Authentication is the process of verifying the identity of a user. Web applications are constantly exposed to malicious users; therefore, developers and security engineers must adopt robust authentication mechanisms. Authentication can be implemented using three main factors: something you know (such as a password), something you have (such as a mobile device, security token, or USB key), and something you are (biometrics). This article discusses common authentication bypass techniques and logical flaws in authentication mechanisms.

Authentication and authorization are often confused, so it is important to understand their differences. Authentication is used to verify the identity of a user, while authorization determines what actions the user is allowed to perform.

Most authentication vulnerabilities occur in two main ways: weak authentication mechanisms that fail to adequately defend against brute-force attacks, and logic flaws or poorly implemented code that can be exploited by attackers (commonly referred to as Broken Authentication).

Password-Based Vulnerabilities

Most websites use password-based login processes to verify whether a user exists. If this process is poorly designed, attackers can bypass the authentication mechanism by exploiting logic flaws or poorly implemented code.

Brute-force attacks

These attacks are automated using wordlists of usernames and passwords. Automating the login process with dedicated tools allows attackers to perform a large number of login attempts at high speed. Brute-force attacks do not always rely on wordlists; attackers can also leverage stolen credentials or publicly available information to fine-tune their login attempts.

Usernames are often easy to guess if they follow a recognizable pattern, such as an email address. If an attacker has captured an email address (e.g., john.doe@company.com), this knowledge can help them target login attempts. It is also important to check whether publicly available information on a website discloses usernames or email addresses, as these can be observed even without logging in with valid credentials.

Additional information can be disclosed when attackers observe changes in a website's behavior to determine whether a username exists. This method is called username enumeration and typically occurs on login pages. In a typical scenario, an attacker accesses the login page and submits candidate usernames. If the website responds with a message such as "password is not valid," the attacker can infer that the username exists. The attacker can then prepare a password wordlist to launch a brute-force attack.

Certain indicators in a website's responses can help an attacker decide how to proceed. The most important ones are listed below.

  1. Status Code: During a brute-force attack, the returned HTTP response codes play a critical role in shaping the attack pattern. When an attacker makes a large number of login attempts, most guesses will return the same response status code. If one response differs from the others, it can serve as a clear indicator that the username is valid. The best mitigation is for the website to return the same error code regardless of the outcome.
  2. Error Messages: Sometimes, error messages differ depending on whether both the username and password are incorrect, or only one of them is incorrect. The best practice is to show the same generic error message regardless of which field is wrong.
  3. Response Time: If most requests are handled with similar response times, any noticeable deviation may indicate that different logic is being executed on the server. For example, when an attacker submits a valid username on the login page, the server may proceed to verify the password, resulting in a slightly longer response time. This delay can reveal that the username exists. To amplify this difference, an attacker may submit an excessively long password, increasing the processing time and making the response time deviation more obvious.
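The three indicators above all come from the same root cause: the login handler behaves differently depending on whether the username exists. The following added example (not code from the article) shows a login function that leaks through all three channels next to one that returns the same status, the same message and does the same password-hashing work on both paths. The user store, salt and credentials are constructed for the example.

```python
import hashlib
import hmac
import time

# Constructed sample user store (not from the article): username -> (salt, PBKDF2 hash).
_SALT = b"constructed-static-salt"


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


USERS = {"alice": (_SALT, _hash_password("correct horse battery", _SALT))}

# A dummy record so the unknown-user path performs the same hashing work as the known-user path.
_DUMMY = (_SALT, _hash_password("dummy-password", _SALT))


def vulnerable_login(username: str, password: str) -> tuple:
    """Leaks whether the username exists via status code, message and skipped hashing work."""
    record = USERS.get(username)
    if record is None:
        return 404, "user not found"           # different code and message, and no hashing
    salt, stored = record
    if not hmac.compare_digest(_hash_password(password, salt), stored):
        return 401, "password is not valid"    # confirms that the username exists
    return 200, "ok"


def hardened_login(username: str, password: str) -> tuple:
    """Same status, same message and same hashing work whether or not the user exists."""
    salt, stored = USERS.get(username, _DUMMY)
    match = hmac.compare_digest(_hash_password(password, salt), stored)
    if username not in USERS:
        match = False                          # never accept the dummy record
    if not match:
        return 401, "invalid username or password"
    return 200, "ok"


def responses_distinguish_users(login, known: str, unknown: str) -> bool:
    """True if a wrong-password attempt on a known user differs from one on an unknown user."""
    return login(known, "wrong") != login(unknown, "wrong")


def mean_response_ms(login, username: str, rounds: int = 20) -> float:
    """Rough timing probe of the kind an attacker automates; useful for self-testing a login."""
    start = time.perf_counter()
    for _ in range(rounds):
        login(username, "wrong")
    return (time.perf_counter() - start) * 1000 / rounds


if __name__ == "__main__":
    for name, fn in (("vulnerable", vulnerable_login), ("hardened", hardened_login)):
        print(name, "distinguishes users:", responses_distinguish_users(fn, "alice", "nobody"))
        print(name, "known-user ms: %.2f, unknown-user ms: %.2f"
              % (mean_response_ms(fn, "alice"), mean_response_ms(fn, "nobody")))
```

Running the script prints that the vulnerable function distinguishes users and answers unknown usernames noticeably faster, while the hardened function gives identical answers and near-identical timings. The dummy-hash trick is what closes the response-time channel: rejecting an unknown user early is exactly the shortcut the third indicator detects.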

Flawed Brute Force Protection

A brute-force attack typically results in a large number of failed login attempts before the attacker successfully compromises credentials. There are two common methods to mitigate or prevent brute-force attacks.

  1. Locking the account the attacker is trying to access after too many failed login attempts.
  2. Blocking the IP address the attempts come from after too many failed logins in a short time.

Both approaches provide robust protection, but both can potentially be bypassed — especially if the protection is poorly designed or incorrectly implemented by developers or security engineers.

A failed login counter is used to limit the number of consecutive failed login attempts for a user. However, attackers can bypass this protection if valid credentials are available. For example, consider a website that blocks an IP after three failed login attempts. If the attacker knows one valid credential, they can perform multiple failed attempts using other accounts and then submit the valid credential before the block is triggered, effectively creating an infinite login attempt loop. Additionally, attackers can use credential stuffing, submitting different stolen credentials in each iteration. In this way, login attempts can continue without triggering the IP blocking mechanism.
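The bypass above works only when a successful login resets the failure counter. The added example below (not code from the article) contrasts a per-IP limiter with that flaw against one that keeps a sliding window of failures per IP and per account which successes never clear. The credential store, the attacker IP and the "two wrong guesses, then my own valid login" pattern are constructed for the example.

```python
import time
from collections import defaultdict, deque

WINDOW_SECONDS = 60
MAX_FAILURES = 3

# Constructed credential store; plain-text passwords only to keep the example short.
USERS = {"okan": "okan-pass", "victim": "victim-pass"}


class VulnerableIpLimiter:
    """Blocks an IP after MAX_FAILURES failures, but a successful login resets the counter."""

    def __init__(self):
        self.failures = defaultdict(int)
        self.blocked = set()

    def attempt(self, ip, username, password):
        if ip in self.blocked:
            return "blocked"
        if USERS.get(username) == password:
            self.failures[ip] = 0          # the flaw: success wipes the failure history
            return "ok"
        self.failures[ip] += 1
        if self.failures[ip] >= MAX_FAILURES:
            self.blocked.add(ip)
        return "fail"


class HardenedLimiter:
    """Sliding-window failure counts per IP and per account; successes do not reset them."""

    def __init__(self, now=time.monotonic):
        self.now = now
        self.ip_failures = defaultdict(deque)
        self.acct_failures = defaultdict(deque)

    def _over_limit(self, dq):
        cutoff = self.now() - WINDOW_SECONDS
        while dq and dq[0] < cutoff:       # drop failures older than the window
            dq.popleft()
        return len(dq) >= MAX_FAILURES

    def attempt(self, ip, username, password):
        if self._over_limit(self.ip_failures[ip]) or self._over_limit(self.acct_failures[username]):
            return "blocked"               # same answer whichever limit tripped
        if USERS.get(username) == password:
            return "ok"
        t = self.now()
        self.ip_failures[ip].append(t)
        self.acct_failures[username].append(t)
        return "fail"


def run_bypass_pattern(limiter, ip="198.51.100.7"):
    """Two wrong guesses at the victim, then the attacker's own valid login, three times over."""
    results = []
    for i, guess in enumerate("abcdef", start=1):
        results.append(limiter.attempt(ip, "victim", guess))
        if i % 2 == 0:
            results.append(limiter.attempt(ip, "okan", "okan-pass"))   # the reset trick
    return results


if __name__ == "__main__":
    print("vulnerable:", run_bypass_pattern(VulnerableIpLimiter()))
    print("hardened:  ", run_bypass_pattern(HardenedLimiter()))
```

Against the vulnerable limiter the six wrong guesses all go through and the IP is never blocked; against the hardened one the third failure trips the window and every later request from that IP, including the attacker's own valid login, is refused until the window expires. Counting per account as well means the same pattern spread across many IPs still locks the targeted account.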

MFA Vulnerabilities

This section covers some vulnerabilities that can occur in multi-factor authentication (MFA) mechanisms. While there are several MFA methods, biometric approaches are often impractical for major websites, so knowledge-based methods (such as passwords combined with temporary verification codes) are more commonly used.

Sometimes, the implementation of two-factor authentication (2FA) is flawed and can be bypassed entirely. For instance, if a user can access the main page without entering the verification code and is redirected to other pages, this may indicate a partial "logged-in" state, where a session token has already been created in the background. Such scenarios can be exploited by malicious users.

Additionally, flawed 2FA logic can mean that after completing the first login step, the website does not adequately verify that the same user is completing the second step.

For example, the user logs in with their credentials:

POST /login/first HTTP/1.1
Host: test.com
…
username=okan&password=okan

The server then assigns a cookie associated with their account, and the second step is requested with it:

HTTP/1.1 200 OK
Set-Cookie: user=okan

GET /login/second HTTP/1.1
Cookie: user=okan

When the verification code is submitted, the server uses this cookie to determine which user is trying to log in:

POST /login/second HTTP/1.1
Host: test.com
Cookie: user=okan

verification-code=123456

An attacker can therefore log in with their own credentials and then change the user cookie to any username when submitting the verification code:

POST /login/second HTTP/1.1
Host: test.com
Cookie: user=victim-user

verification-code=123456

The recommended design is indicated below.

POST /login/second HTTP/1.1
Cookie: session=abcq345

mfa-code=23456

This flaw occurs because cookies come from the client side, which allows an attacker to manipulate the user parameter. To remediate the issue, the 2FA step and the login session must be securely linked, and the server must verify that both the password step and the MFA step are completed by the same account. Even then, an attacker targeting a valid user may attempt to brute-force the 4–6 digit MFA code, so the verification step needs the same brute-force protection as the login page.
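The following added example (not code from the article) implements both designs side by side: the flawed second step that trusts a client-supplied user cookie, and the recommended one in which the password step creates an opaque server-side session, the verification step looks the user up from that session only, and code submissions per session are capped. The credential store and the fixed six-digit codes standing in for a real authenticator are constructed for the example; the attempt limit is an assumed value.

```python
import hmac
import secrets

# Constructed stores; static codes stand in for what each user's authenticator app would show.
USERS = {"okan": "okan-pass", "victim-user": "victim-pass"}
MFA_CODES = {"okan": "123456", "victim-user": "987654"}
MAX_MFA_ATTEMPTS = 5           # assumed cap on code submissions per pending session

# Server-side session store: opaque token -> state. The client only ever sees the token.
SESSIONS = {}


def login_first_vulnerable(username, password):
    """Step 1, flawed design: on success the cookie simply names the user."""
    if USERS.get(username) != password:
        return None
    return {"user": username}


def login_second_vulnerable(cookies, code):
    """Step 2, flawed design: whichever user the cookie names is the one whose code is checked."""
    user = cookies.get("user")
    if user in MFA_CODES and hmac.compare_digest(MFA_CODES[user], code):
        return "logged in as " + user
    return "invalid code"


def login_first_hardened(username, password):
    """Step 1, recommended design: success creates a pending server-side session."""
    if USERS.get(username) != password:
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = {"user": username, "mfa_passed": False, "mfa_attempts": 0}
    return {"session": token}


def login_second_hardened(cookies, code):
    """Step 2, recommended design: the user comes from the session, never from the client."""
    sess = SESSIONS.get(cookies.get("session", ""))
    if sess is None or sess["mfa_passed"]:
        return "invalid session"
    if sess["mfa_attempts"] >= MAX_MFA_ATTEMPTS:
        return "too many attempts"          # blocks brute-forcing the 4-6 digit code
    sess["mfa_attempts"] += 1
    if hmac.compare_digest(MFA_CODES[sess["user"]], code):
        sess["mfa_passed"] = True
        return "logged in as " + sess["user"]
    return "invalid code"


if __name__ == "__main__":
    # Flawed design: attacker authenticates as okan, then rewrites the cookie to the victim.
    login_first_vulnerable("okan", "okan-pass")
    print(login_second_vulnerable({"user": "victim-user"}, MFA_CODES["victim-user"]))
    # Recommended design: a forged user cookie is ignored and the session fixes the account.
    cookie = login_first_hardened("okan", "okan-pass")
    print(login_second_hardened({"user": "victim-user"}, MFA_CODES["victim-user"]))
    print(login_second_hardened(cookie, MFA_CODES["victim-user"]))
    print(login_second_hardened(cookie, MFA_CODES["okan"]))
```

In the flawed design the rewritten cookie is enough to make the server check the victim's code, so the remaining obstacle is only the size of the code space. In the recommended design the only cookie the server honours is an unguessable session token that already names the authenticated account, a forged user cookie is ignored, and after the cap is reached the pending session stops accepting codes altogether.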

Methods of Protection

To reduce website vulnerabilities, several protection methods are indicated below.

Implementing a strict password policy helps reduce the effectiveness of attacks against the login page. Even if attackers have obtained stolen credentials, short-term password rotation policies can significantly reduce their impact.

Preventing username enumeration significantly reduces an attacker's impact on a website. Regardless of the attempts made, returning generic response codes leaves the attacker with no actionable information. In addition, the website should always return indistinguishable response times.

Implementing robust brute-force protection is another way to defend against attackers. The most important measure is IP-based rate limiting, which should include measures against attackers manipulating their apparent IP address. Requiring users to complete a CAPTCHA for each login attempt also helps mitigate automated brute-force attacks against the website.

Properly implemented multi-factor authentication provides a strong defense against attackers. However, poorly designed or implemented MFA mechanisms can themselves become an entry point for exploitation.

Thank you for reading. Thank you to Portswigger for their contribution.