Hyrje
Broken authentication refers to flaws in how an application verifies user identity — anything from weak passwords to session mishandling.
Teoria
Common failures include allowing weak passwords (12345, password), no rate limiting on the login endpoint (enabling credential stuffing), predictable session tokens, sessions that never expire, missing CSRF protection, and MFA that can be bypassed via a forgotten-password flow or legacy endpoint. Credential stuffing alone — reusing leaked password lists against other sites — is responsible for a large share of account takeovers every year.
Best-practice authentication in 2024 looks like: long passwords with no arbitrary complexity rules (NIST 800-63B), mandatory checks against the Have I Been Pwned breach corpus, rate limiting and account lockout on repeated failures, session tokens stored in HttpOnly Secure SameSite cookies, and either TOTP or WebAuthn as a second factor. WebAuthn (passkeys) is especially strong because the private key never leaves the user's device and is bound to the origin, defeating phishing.
Implementers should almost never write authentication code from scratch. Use battle-tested libraries like Spring Security, Django auth, Laravel Breeze or Auth0/Keycloak as identity providers. Every custom authentication system is a liability until proven otherwise.
Mjetet
Mjete testimi:
- Burp Intruder — për testim fjalëkalimesh dhe enumeration.
- Hydra, Medusa — brute-forcers CLI.
- JWT.io, jwt_tool — analizë JWT.
Praktika
Gabim i zakonshëm — JWT pa verifikim:
// Shembull i gabuar
$payload = json_decode(base64_decode(explode('.', $jwt)[1]), true);
$userId = $payload['sub'];I drejtë — me bibliotekë të besueshme:
use Firebase\JWT\JWT;
use Firebase\JWT\Key;
$decoded = JWT::decode($jwt, new Key($SECRET, 'HS256'));
$userId = $decoded->sub;Politika e fjalëkalimeve me bcrypt:
$hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
if (password_verify($input, $hash)) { /* ok */ } Ushtrime
- Identifiko një aplikacion që nuk invalidon session-in pas logout — raporto si finding.
- Konfiguro rate limiting për login (p.sh. me
fail2banose middleware). - Zëvendëso MD5/SHA-1 për passwords me bcrypt ose Argon2.
Burime
- OWASP A07:2021 — Identification and Authentication Failures.
- NIST SP 800-63B — Digital Identity Guidelines.
- PortSwigger — Authentication Labs.
Vlerësimet dhe komentet
Kyçu për të lënë një vlerësim.
Ende pa komente. Bëhu i pari!
Diskutime
Ende pa diskutime. Hap një temë të re