Broken Authentication and Session Management
Step-by-Step Explanation:
1st Scenario
📌 Old Session Does Not Expire After Password Change:
Impact: Sessions issued before the password change stay valid, so an attacker who already holds the victim's session (for example via a stolen cookie) keeps access even after the victim changes the password. The fix is to invalidate every existing session on password change and re-issue only the one the user is currently on.
2nd Scenario
📌 Session Hijacking (Intended Behaviour, not a bug on its own)
Impact: If the attacker obtains the victim's session cookie, replaying it in their own browser leads to an account takeover. Programs usually expect you to show how the cookie is obtained; possession of a cookie by itself is how sessions are meant to work.
3rd Scenario
📌 Password Reset Token Does Not Expire (Insecure Configuration)
Impact: A reset link stays valid indefinitely, so a token recovered later (an old e-mail, a shared mailbox, browser history) can still reset the password. Reset tokens should carry a short lifetime and be consumed on first use.
4th Scenario
📌 Server Security Misconfiguration
-> Lack of security headers -> Missing Cache-Control on a security-sensitive page
Impact: Without Cache-Control: no-store (and a matching Pragma: no-cache for older caches), a page such as account settings or a password reset form may be stored by the browser or by an intermediate cache and later read back from there.
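The check below is an added example, not code from the original post: it parses a raw HTTP response and reports the cache-control weaknesses from the 4th scenario, and, going beyond that scenario, also flags session cookies set without HttpOnly, Secure or SameSite, since those attributes are what makes the cookie theft in the 2nd scenario harder. The raw response, cookie name and hardened header set are constructed for the example.

```python
"""Audit a sensitive page's response for cache and cookie hardening (added example)."""

# Constructed response for a sensitive page; not captured from any real site.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Cache-Control: public, max-age=3600\r\n"
    "Set-Cookie: session=abc123; Path=/\r\n"
    "\r\n"
    "<html>account settings</html>"
)

# Assumed hardened header set for the same page.
HARDENED_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Cache-Control": "no-store, no-cache, must-revalidate, max-age=0",
    "Pragma": "no-cache",
    "Expires": "0",
    "Set-Cookie": "session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
}


def build_response(headers, body=""):
    """Serialise a header dict into a raw HTTP/1.1 response string."""
    lines = ["HTTP/1.1 200 OK"] + [f"{k}: {v}" for k, v in headers.items()]
    return "\r\n".join(lines) + "\r\n\r\n" + body


def parse_response_headers(raw):
    """Return {lowercased-name: [values...]} for the header block of a raw response."""
    head, _, _ = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def cache_findings(headers):
    """Findings for a page that must never be cached."""
    findings = []
    directives = {
        d.strip().lower()
        for value in headers.get("cache-control", [])
        for d in value.split(",")
    }
    if "no-store" not in directives:
        findings.append("Cache-Control lacks no-store on a sensitive page")
    if "public" in directives:
        findings.append("Cache-Control: public lets shared caches keep the page")
    if "no-cache" not in [v.lower() for v in headers.get("pragma", [])]:
        findings.append("Pragma: no-cache missing (HTTP/1.0 caches)")
    return findings


def cookie_findings(headers):
    """Findings for Set-Cookie headers missing the attributes that limit theft."""
    findings = []
    for cookie in headers.get("set-cookie", []):
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().lower().split("=")[0] for a in cookie.split(";")[1:]}
        for attr, label in (("httponly", "HttpOnly"), ("secure", "Secure"), ("samesite", "SameSite")):
            if attr not in attrs:
                findings.append(f"cookie {name} lacks {label}")
    return findings


def audit(raw):
    headers = parse_response_headers(raw)
    return cache_findings(headers) + cookie_findings(headers)


if __name__ == "__main__":
    for finding in audit(WEAK_RESPONSE):
        print("weak:", finding)
    print("hardened:", audit(build_response(HARDENED_HEADERS)) or "no findings")
```

Run it against a saved response from the account page you are testing; an empty result for the hardened headers and six findings for the constructed weak response is the expected outcome.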
5th Scenario
📌 Broken Authentication Leading to Email Verification Bypass (P4):
Category: P4 >> Broken Authentication and Session Management >> Failure to Invalidate Session >> On Password Reset and/or Change
6th Scenario
📌 Email Verification Bypass (P3/P4)
Impact: An account ends up marked as verified for an e-mail address the attacker does not control, which undermines any feature that trusts the verified status.
7th Scenario
📌 Old Password Reset Token Not Expiring upon Requesting a New One (Sometimes P4)
Note: Some companies won't accept this as a valid issue on its own, since only the newest token is typically delivered to the mailbox; it matters most combined with a way to obtain an older token.
8th Scenario
📌 Password Reset Token Not Expiring After Password Change (P4):
Impact: A reset token issued before the user changed (or reset) the password can still be redeemed afterwards, so a token the attacker captured earlier lets them take the account back.
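The following is an added example, not code from the original post or from any real application: a small in-memory authentication service whose session and reset-token lifecycle closes the 1st, 3rd, 7th and 8th scenarios at once. Sessions and reset tokens record the user's password version at issue time and are rejected once that version moves on; reset tokens also carry a lifetime, and requesting a new token discards the previous one. The user, passwords, token lifetime and the fake clock are constructed for the demonstration, and the SHA-256 password hashing is a stand-in for a real password hash such as Argon2 or bcrypt.

```python
"""Session and password-reset token lifecycle that invalidates old credentials (added example)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

RESET_TOKEN_TTL = 15 * 60  # seconds; assumed lifetime for a reset token


@dataclass
class User:
    email: str
    password_hash: str
    password_version: int = 0   # bumped on every password change or reset


@dataclass
class Session:
    user_email: str
    password_version: int       # version the session was issued under


@dataclass
class ResetToken:
    user_email: str
    expires_at: float
    password_version: int


def _hash(password):
    # Demo only: use a slow, salted password hash (Argon2/bcrypt) in real code.
    return hashlib.sha256(password.encode()).hexdigest()


class AuthService:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.users = {}           # email -> User
        self.sessions = {}        # session id -> Session
        self.reset_tokens = {}    # token -> ResetToken
        self.active_reset = {}    # email -> the one token currently valid

    def register(self, email, password):
        self.users[email] = User(email, _hash(password))

    def login(self, email, password):
        user = self.users.get(email)
        if user is None or not hmac.compare_digest(user.password_hash, _hash(password)):
            return None
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(email, user.password_version)
        return sid

    def session_valid(self, sid):
        sess = self.sessions.get(sid)
        if sess is None:
            return False
        # 1st scenario: a session issued under an older password version is dead.
        return sess.password_version == self.users[sess.user_email].password_version

    def _discard_reset_token(self, email):
        old = self.active_reset.pop(email, None)
        if old is not None:
            self.reset_tokens.pop(old, None)

    def change_password(self, email, new_password):
        user = self.users[email]
        user.password_hash = _hash(new_password)
        user.password_version += 1          # kills every existing session
        self._discard_reset_token(email)    # 8th scenario: outstanding token dies too

    def request_reset(self, email):
        if email not in self.users:
            return None                     # caller must not reveal this to the requester
        self._discard_reset_token(email)    # 7th scenario: only the newest token is valid
        token = secrets.token_urlsafe(32)
        self.reset_tokens[token] = ResetToken(
            email, self.clock() + RESET_TOKEN_TTL, self.users[email].password_version)
        self.active_reset[email] = token
        return token

    def reset_password(self, token, new_password):
        rt = self.reset_tokens.pop(token, None)   # single use, even on failure
        if rt is None:
            return False
        self.active_reset.pop(rt.user_email, None)
        if self.clock() > rt.expires_at:          # 3rd scenario: expired token
            return False
        if rt.password_version != self.users[rt.user_email].password_version:
            return False                          # password changed since issue
        self.change_password(rt.user_email, new_password)
        return True


class FakeClock:
    """Controllable clock so the expiry path can be exercised without waiting."""
    def __init__(self, start=1_000_000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    """Walk through the four scenarios; every 'accepted' value should be False."""
    clock = FakeClock()
    svc = AuthService(clock=clock)
    svc.register("victim@example.com", "Hunter2!")     # constructed test account
    results = {}
    sid = svc.login("victim@example.com", "Hunter2!")
    svc.change_password("victim@example.com", "NewPass9!")
    results["old_session_valid_after_change"] = svc.session_valid(sid)
    first = svc.request_reset("victim@example.com")
    second = svc.request_reset("victim@example.com")
    results["first_token_alive_after_second_request"] = first in svc.reset_tokens
    svc.change_password("victim@example.com", "AnotherPass!")
    results["token_accepted_after_password_change"] = svc.reset_password(second, "x")
    third = svc.request_reset("victim@example.com")
    clock.advance(RESET_TOKEN_TTL + 1)
    results["expired_token_accepted"] = svc.reset_password(third, "Late!")
    fourth = svc.request_reset("victim@example.com")
    results["fresh_token_accepted"] = svc.reset_password(fourth, "Final!")
    results["login_with_final_password"] = svc.login("victim@example.com", "Final!") is not None
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The password version acts as a single kill switch: bumping it on change or reset invalidates every session and token that was issued earlier without the server having to track them individually, which is the behaviour each of these scenarios is testing for.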
Thank you for reading this post -- Happy Hunting 🐞
Resources: Google & YouTube
Authors: Farhan & Raiders
Support me: If you would like to support me, buy me a cup of coffee ☕