Day 2 – WAPT Foundations
If Day 1 was about how the web works,
Day 2 is about how identity is established, maintained, and broken.
Most critical web breaches don’t start with RCE or SQLi.
They start with weak authentication logic and poor session management.
This blog builds the mental model every web pentester must have before testing A01: Broken Access Control, A02: Cryptographic Failures, and A07: Identification & Authentication Failures in the OWASP Top 10.
1. What Is Authentication? (Beyond Username & Password)
Authentication is the process of proving identity to an application.
It answers one question only:
“Who are you?”
This is fundamentally different from authorization, which answers:
“What are you allowed to do?”
In web applications, authentication commonly relies on:
Username + password
Email + OTP
API keys
OAuth tokens
SSO assertions
Where Developers Go Wrong
Authentication failures are rarely about weak passwords alone.
They usually involve:
Predictable logic
Poor state handling
Inconsistent validation paths
Examples:
Login endpoint validates credentials, but password reset does not
MFA enforced on UI, not on API
Error messages revealing whether a user exists
From a pentester’s perspective, authentication is not a single feature — it is a workflow.
Key pentesting insight:
You don’t test “login”.
You test every path that leads to an authenticated state.
2. Cookies Explained (The Backbone of Web Sessions)
Cookies are small key-value pairs stored by the browser and sent with every request to a matching domain.
They are commonly used to store:
Session identifiers
Authentication tokens
User preferences
Tracking data
Types of Cookies
Session cookies → Deleted on browser close
Persistent cookies → Stored with expiration
Secure cookies → Sent only over HTTPS
HttpOnly cookies → Not accessible via JavaScript
Why Cookies Matter in WAPT
If an attacker can:
Steal a cookie
Predict a cookie
Modify a cookie
They can become the user without knowing the password.
This leads directly to:
Session hijacking
Privilege escalation
Account takeover
Red flag for testers:
Any application that stores sensitive data directly inside cookies (user IDs, roles, permissions) without proper protection.
3. Session Management
A session represents an authenticated conversation between client and server.
The typical lifecycle:
User authenticates
Server generates session ID
Session ID stored in cookie
Cookie sent with every request
Server maps session ID → user identity
Common Session Weaknesses
Predictable session IDs
Session not invalidated on logout
Same session reused after privilege change
Session survives password reset
Classic Attacks
Session fixation → Attacker sets session ID before login
Session hijacking → Attacker steals active session
Session replay → Old session still valid
Pentester rule:
Always test session behavior during:
Login
Logout
Password reset
Role change
Timeout
If sessions aren’t rotated or invalidated properly, the application is already compromised.
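As an added example (not code from the original post), a minimal in-memory session store that applies the lifecycle rules above: a fresh ID on login and on role change, revocation of every session of a user on logout and password reset, and an idle timeout. The class name, the 15-minute timeout and the injectable clock are assumptions made for the example.

```python
import secrets
import time

IDLE_TIMEOUT = 900  # seconds; assumed value for the example


class SessionStore:
    """Server-side session map: session_id -> {user, role, last_seen}."""

    def __init__(self, now=time.time):
        self.now = now        # injectable clock so the timeout can be tested
        self.sessions = {}

    def _issue(self, user, role):
        # Unpredictable ID from the CSPRNG, never a counter or timestamp.
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": user, "role": role, "last_seen": self.now()}
        return sid

    def anonymous(self):
        # Pre-login session (e.g. a cart); carries no identity.
        return self._issue(None, None)

    def login(self, presented_sid, user, role):
        # Rotate on login: the ID the client presented (possibly planted by a
        # fixation attempt) is discarded, never upgraded to an authenticated one.
        self.sessions.pop(presented_sid, None)
        return self._issue(user, role)

    def resolve(self, sid):
        s = self.sessions.get(sid)
        if s is None:
            return None
        if self.now() - s["last_seen"] > IDLE_TIMEOUT:
            del self.sessions[sid]        # idle timeout: session is gone
            return None
        s["last_seen"] = self.now()
        return s

    def change_role(self, sid, new_role):
        # Privilege change gets a new ID so an old copy of the cookie is useless.
        s = self.sessions.pop(sid)
        return self._issue(s["user"], new_role)

    def revoke_user(self, user):
        # Called on logout and password reset: drop every session of the user,
        # not only the one that made the request.
        for sid in [k for k, v in self.sessions.items() if v["user"] == user]:
            del self.sessions[sid]
```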
4. Tokens (JWT, API Tokens, Bearer Auth)
Modern applications increasingly use token-based authentication, especially for APIs.
Common Token Types
JWT (JSON Web Tokens)
OAuth access tokens
API keys
JWTs typically contain:
Header (algorithm)
Payload (claims)
Signature
Why Tokens Are Dangerous
Developers often assume:
“It’s signed, so it’s secure.”
Pentesters know better.
Common token issues:
Weak signing algorithms
No expiration validation
Excessive data in payload
Trusting client-side claims
If a backend trusts token claims like role=admin without verifying authorization server-side, privilege escalation becomes trivial.
Pentester mindset:
Tokens are assertions, not truth.
Every claim must be verified.
5. Authentication Logic Flaws
Logic flaws occur when:
Steps can be skipped
Order is not enforced
State transitions are assumed
Examples:
Accessing /dashboard directly after signup
Reusing reset tokens multiple times
Changing user ID parameter post-login
These issues don’t trigger alerts.
They silently hand over access.
Reality:
Most high-impact authentication bugs are invisible to scanners.
