Authentication Testing Checklist
Table of Contents
- Registration Flaws
- Login Bypasses
- Session Management Issues
- Multi-Factor Authentication (MFA) Bypasses
- Credential Security Issues
- OAuth & SSO Vulnerabilities
- Logout & Session Termination Flaws
- Rate Limiting & Brute Force Protections
- Authentication API Security
- Testing Methodology
1. Registration Flaws
1.1 Duplicate Registration Allowed
How it works: System allows multiple accounts with same email/username, or fails to verify uniqueness properly.
Steps to Find:
- Register account with email+1@test.com
- Attempt to register again with same email
- Try case variations (Test@test.com vs test@test.com)
- Test with Unicode homoglyphs
- Check if email normalization is applied
- Verify if secondary identifiers (username) can collide
Impact: Account confusion, data pollution, impersonation
1.2 Weak Registration Validation
How it works: Registration accepts invalid email formats, disposable emails, or nonexistent domains.
Steps to Find:
- Register with email: “notanemail”
- Test with: “test@test” (no TLD)
- Use disposable email domains (temp-mail.org)
- Test with + aliasing if restricted
- Check email verification bypass
- Verify domain existence validation
Impact: Spam accounts, anonymous abuse, verification bypass
1.3 Registration Parameter Manipulation
How it works: User-controllable parameters during registration allow privilege escalation.
Steps to Find:
- Intercept registration request
- Add parameters: “role”: “admin”, “isAdmin”: true
- Modify “email_verified”: true
- Test with “account_type”: “premium”
- Add unexpected fields (mass assignment)
- Check if user ID can be pre-selected
Impact: Privilege escalation, automatic verification, account takeover
1.4 Username/Email Enumeration During Registration
How it works: System reveals whether a username/email is already taken through error messages or timing.
Steps to Find:
- Register with existing email - check error message
- Register with new email - compare response
- Measure response time differences
- Test JSON responses for existence hints
- Check if rate limiting applies to registration attempts
- Verify if enumeration possible via autocomplete/suggestions
Impact: User enumeration, reconnaissance, targeted attacks
1.5 Invite/Referral Code Bypass
How it works: Registration requires invite codes that can be guessed, reused, or bypassed.
Steps to Find:
- Identify invite code parameter
- Test with empty code
- Try common codes (admin, test, invite123)
- Check if codes are sequential or predictable
- Test code reuse after registration
- Verify if codes have usage limits
Impact: Unauthorized access, bypass of registration restrictions
1.6 Account Verification Skipping
How it works: Email/SMS verification can be bypassed by modifying requests or accessing features pre-verification.
Steps to Find:
- Register without verifying email
- Attempt to access protected features
- Intercept verification confirmation
- Modify response to indicate success
- Check if verification status is client-side only
- Test if old verification links remain valid
Impact: Unverified accounts with full access, spam, fraud
2. Login Bypasses
2.1 SQL Injection in Login
How it works: Login form vulnerable to SQL injection, allowing authentication bypass.
Steps to Find:
- Test username:
'admin' --
- Try:
' OR 1=1 --
- Use:
'admin' /*
- Test with:
' UNION SELECT 'admin', 'password' --
- Check for blind SQL injection via timing
- Test parameterized inputs in all login fields
Impact: Complete authentication bypass, data breach
2.2 No SQL Injection (MongoDB)
How it works: MongoDB-based login accepts operator injections.
Steps to Find:
- Username:
{'$ne': null}
- Password:
{'$ne': null}
- Test:
{'$gt': ""}
- Try:
'$ne'=1
- Use:
username[$regex]=.*
- Check for operator injection in JSON bodies
Impact: Authentication bypass without credentials
2.3 LDAP Injection
How it works: Login form vulnerable to LDAP injection attacks.
Steps to Find:
- Username:
*
- Password:
*
- Test:
admin*
- Try:
)(uid=*
- Use:
*)(uid=*
- Check for verbose LDAP errors
Impact: Authentication bypass, directory information disclosure
2.4 Login Response Manipulation
Steps to Find:
- Attempt login with invalid credentials
- Intercept response
- Modify “success”: false to true
- Change HTTP status code from 401 to 200
- Modify redirect location to authenticated area
- Check if client blindly trusts response
Impact: Authentication bypass via response tampering
2.5 Remember Me Functionality Flaws
How it works: “Remember me” tokens are weak, predictable, or stored insecurely.
Steps to Find:
- Check where remember-me token is stored (cookie, localStorage)
- Analyze token structure (base64? encrypted? plain?)
- Test token reuse across sessions
- Check if token tied to IP/user-agent
- Verify token expiration enforcement
- Test token theft via XSS
Impact: Persistent session hijacking, account takeover
2.6 Login with Weak Default Credentials
How it works: Default credentials exist and are not changed on first login.
Steps to Find:
- Search for default credentials in documentation
- Test common combos: admin/admin, admin/password
- Try vendor-specific defaults
- Check if password change is enforced on first login
- Test if default accounts are documented publicly
- Verify if test accounts remain in production
Impact: Easy unauthorized access, privilege escalation
2.7 Login Flooding / Rate Limit Bypass
How it works: Login attempts are not properly rate-limited, allowing brute force.
Steps to Find:
- Send multiple rapid login attempts
- Check for rate limiting after N attempts
- Test with different IPs (X-Forwarded-For spoofing)
- Rotate user-agents
- Try different endpoints (API vs web)
- Check if rate limiting resets on successful login
Impact: Credential brute-forcing, account takeover
3. Session Management Issues
3.1 Session Fixation
How it works: Attacker can set victim’s session ID to a known value.
Steps to Find:
- Obtain session cookie from login page (pre-auth)
- Set this cookie in attacker’s browser
- Send login link with session ID parameter
- Check if session ID changes after login
- Test if session is accepted in URL
- Verify session regeneration on privilege change
Impact: Session hijacking, account takeover
3.2 Predictable Session Tokens
How it works: Session tokens generated using weak algorithms (timestamp, sequential, user data).
Steps to Find:
- Collect 100+ session tokens
- Analyze pattern (length, charset)
- Check for encoded user data (base64, hash)
- Test sequential generation
- Use Burp Sequencer for analysis
- Check if token tied to time with low entropy
Impact: Session hijacking via token prediction
3.3 Session Token Exposure
How it works: Session tokens exposed in URLs, logs, referrers, or via side-channels.
Steps to Find:
- Check if session ID appears in URL parameters
- Monitor network traffic for token in referrer
- Test if token visible in browser history
- Check WebSocket connections for token exposure
- Verify if token logged on server
- Test if token exposed in error messages
Impact: Session theft, account takeover
3.4 Insecure Session Storage
How it works: Session tokens stored insecurely on client side.
Steps to Find:
- Check cookie flags (HttpOnly, Secure, SameSite)
- Verify if token stored in localStorage/sessionStorage
- Test if accessible via JavaScript
- Check cookie domain/path scope (too broad)
- Verify session timeout implementation
- Test session persistence after browser close
Impact: Session theft via XSS, physical access
3.5 Concurrent Session Handling Flaws
How it works: System allows unlimited concurrent sessions or fails to notify users.
Steps to Find:
- Login from multiple browsers/devices
- Check if user is notified
- Test session limits (should be configurable)
- Verify if old sessions are invalidated on password change
- Test if sessions can be viewed/terminated by user
- Check for session conflict during simultaneous actions
Impact: Account sharing, undetected compromise
3.6 Session Hijacking via Cross-Site Scripting (XSS)
How it works: XSS vulnerabilities allow theft of session tokens.
Steps to Find:
- Identify XSS vectors in authenticated areas
- Test cookie accessibility via JavaScript
- Check if HttpOnly flag is missing
- Verify if token in localStorage can be stolen
- Test session fixation combined with XSS
- Check if CSRF tokens can be stolen similarly
Impact: Complete account takeover
4. Multi-Factor Authentication (MFA) Bypasses
4.1 MFA Not Enforced for All Users
How it works: MFA is optional or can be disabled without re-authentication.
Steps to Find:
- Enable MFA on account
- Attempt to disable MFA
- Check if password re-entry required
- Test if admin can disable user MFA
- Verify if MFA enforced for privileged roles
- Check if MFA can be removed via API
Impact: MFA bypass, reduced security
4.2 MFA Code Brute Force
How it works: 4-6 digit MFA codes have small search space and no rate limiting.
Steps to Find:
- Trigger MFA challenge
- Attempt brute force of 000000-999999
- Check for rate limiting
- Test if codes expire quickly
- Verify if multiple attempts lock account
- Check if codes are time-based (TOTP) with window
Impact: MFA bypass, account takeover
4.3 MFA Code Reuse
How it works: MFA codes remain valid after use or for extended periods.
Steps to Find:
- Request MFA code
- Use it successfully
- Attempt to reuse same code
- Test with code after expiration time
- Check if codes tied to specific sessions
- Verify if backup codes can be reused
Impact: MFA bypass, session hijacking
4.4 MFA Bypass via “Remember This Device”
How it works: Device remember functionality bypasses MFA indefinitely.
Steps to Find:
- Enable “Remember this device”
- Analyze remember token
- Test if token can be stolen/reused
- Check if token expires
- Verify if token tied to browser fingerprint
- Test if MFA can be bypassed with stolen token
Impact: Persistent MFA bypass, account compromise
4.5 MFA Bypass via OAuth/SSO
How it works: SSO login bypasses MFA requirements.
Steps to Find:
- Enable MFA on local account
- Link Google/Facebook account
- Login via SSO
- Check if MFA is required
- Test unlinking/re-linking scenarios
- Verify MFA status after SSO login
Impact: Complete MFA bypass
4.6 2FA Disable via Password Reset
How it works: Password reset flow disables or bypasses MFA.
Steps to Find:
- Enable MFA on account
- Initiate password reset
- Check if MFA required during reset
- Verify MFA status after password change
- Test if reset generates new MFA secret
- Check if backup codes still work after reset
Impact: MFA bypass, account takeover
4.7 MFA Code Leakage
How it works: MFA codes exposed in URLs, responses, or logs.
Steps to Find:
- Check if MFA code appears in URL
- Inspect JSON responses for code
- Test if code visible in SMS/email content
- Verify if code sent with previous messages
- Check if code stored in browser storage
- Test for timing attacks on code validation
Impact: MFA code theft, account compromise
5. Credential Security Issues
5.1 Credentials in URL/Logs
How it works: Passwords transmitted in URL parameters or GET requests.
Steps to Find:
- Monitor network traffic during login
- Check if password appears in URL
- Verify if login uses POST or GET
- Test if password in referrer header
- Check server logs for credential exposure
- Verify browser autofill security
Impact: Credential theft via logs, history, referrers
5.2 Weak Password Policy
How it works: Password policy allows weak, common, or short passwords.
Steps to Find:
- Attempt to set “password123”
- Try single character password
- Test with “admin” or “welcome”
- Check for dictionary word blocking
- Verify minimum length enforcement
- Test Unicode normalization issues
Impact: Easy brute-force, credential stuffing
5.3 Credential Stuffing Vulnerability
How it works: No protection against automated credential stuffing attacks.
Steps to Find:
- Test with breached credential lists
- Check for rate limiting
- Verify CAPTCHA implementation
- Test IP-based blocking
- Check for credential stuffing detection
- Verify if breached password detection exists
Impact: Account takeover via leaked credentials
5.4 Password Equivalent Fields
How it works: Security questions or PINs act as password equivalents with weaker security.
Steps to Find:
- Identify security question fields
- Check if they can reset password
- Test if answers are case-sensitive
- Verify if answers have complexity requirements
- Check if answers stored in plaintext
- Test if answers can be brute-forced
Impact: Account takeover via weak secondary credentials
5.5 Password Change Without Current Password
How it works: Password change functionality doesn’t verify current password.
Steps to Find:
- Login to account
- Navigate to password change
- Attempt change without current password
- Test with session token only
- Check if CSRF protection exists
- Verify if notification sent on change
Impact: Account takeover via CSRF, session hijacking
5.6 Password Hashing Weaknesses
How it works: Passwords stored with weak hashing algorithms.
Steps to Find:
- Attempt to extract password hashes (if possible)
- Identify hash type (MD5, SHA1, bcrypt)
- Check if salts are used
- Verify if same password = same hash
- Test timing attacks on comparison
- Check for default/backdoor passwords in code
Impact: Credential theft, offline brute-force
6. OAuth & SSO Vulnerabilities
6.1 OAuth Redirect URI Manipulation
How it works: Open redirect in OAuth flow allows authorization code theft.
Steps to Find:
- Identify redirect_uri parameter
- Attempt to change to attacker.com
- Test with open redirect on whitelisted domain
- Try path traversal in redirect
- Use localhost for testing
- Check if state parameter validated
Impact: Authorization code theft, account takeover
6.2 OAuth CSRF
How it works: No state parameter or weak validation allows CSRF in OAuth flow.
Steps to Find:
- Initiate OAuth login
- Check if state parameter is used
- Test without state parameter
- Attempt to reuse auth codes
- Check if state is predictable
- Verify state tied to session
Impact: Account linking to attacker’s social account
6.3 SSO Signature Verification Bypass
How it works: SSO assertions (SAML, JWT) not properly verified.
Steps to Find:
- Capture SSO assertion
- Modify email/username
- Check if signature verified
- Test with algorithm none attack
- Remove signature entirely
- Try with expired/revoked assertions
Impact: Authentication as any user
6.4 Account Takeover via SSO
How it works: Email mismatch between SSO and local account allows hijacking.
Steps to Find:
- Register account with email@test.com
- Login with SSO using attacker@test.com
- Check if accounts merge automatically
- Test if email can be changed during SSO
- Verify email verification before linking
- Check if SSO email can be spoofed
Impact: Account takeover via SSO misconfiguration
6.5 OAuth Scope Escalation
How it works: Requested OAuth scopes can be escalated to access more data.
Steps to Find:
- Intercept OAuth authorization request
- Modify scope parameter (add admin scopes)
- Check if excessive scopes granted
- Test with previously authorized apps
- Verify scope validation
- Check if scopes can be downgraded
Impact: Unauthorized data access, privilege escalation
7. Logout & Session Termination Flaws
7.1 Incomplete Logout
How it works: Logout doesn’t fully terminate all sessions or tokens.
Steps to Find:
- Login and obtain session
- Perform logout
- Attempt to reuse old session cookie
- Check if API tokens still work
- Test with back button after logout
- Verify if cached pages accessible
Impact: Session persistence, unauthorized access
7.2 Session Not Terminated on Password Change
How it works: Old sessions remain active after password change.
Steps to Find:
- Login on Browser A and Browser B
- Change password on Browser A
- Continue using Browser B
- Test privileged actions
- Check if session invalidated globally
- Verify mobile app sessions
Impact: Session hijacking persistence
7.3 Session Timeout Not Enforced
How it works: Session never expires or timeout is too long.
Steps to Find:
- Login to application
- Leave idle for extended period (24h, 7d)
- Return and attempt action
- Check if session still valid
- Verify absolute vs idle timeout
- Test sensitive actions after idle
Impact: Unauthorized access via abandoned sessions
7.4 Logout CSRF
How it works: Logout functionality lacks CSRF protection.
Steps to Find:
- Identify logout endpoint
- Check for CSRF tokens
- Create malicious logout page
- Test with victim logged in
- Verify if confirmation required
- Check GET vs POST logout
Impact: Denial of service, user annoyance
8. Rate Limiting & Brute Force Protections
8.1 No Rate Limiting on Auth Endpoints
How it works: Authentication endpoints allow unlimited requests.
Steps to Find:
- Send 100 rapid login attempts
- Test registration endpoint
- Check password reset
- Verify MFA validation
- Test API authentication endpoints
- Check if rate limiting IP-based or account-based
Impact: Brute-force attacks, credential stuffing
How it works: Rate limiting can be bypassed by manipulating headers.
Steps to Find:
- Test with X-Forwarded-For spoofing
- Rotate User-Agent
- Try different Accept-Language
- Use proxy rotation
- Test with null origin
- Check if rate limiting resets on certain actions
Impact: Continued brute-force despite protections
8.3 Account Lockout Policy Flaws
How it works: Account lockout creates DoS or can be bypassed.
Steps to Find:
- Trigger lockout with failed attempts
- Check if legitimate user notified
- Test if lockout persists indefinitely
- Verify lockout bypass via password reset
- Check if lockout applies to all endpoints
- Test if lockout creates enumeration vector
Impact: Denial of service, brute-force continuation
8.4 CAPTCHA Bypass
How it works: CAPTCHA can be bypassed, removed, or solved automatically.
Steps to Find:
- Remove CAPTCHA parameter from request
- Test with empty CAPTCHA value
- Check if CAPTCHA reused
- Test OCR bypass on simple CAPTCHAs
- Verify CAPTCHA tied to session
- Check if CAPTCHA appears after N attempts only
Impact: Automated attacks, brute-force
9. Authentication API Security
9.1 API Authentication Bypass
How it works: Mobile/API endpoints have weaker authentication than web.
Steps to Find:
- Map all API endpoints
- Test without authentication headers
- Try with expired/invalid tokens
- Check if API accepts alternative auth methods
- Test versioned APIs (v1 vs v2)
- Verify if API checks authorization
Impact: Unauthorized data access
9.2 JWT Vulnerabilities
How it works: JWT tokens misconfigured or weakly implemented.
Steps to Find:
- Decode JWT, analyze structure
- Check for “alg”: “none” attack
- Test RS256 to HS256 downgrade
- Verify signature validation
- Check for sensitive data in payload
- Test token expiration enforcement
Impact: Authentication bypass, privilege escalation
9.3 Insecure Direct Object References (IDOR) in Auth
How it works: User IDs in requests allow accessing other accounts.
Steps to Find:
- Identify endpoints with user_id parameter
- Change to other user’s ID
- Test profile update endpoints
- Check password change with user_id
- Verify email update endpoints
- Test if authorization checks performed
Impact: Account takeover, data exposure
How it works: API keys, tokens exposed in client-side code or requests.
Steps to Find:
- Check JavaScript files for hardcoded keys
- Monitor network for tokens in URLs
- Test if tokens in WebSocket connections
- Check browser storage for API keys
- Verify if tokens logged in console
- Test if tokens in source maps
Impact: Credential theft, API abuse
10. Testing Methodology
Phase 1: Reconnaissance
- Map Authentication Surface:
- Registration, login, logout
- Password reset/recovery
- Profile/account settings
- MFA setup/management
- OAuth/SSO connections
- API endpoints (mobile, web)
- Document Parameters:
- Usernames, emails, passwords
- Tokens (session, reset, MFA)
- User IDs and roles
- Redirect URLs
- State/nonce values
- Identify Technologies:
- Authentication framework
- Session management method
- Password hashing algorithm
- MFA implementation (TOTP, SMS)
- OAuth provider versions
Phase 2: Functional Testing
- Happy Path Testing:
- Complete registration flow
- Login with valid credentials
- Logout functionality
- Password change
- Account recovery
- MFA enrollment/usage
- Edge Cases:
- Invalid formats (email, password)
- Boundary values (min/max length)
- Special characters, Unicode
- Concurrent operations
- Network interruptions
- Browser back/forward buttons
- State Testing:
- Session persistence
- Multi-tab/browser behavior
- Concurrent logins
- Session after password change
- Remember me functionality
- Idle timeout
Phase 3: Attack Patterns
- Input Validation:
- Injection attacks (SQL, NoSQL, LDAP)
- Parameter manipulation
- Mass assignment
- Unicode normalization
- Null byte injection
- Format string bugs
- Authentication Bypass:
- Response manipulation
- Cookie tampering
- JWT attacks
- OAuth redirects
- Direct endpoint access
- HTTP method tampering
- Privilege Escalation:
- Horizontal (other users)
- Vertical (admin roles)
- Parameter tampering
- Role manipulation
- Insecure direct object references
- Session Analysis:
- Token predictability
- Session fixation
- Cookie security flags
- Session timeout
- Concurrent session handling
- Rate Limiting Tests:
- Brute-force attempts
- Credential stuffing
- Header manipulation
- Distributed attacks
- CAPTCHA bypass