Authentication (Portswigger Academy)

Authentication is the process of verifying the identity of a given user or client.

Different types of authentication can be categorized into three authentication factors:

  1. Something you know, such as a password or the answer to a security question -> knowledge factor

  2. Something you have, such as a mobile phone or security token -> possession factor

  3. Something you are, such as biometric features or patterns of behaviour -> inherence factor

How do vulnerabilities arise?

Most vulnerabilities in authentication mechanisms arise in one of two ways:

  • The authentication mechanisms are weak because they fail to adequately protect against brute-force attacks.

  • Logic flaws or poor coding allow the authentication mechanism to be bypassed entirely by an attacker -> Broken Authentication

Since authentication is so critical to security, flawed logic in it exposes the website to serious security issues.
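As an added example (not code from the PortSwigger page or these notes), a minimal Python login guard showing the brute-force protection the first bullet refers to: failed attempts are counted per account inside a lock-out window, and the password check hashes and compares even for unknown usernames so that a failed login costs the same either way. The user store, credentials and limits are constructed placeholders.

```python
import hashlib
import hmac
import time
from collections import defaultdict

# Constructed user store (placeholder credentials): username -> (salt, PBKDF2 hash)
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

USERS = {"alice": (b"salt-alice", _hash("correct horse battery", b"salt-alice"))}

MAX_FAILURES = 5      # failed attempts tolerated per account inside the window
LOCK_SECONDS = 300    # window in which failures count, and the lock-out length


class LoginGuard:
    """Refuses further logins for an account once it has too many recent failures."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock                  # injectable so tests can move time forward
        self.failures = defaultdict(list)   # username -> timestamps of failed attempts

    def _locked(self, username: str, now: float) -> bool:
        # Keep only failures that still fall inside the window, then test the limit
        recent = [t for t in self.failures[username] if now - t < LOCK_SECONDS]
        self.failures[username] = recent
        return len(recent) >= MAX_FAILURES

    def login(self, username: str, password: str) -> str:
        """Returns 'locked', 'invalid' or 'ok'. The same message covers bad user and bad password."""
        now = self.clock()
        if self._locked(username, now):
            return "locked"
        # Unknown users get a dummy salt/hash so the hashing work is always performed
        salt, stored = USERS.get(username, (b"dummy-salt", b"\x00" * 32))
        ok = hmac.compare_digest(_hash(password, salt), stored) and username in USERS
        if not ok:
            self.failures[username].append(now)
            return "invalid"
        self.failures[username].clear()     # a successful login resets the counter
        return "ok"
```

With the defaults, the sixth attempt against an account is refused even if the password is right, and the account reopens once the window has passed.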

What is the impact?

Authentication vulnerabilities can be severe, because:

  • Once the attacker has bypassed authentication or brute-forced their way into another user's account, they have access to all the data and functionality that the compromised account has.

  • If the attacker compromises a high-privileged account, such as a system administrator's, they can take full control over the application and may gain access to the internal infrastructure.

  • The attacker can access sensitive business information even with a low-privileged account.

  • Even a low-privileged account may grant access to additional pages, which increases the attack surface.

Vulnerabilities in different authentication mechanisms

Authentication systems consist of several distinct mechanisms in which vulnerabilities can occur. Some vulnerabilities are broadly applicable across all of these contexts, whereas others are specific to the functionality provided.

Areas with the most common vulnerabilities:

  • Vulnerabilities in password-based login

  • Vulnerabilities in multi-factor authentication

  • Vulnerabilities in other authentication mechanisms
