Authentication and Session Testing
Test login bruteforcing, session fixation, JWT weaknesses, and insecure remember-me tokens.
Authentication Testing Scope
Authentication testing covers: login bruteforcing, credential stuffing, session management weaknesses, JWT vulnerabilities, insecure remember-me tokens, and password reset flaws. A flaw in any one of these frequently leads to full account takeover, so each is tested on its own before the flows are combined.
Username Enumeration
Different error messages for an invalid username versus an invalid password leak which usernames exist. Compare a known-invalid username against each candidate and look for differences in response time, message text, HTTP status code, redirect URL, and response length. Any consistent difference is an oracle for enumeration, even when the message text itself is identical.
# Test login with:
# Valid user, wrong pass   → "Incorrect password"
# Invalid user             → "User not found"
# Different messages confirm which usernames are valid.
# Time-based: noticeably longer response for valid users,
# because the bcrypt hash is computed only when the username exists.
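The two oracles above, message text and response time, can be checked mechanically. The following is an added example, not code from the course: it simulates a leaky login endpoint and a hardened one (constant error message, dummy hash computed for unknown users so timing no longer depends on validity), then runs a probe that compares every candidate username against a baseline username that certainly does not exist. The user store, salts, usernames and PBKDF2 stand-in for bcrypt are all constructed for the example; in a real test the login function would wrap an HTTP request and return the status, body and Location header.

```python
import hashlib
import hmac
import os
import statistics
import time


def _slow_hash(password: str, salt: bytes) -> bytes:
    """Deliberately slow password hash (PBKDF2 stands in for bcrypt here)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store for the simulated target: username -> (salt, hash).
_USERS = {"alice": (b"salt-alice", _slow_hash("correct horse", b"salt-alice"))}
# Dummy credential hashed for unknown users so the hardened path costs the same.
_DUMMY = (b"salt-dummy", _slow_hash("dummy", b"salt-dummy"))


def vulnerable_login(username: str, password: str):
    """Leaky login: distinct messages, and hashing only happens for known users."""
    if username not in _USERS:
        return 401, "User not found"
    salt, stored = _USERS[username]
    if not hmac.compare_digest(_slow_hash(password, salt), stored):
        return 401, "Incorrect password"
    return 302, "/dashboard"


def hardened_login(username: str, password: str):
    """Same message either way; always pays the hashing cost."""
    salt, stored = _USERS.get(username, _DUMMY)
    ok = hmac.compare_digest(_slow_hash(password, salt), stored) and username in _USERS
    if not ok:
        return 401, "Invalid username or password"
    return 302, "/dashboard"


def probe(login, candidates, baseline="zz-no-such-user-8f3a", samples=5):
    """Return {username: [reasons]} where a non-empty list means the response
    for that username is distinguishable from the known-invalid baseline.
    Timing is judged on the median of several samples to damp noise, and a
    10 ms absolute floor avoids flagging microsecond jitter as a difference."""

    def measure(user):
        times, resp = [], None
        for _ in range(samples):
            pw = "wrong-" + os.urandom(4).hex()  # never the real password
            t0 = time.perf_counter()
            resp = login(user, pw)
            times.append(time.perf_counter() - t0)
        return resp, statistics.median(times)

    base_resp, base_t = measure(baseline)
    findings = {}
    for user in candidates:
        resp, t = measure(user)
        reasons = []
        if resp[0] != base_resp[0]:
            reasons.append(f"status {resp[0]} vs {base_resp[0]}")
        if resp[1] != base_resp[1]:
            reasons.append(f"message {resp[1]!r} vs {base_resp[1]!r}")
        if t > base_t * 3 and t - base_t > 0.010:
            reasons.append(f"timing {t * 1000:.1f}ms vs {base_t * 1000:.1f}ms")
        findings[user] = reasons
    return findings


def leaks(login, candidates=("alice", "bob")) -> bool:
    """True if any candidate is distinguishable from the invalid baseline."""
    return any(probe(login, candidates).values())


if __name__ == "__main__":
    for name, fn in (("vulnerable", vulnerable_login), ("hardened", hardened_login)):
        print(name, probe(fn, ["alice", "bob"]))
```

Against the simulated endpoints, `alice` is flagged on the vulnerable login for both the message difference and the timing gap, `bob` is not, and nothing is flagged on the hardened login. When pointing this at a real target, keep the sample count low enough not to trip lockout, and treat timing findings as needing confirmation with more samples before reporting.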