Broken authentication is a group of related weaknesses in how an application verifies users and manages their sessions. Some of them are listed here:
- Weak storage of credentials
- Predictable login credentials
- Session IDs exposed in the URL
- Session IDs susceptible to session fixation attacks
- Incorrect session timeout implementation
- Sessions that are not destroyed after logout
- Sensitive information sent over unprotected channels
We are going to explain how to detect these issues using Burp Suite.
Authentication data has an inherent problem: it is not stored only on the server side. The client also has to hold something, not necessarily the username and password themselves, but a token, a session ID, or whatever else the application uses to track the user and grant access.
Using Burp Suite, it is possible to see where this information is stored. For example, it is very common to keep it in cookies, as shown in the following screenshot:
This is an example of...
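The same inspection can be scripted over traffic captured in the proxy. The following is an added example, not code from the original text and not part of Burp Suite: it takes constructed request and response lines shaped like Burp Proxy history entries and flags several items from the list above (a session ID carried in the URL, session cookies that can travel over unprotected channels or be read by script, an over-long session lifetime, a predictable-looking value, and a logout response that does not expire the session cookie). The session-name list, the lifetime threshold and the predictability heuristic are assumptions a tester would adapt to the target application.

```python
"""Spot common broken-authentication symptoms in captured HTTP traffic.

Added example, not part of the original text and not Burp Suite code. The
request/response samples are constructed to resemble Burp Proxy history
entries; the session names and thresholds below are assumptions.
"""
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import parse_qsl, urlsplit

# Parameter/cookie names that usually carry a session identifier (assumption).
SESSION_NAMES = {"sessionid", "jsessionid", "phpsessid", "asp.net_sessionid", "sid", "token"}
# A session cookie that lives longer than this is reported as a timeout problem (assumption).
MAX_SESSION_SECONDS = 8 * 3600


def _is_session_name(name):
    return name.lower() in SESSION_NAMES


def session_ids_in_url(request_line):
    """Return {name: value} for session identifiers found in the request URL.

    Covers both the query string (?PHPSESSID=...) and the servlet-style path
    parameter (/app;jsessionid=...), which urlsplit leaves inside the path.
    """
    _method, target, _version = request_line.split(" ", 2)
    parts = urlsplit(target)
    found = {}
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if _is_session_name(name):
            found[name] = value
    match = re.search(r";(jsessionid)=([^;?/]+)", parts.path, re.IGNORECASE)
    if match:
        found[match.group(1)] = match.group(2)
    return found


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attrs); attrs keys are lowercase.

    Flag attributes such as Secure and HttpOnly are stored with an empty string.
    """
    pieces = [p.strip() for p in header_value.split(";")]
    name, _, value = pieces[0].partition("=")
    attrs = {}
    for piece in pieces[1:]:
        key, _, val = piece.partition("=")
        attrs[key.lower()] = val
    return name, value, attrs


def _set_cookies(response_headers):
    """Yield parsed cookies from every Set-Cookie header in a response."""
    for header in response_headers:
        field, _, value = header.partition(":")
        if field.strip().lower() == "set-cookie":
            yield parse_set_cookie(value.strip())


def looks_predictable(value):
    """Heuristic: short or purely numeric identifiers are candidates for guessing (assumption)."""
    return len(value) < 16 or value.isdigit()


def audit_exchange(request_line, response_headers):
    """Return a list of findings for one request/response pair."""
    findings = []
    for name in session_ids_in_url(request_line):
        findings.append("session ID exposed in URL: %s" % name)
    for cname, cvalue, attrs in _set_cookies(response_headers):
        if not _is_session_name(cname):
            continue  # e.g. a UI preference cookie, not a session token
        if "secure" not in attrs:
            findings.append("%s: missing Secure flag, cookie can travel over plain HTTP" % cname)
        if "httponly" not in attrs:
            findings.append("%s: missing HttpOnly flag, cookie readable by script" % cname)
        if "max-age" in attrs and int(attrs["max-age"]) > MAX_SESSION_SECONDS:
            findings.append("%s: Max-Age %s exceeds expected session lifetime" % (cname, attrs["max-age"]))
        if looks_predictable(cvalue):
            findings.append("%s: value %r looks predictable" % (cname, cvalue))
    return findings


def logout_clears_cookie(logout_response_headers, cookie_name):
    """True if the logout response expires the named cookie on the client.

    This is only the client-side half of the check; the server-side half is
    replaying the pre-logout cookie (Burp Repeater) and seeing if it still works.
    """
    for cname, cvalue, attrs in _set_cookies(logout_response_headers):
        if cname != cookie_name:
            continue
        if cvalue == "" or attrs.get("max-age") == "0":
            return True
        if "expires" in attrs:
            expires = parsedate_to_datetime(attrs["expires"])
            if expires.tzinfo is None:
                expires = expires.replace(tzinfo=timezone.utc)
            if expires < datetime.now(timezone.utc):
                return True
    return False


# Constructed captures resembling Burp Proxy history entries (not real traffic).
LOGIN_REQUEST = "GET /account/home?PHPSESSID=123456 HTTP/1.1"
LOGIN_RESPONSE = [
    "HTTP/1.1 200 OK",
    "Set-Cookie: PHPSESSID=123456; Path=/; Max-Age=2592000",
    "Set-Cookie: theme=dark; Path=/",
    "Content-Type: text/html",
]
LOGOUT_RESPONSE = [
    "HTTP/1.1 302 Found",
    "Location: /login",
    "Set-Cookie: theme=dark; Path=/",  # the session cookie is never expired
]
HARDENED_RESPONSE = [
    "HTTP/1.1 200 OK",
    "Set-Cookie: PHPSESSID=9f2c7a41e3b8d6c05a1f4e7b2d9c8a63; Path=/; Secure; HttpOnly; SameSite=Lax",
]

if __name__ == "__main__":
    for finding in audit_exchange(LOGIN_REQUEST, LOGIN_RESPONSE):
        print("[!]", finding)
    print("logout expires PHPSESSID:", logout_clears_cookie(LOGOUT_RESPONSE, "PHPSESSID"))
```

Feed the script the raw request line and response headers of any entry saved from Proxy history; a clean run against the hardened response above produces no findings. The logout check only confirms that the client was told to drop the cookie, so follow it up by replaying the old session ID in Repeater to see whether the server still accepts it.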