Broken Authentication and Session Management
Step-by-Step Explanation:
1st Scenario
📌 Old Session Does Not Expire After Password Change:
 |
| Broken Authentication and Session Management |
2nd Scenario
📌 Session Hijacking (Intended Behaviour)
Impact: If the attacker gets the cookies of the victim it will lead to an account takeover.
 |
| Broken Authentication and Session Management |
3rd Scenario
📌 Password reset token does not expire (Insecure Configuration)
 |
| Broken Authentication and Session Management |
4th Scenario
📌 Server security misconfiguration
-> Lack of security headers -> Cache control for a security page
 |
| Broken Authentication and Session Management |
5th Scenario
📌 Broken Authentication to Email Verification Bypass (P4):
Category: P4 >> Broken Authentication and Session Management >> Failure to Invalidate Session >> On Password Reset and/or Change
 |
| Broken Authentication and Session Management |
6th Scenario
📌 Email Verification Bypass (P3/P4)
Impact: Email Verification Bypass
 |
| Broken Authentication and Session Management |
7th Scenario
📌 Old Password Reset Token Not Expiring upon Requesting New One (Sometimes P4)
Note: Some Companies won’t Accept it as a Valid Issue.
 |
| Broken Authentication and Session Management |
8th Scenario
📌 Password Reset Token Not Expiring After Password Change (P4):
 |
| Broken Authentication and Session Management |
Thank you guys for Reading this Post -- Happy Hunting 🐞
Resources: Google & YouTube
Authors: Farhan & Raiders
Support me: If you like to support me, buy me a cup of Coffee☕
![Advent of Cyber 2023 - [Day 11] Jingle Bells, Shadow Spells - Tryhackme](https://blogger.googleusercontent.com/img/a/AVvXsEjvhLIwhAgizmoE_mSLJoAQsbnom9VM6M3PU9GeUpPsF6PQHGL3O3q6OIOfOe3bdk8AQQC7HpiG4LOCRp5VtWa4QPQQ9YEGXUd9UbbhGBlt551ZtTcDG_z-fK6iuicipbKBnbJgnxsJjME41AaZS2X737-Ji_-vGHP7o2L3EIPSgMdzClKnHJk3_EBAsmk=w72-h72-p-k-no-nu)
0 Comments