kerberos — any authenticated user can request tickets for services with SPNs
D) The attacker must first compromise the KRBTGT account


Question 12. Which of the following is the most phishing-resistant form of MFA?

A) SMS-based one-time codes
B) TOTP (Time-based One-Time Password) apps like Google Authenticator
C) Push notifications with number matching
D) FIDO2/WebAuthn with hardware security keys


Question 13. A JWT includes the header parameter "jku": "https://attacker.com/jwks.json". If the server processes this without validation, what happens?

A) The server sends its private key to the attacker's server
B) The server fetches the attacker's public key and uses it to verify the token's signature
C) The server redirects the user to the attacker's website
D) The JWT is automatically rejected because JKU is not a standard parameter


Question 14. What is the primary defense against credential stuffing attacks?

A) Requiring password complexity (uppercase, numbers, symbols)
B) Encrypting passwords with AES-256
C) Rate limiting with CAPTCHA/proof-of-work after suspicious activity
D) Using HTTPS for all authentication requests


Question 15. An application's MFA implementation verifies the TOTP code via a separate API endpoint. After entering the correct password, the server returns a response indicating MFA is required. An attacker skips the MFA step and directly accesses /api/dashboard. This vulnerability is best described as:

A) TOTP brute-force
B) MFA implementation logic flaw (step skipping)
C) Session fixation
D) Authentication bypass via SQL injection


Question 16. In the context of Kerberos authentication, what is a "Golden Ticket" attack?

A) Forging a Kerberos TGT using the KRBTGT account hash, allowing impersonation of any user
B) Intercepting a valid Kerberos ticket from network traffic
C) Brute-forcing the Kerberos encryption key using a dictionary attack
D) Exploiting a vulnerability in the Kerberos timestamp validation


Question 17. Which OAuth 2.0 parameter prevents Cross-Site Request Forgery attacks against the authorization flow?

A) scope
B) response_type
C) state
D) redirect_uri


Question 18. An application uses JWTs with RS256 for authentication. The best defense against the "none" algorithm attack is:

A) Checking that the signature is at least 256 bits long
B) Explicitly maintaining an allowlist of accepted algorithms and rejecting all others
C) Using HTTPS to prevent token tampering in transit
D) Setting a short expiration time on all tokens


Answer Key

  1. B — Username enumeration enables attackers to identify valid accounts before attempting password attacks, significantly reducing the effort required for brute-force or credential stuffing.

  2. C — Sequential session tokens with insufficient entropy are trivially predictable, allowing an attacker to guess valid session identifiers for other users.

  3. B — The authorization code or access token is sent to whichever URI is specified in the redirect_uri parameter. If the attacker controls this URI, they receive the authentication material.

  4. B — A JWT with alg: none is an unsigned token. Secure implementations must explicitly reject the "none" algorithm and require valid signatures.

  5. B — The server's RSA public key is publicly available. When the attacker signs with HS256 using this public key, and the server verifies HS256 using its "key" (the public key), the signatures match.

  6. B — MFA fatigue exploits human psychology by sending repeated push notifications until the target approves one, either accidentally or to stop the disruption.

  7. C — The HttpOnly flag prevents client-side JavaScript from accessing the cookie via document.cookie, mitigating XSS-based session theft.

  8. B — Session fixation succeeds when the application accepts an externally set session ID and does not issue a new one upon authentication, allowing the attacker's pre-set token to become associated with the victim's session.

  9. C — PKCE binds the authorization code to the client that initiated the flow. The code exchange requires the original code verifier, which only the legitimate client possesses.

  10. C — XSW attacks exploit how XML processors locate and validate signatures versus how they extract data. The signed (valid) element remains intact, but a malicious unsigned element is inserted for the application to process.

  11. C — Kerberoasting leverages normal Kerberos behavior: any authenticated user can request service tickets for any SPN. The encryption uses the service account's password hash, enabling offline cracking.

  12. D — FIDO2/WebAuthn with hardware security keys is phishing-resistant because authentication is cryptographically bound to the specific origin (domain) and requires physical interaction with the device.

  13. B — The jku parameter directs the server to fetch public keys from a specified URL. If not validated against an allowlist, the server accepts the attacker's key and validates the attacker's forged signature.

  14. C — Rate limiting with progressive challenges (CAPTCHA, proof-of-work) is the most effective defense against credential stuffing, which relies on high-volume automated login attempts.

  15. B — This is a classic MFA implementation logic flaw where the server does not enforce the MFA verification step as a prerequisite for accessing authenticated resources.

  16. A — A Golden Ticket is a forged Kerberos Ticket-Granting Ticket (TGT) created using the KRBTGT account's password hash, granting the attacker the ability to impersonate any user indefinitely.

  17. C — The state parameter is a CSRF token that links the authorization request to the user's session, preventing attackers from injecting their own authorization codes into the victim's session.

  18. B — Maintaining an algorithm allowlist and explicitly rejecting none and any unexpected algorithms is the definitive defense. The verification code should never trust the algorithm specified in the token header.
