
Broken Authentication Testing


Purpose

Identify and exploit authentication and session management vulnerabilities in web applications. Broken authentication consistently ranks in the OWASP Top 10 and can lead to account takeover, identity theft, and unauthorized access to sensitive systems. This skill covers testing methodologies for password policies, session handling, multi-factor authentication, and credential management.

Prerequisites


1. Required Knowledge

2. Required Tools

3. Required Access

4. Phase 1: Authentication Mechanism Analysis

5. Phase 2: Password Policy Testing

6. Phase 3: Credential Enumeration

7. Phase 4: Brute Force Testing

8. Phase 5: Credential Stuffing

9. Phase 6: Session Management Testing

10. Phase 7: Session Fixation Testing

11. Phase 8: Session Timeout Testing

12. Phase 9: Multi-Factor Authentication Testing

13. Phase 10: Password Reset Testing

14. Common Vulnerability Types

15. Credential Testing Payloads

16. Session Cookie Flags

17. Rate Limiting Bypass Headers

18. Legal Requirements

19. Technical Limitations

20. Scope Considerations

21. Example 1: Account Lockout Bypass

22. Example 2: JWT Token Attack

23. Example 3: Password Reset Token Exploitation
