Join us on May 15 for a live demo of how Burp Suite DAST solves real-world security challenges.            Register Now
Research Academy
My account Customers About Blog Careers Legal Contact Resellers
Back to all learning paths
PRACTITIONER

Authentication vulnerabilities

This learning path explores authentication vulnerabilities, which have a critical impact on security. You'll learn about common mechanisms and vulnerabilities, and strategies for robust authentication.

Contents

Get started: What is authentication?

0 of 55

GET STARTED

What is authentication? 0 of 1

What is authentication? Get started

What is the difference between authentication and authorization? 0 of 1

What is the difference between authentication and authorization?

How do authentication vulnerabilities arise? 0 of 1

How do authentication vulnerabilities arise?

What is the impact of vulnerable authentication? 0 of 2

What is the impact of vulnerable authentication?

What is the impact of vulnerable authentication? - Continued

Vulnerabilities in password-based login 0 of 19

Vulnerabilities in password-based login

Brute-force attacks

Brute-forcing usernames

Brute-forcing passwords

Brute-forcing passwords - Continued

Username enumeration

Username enumeration - Continued

Lab: Username enumeration via different responses APPRENTICE

Lab: Username enumeration via subtly different responses PRACTITIONER

Lab: Username enumeration via response timing PRACTITIONER

Flawed brute-force protection

Lab: Broken brute-force protection, IP block PRACTITIONER

Account locking

Account locking - Continued

Account locking - Continued

Lab: Username enumeration via account lock PRACTITIONER

User rate limiting

HTTP basic authentication

HTTP basic authentication - Continued

Vulnerabilities in multi-factor authentication 0 of 8

Vulnerabilities in multi-factor authentication

Vulnerabilities in multi-factor authentication - Continued

Two-factor authentication tokens

Bypassing two-factor authentication

Lab: 2FA simple bypass APPRENTICE

Flawed two-factor verification logic

Lab: 2FA broken logic PRACTITIONER

Brute-forcing 2FA verification codes

Vulnerabilities in other authentication mechanisms 0 of 15

Vulnerabilities in other authentication mechanisms

Keeping users logged in

Keeping users logged in - Continued

Lab: Brute-forcing a stay-logged-in cookie PRACTITIONER

Keeping users logged in - Continued

Lab: Offline password cracking PRACTITIONER

Resetting user passwords

Sending passwords by email

Resetting passwords using a URL

Resetting passwords using a URL - Continued

Lab: Password reset broken logic APPRENTICE

Resetting passwords using a URL - Continued

Lab: Password reset poisoning via middleware PRACTITIONER

Changing user passwords

Lab: Password brute-force via password change PRACTITIONER

Preventing attacks on your own authentication mechanisms 0 of 8

Preventing attacks on your own authentication mechanisms

Take care with user credentials

Don't count on users for security

Prevent username enumeration

Implement robust brute-force protection

Triple-check your verification logic

Don't forget supplementary functionality

Implement proper multi-factor authentication