🔒Testing Authentication and Session Management

General Guidelines on Testing Authentication

Stateful vs. Stateless Authentication

Supplementary Authentication

Verifying that Appropriate Authentication is in Place

Testing Best Practices for Passwords

Static Analysis

• zxcvbn - Used to estimate password strength

Have I Been Pwned: PwnedPasswords

• haveibeenpwned.com - Online password dictionary checker

Dynamic Testing

• Burp Suite Intruder - Brute force attacks to passwords

• OWASP ZAP - Can be used to brute force passwords

• fuzzdb - Dictionaries for brute forcing

Testing Stateful Session Management

Session Management Best Practices

• Testing Authentication - from OWASP Web Testing Guide

• Testing Session Management - from OWASP Web Testing Guide

Testing Session Timeout

Static Analysis

Dynamic Analysis

• Burp Session Timeout Test Extension

Testing User Logouts

Static Analysis

Dynamic Analysis

Testing Two-Factor Authentication and Step-up Authenitcation

Dangers of SMS-OTP

Transaction Signing with Push Notifications and PKI

Static Analysis

Dynamic Testing

• Burp - Manipulate server response to bypass 2FA

Testing Stateless (Token-Based) Authentication

Static Analysis

Enforcing the Hash Algorithm

Token Expiration

Dynamic Analysis

• Burp JSON Web Token Attacker

• Burp JSON Web Tokens

Testing OAuth 2.0 Flows

OAuth 2.0 Best Practices

Other OAuth2 Best Practices

Testing Login Activity and Device Blocking

iOS

• Device binding

Android

• Device binding

  • Test binding by backing up an application with adb, and trying to restore the backup with adb

  • Titanium backup