Activity

Test Service Specialist
Passionately testing for +20 years
Joerg earned: <a href="https://club.ministryoftesting.com/t/86877" rel="noopener nofollow">39c3 - Chaos Communication Congress Hamburg, Germany - Are you there?</a>
Joerg achieved: This badge is awarded to members who update their profile with a new photo.
Joerg achieved: This badge is awarded to members who visit the Ministry of Testing site 99 times.
Joerg achieved: This badge is awarded to members who update their social links on their profile.
Joerg achieved: This badge is awarded to members who contribute a new term or an alternative definition to the software testing glossary.
Joerg earned: <a href="https://www.ministryoftesting.com/software-testing-glossary/broken-authentication" rel="noopener nofollow">Broken Authentication</a>
Joerg contributed:
<div>
<strong>Broken Authentication</strong> means that a web application’s login system or session management is flawed, letting attackers bypass authentication and gain unauthorized access to sensitive accounts—sometimes even administrative ones. Attackers exploit these issues through methods like stolen or weak credentials, brute-force attacks, or hijacking session identifiers. [1][2] <br><br><strong>Problem Areas </strong>
</div><ul>
<li>
<strong>Credential Management: </strong>Weak or default passwords, poor password storage (no hashing/salting), or flaws in password recovery make it easier for attackers to steal or guess passwords. </li>
<li>
<strong>Session Management: </strong>Vulnerabilities in how sessions are created, tracked, or terminated can lead to session hijacking—where attackers impersonate users by stealing session IDs, often through poorly protected browser cookies or unexpired sessions. [3] </li>
</ul><div>
<br><strong>Tips for Testers </strong>
</div><ul>
<li>
<strong>Test for Common Weaknesses </strong><ul>
<li>Try default and weak passwords (“password”, “admin”, “123456”, etc.) and check the application’s password policies. </li>
<li>Attempt brute-force and credential stuffing attacks (within allowed scope) to verify protections. </li>
</ul>
</li>
<li>
<strong>Check Session Management </strong><ul>
<li>Confirm that session tokens are not leaked in URLs and are changed after login. </li>
<li>Validate session termination: users should be logged out everywhere after logging out or timing out. </li>
</ul>
</li>
<li>
<strong>Explore Forgot-Password and Recovery Flows </strong><ul>
<li>Test for predictable, non-expiring, or re-usable reset tokens. </li>
<li>Check for error messages or flow differences that might leak whether an account exists. </li>
</ul>
</li>
</ul><div>
<br><strong>What New Security Testers Should Know <br></strong>Broken authentication is one of the most impactful vulnerabilities, often leading to data breaches or account takeovers—even on major platforms. <br><br>Sources (Thanks to Perplexity AI for supporting the search [4]): </div><ol>
<li>PortSwigger (home of Burp Suite, a well-known security tool) </li>
<li>Bright Security </li>
<li>OWASP API2:2023 Broken Authentication </li>
<li>Prompt</li>
</ol>
Definitions of Broken Authentication
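As an added example (not part of the glossary entry or of its cited sources), the "Check Session Management" tips above turned into a repeatable check: does the session id change at login, does a token leak into a redirect URL, and is the session really dead after logout. `MockApp`, `USER` and `PASSWORD` are constructed stand-ins for a target application so the script runs offline; against a real target the same `check_session_management` logic would drive HTTP calls instead, within an authorised scope.

```python
"""Session-management checks for a login flow.

Added example; not part of the glossary entry. It runs against a constructed
in-memory stand-in for a web application (MockApp) so it can execute offline.
Replace MockApp with real HTTP calls (e.g. requests.Session) to test a target
within an authorised scope.
"""
import secrets
from urllib.parse import parse_qs, urlparse

# Constructed sample credentials for the mock application (not real data).
USER = "alice"
PASSWORD = "correct-horse-battery-staple"


class MockApp:
    """Constructed stand-in for a web app's session handling.

    The three flags model weaknesses the glossary entry lists: no rotation
    of the session id at login (session fixation), the session token echoed
    in a redirect URL, and sessions that survive logout.
    """

    def __init__(self, rotate_on_login=True, invalidate_on_logout=True,
                 token_in_url=False):
        self.rotate_on_login = rotate_on_login
        self.invalidate_on_logout = invalidate_on_logout
        self.token_in_url = token_in_url
        self.sessions = {}  # session id -> username, or None when anonymous

    def visit(self):
        """GET /login: issue an anonymous (pre-authentication) session cookie."""
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = None
        return {"Set-Cookie": f"session={sid}; HttpOnly; Secure"}

    def login(self, sid, user, password):
        """POST /login, sent with the cookie obtained from visit()."""
        if password != PASSWORD:
            raise PermissionError("invalid credentials")
        if self.rotate_on_login:
            # Hardened behaviour: discard the pre-auth id and mint a new one.
            self.sessions.pop(sid, None)
            sid = secrets.token_urlsafe(32)
        self.sessions[sid] = user
        location = "/home"
        if self.token_in_url:
            location += f"?session={sid}"  # weak: token now in logs/Referer/history
        return {"Set-Cookie": f"session={sid}; HttpOnly; Secure",
                "Location": location}

    def logout(self, sid):
        """POST /logout: server-side invalidation only if configured to do so."""
        if self.invalidate_on_logout:
            self.sessions.pop(sid, None)

    def whoami(self, sid):
        """GET /me: username bound to this session id, None if not authenticated."""
        return self.sessions.get(sid)


def session_id_from(headers):
    """Pull the value of the 'session' cookie out of a Set-Cookie header."""
    cookie = headers["Set-Cookie"].split(";", 1)[0]
    name, _, value = cookie.partition("=")
    if name != "session":
        raise ValueError(f"unexpected cookie name: {name}")
    return value


def check_session_management(app, user=USER, password=PASSWORD):
    """Run the session checks from the glossary entry; return a list of findings."""
    findings = []

    pre_login_sid = session_id_from(app.visit())
    response = app.login(pre_login_sid, user, password)
    post_login_sid = session_id_from(response)

    # 1. The session id must change at the privilege boundary.
    if post_login_sid == pre_login_sid:
        findings.append("session id not rotated on login (session fixation)")
    # Even when a new id is issued, the old one must no longer be authenticated.
    elif app.whoami(pre_login_sid) is not None:
        findings.append("pre-login session id still authenticated after login")

    # 2. Tokens belong in cookies or headers, never in URLs.
    query = parse_qs(urlparse(response.get("Location", "")).query)
    if "session" in query:
        findings.append("session token leaked in redirect URL")

    # 3. Logout must invalidate the session server-side, not just clear the cookie.
    app.logout(post_login_sid)
    if app.whoami(post_login_sid) is not None:
        findings.append("session still valid after logout")

    return findings


if __name__ == "__main__":
    weak = MockApp(rotate_on_login=False, invalidate_on_logout=False, token_in_url=True)
    print("weak app:", check_session_management(weak))
    print("hardened app:", check_session_management(MockApp()))
```

The check deliberately compares the pre-login and post-login ids rather than only looking for a fresh `Set-Cookie`: an application can send a new cookie and still leave the old id authenticated, which is the second branch above. When porting this to a real target, keep the three assertions and swap the mock calls for actual requests to the login, logout and an authenticated endpoint.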
Joerg liked: Boost Agile process reliability, project engagement and teamwork with in-sprint test automation
Joerg registered for: Harvest your testing skills at TestBash Autumn, a Ministry of Testing software testing conference happening on the 22nd and 23rd of March 2023
Joerg achieved: This badge is awarded to members who have subscribed as Professional Members.
Joerg registered for: Join Janet Gregory for a deep dive into Holistic Testing, where every phase is a pivotal piece of the quality puzzle.
Joerg achieved: This badge is awarded to members who have read 10 articles while logged in.
Joerg achieved: This badge is awarded to members who have updated their profile.
Joerg achieved: This badge is awarded to members who have signed up as a Club member.