Authentication Testing (/test-auth)
Tests authentication mechanisms, session management, JWT implementation, OAuth/SAML flows, and credential handling per OWASP A07:2025 and PortSwigger Academy methodologies. The legacy /test-auth entrypoint is now a thin router. Real dispatch should prefer:
- /test-jwt
- /test-oauth
- /test-session

Usage: `/test-auth <target_url> [login_endpoint] [engagement_dir]`
Scope Routing
| Scope | Sections | Focus |
| --- | --- | --- |
| jwt | /test-jwt | JWT weak key brute-force, alg:none, RS256-to-HS256 confusion, JWK/JKU injection, KID path traversal, aud bypass, JWT no-expiration |
| oauth | /test-oauth | OAuth/OIDC redirect URI manipulation, state null byte, IDN homograph, PKCE bypass, pre-ATO via unverified email, ROPC grant, dirty dancing, device code abuse; SAML response manipulation, signature bypass, provider injection |
| session | /test-session | Session fixation/invalidation, rate limiting, password policy, user enumeration, dual auth detection, default credentials, password reset attacks, account pre-hijacking, Flask/Redash signing, client-side auth bypass |
Coverage
- Session Security Fundamentals -- Session fixation, logout invalidation, concurrent session limits, session token entropy and predictability analysis.
- Authentication Mechanism Analysis -- Multi-factor detection, credential transport (HTTPS enforcement), account lockout policy, user enumeration via timing/error differences.
- JWT Attacks -- Weak key cracking via hashcat (jwt.secrets.list), algorithm none, RS256-to-HS256 key confusion, JWK/JKU header injection, KID path traversal to /dev/null, audience claim bypass, missing expiration claim.
- OAuth/OIDC -- Redirect URI manipulation (open redirect, path traversal, fragment), state parameter null byte bypass, IDN homograph domain bypass, PKCE downgrade, pre-account takeover via unverified email linking, Resource Owner Password Credentials grant abuse, dirty dancing (auth code reuse), device code phishing.
- SAML -- Response manipulation, XML signature wrapping, provider injection.
- Password Reset -- Host header poisoning, token predictability analysis, race condition on token generation, array injection for multi-email reset.
- Dual Authentication -- Detection and testing of parallel JWT and session-cookie auth systems.
- Default Credentials -- Testing common default username/password combinations for discovered services.
- Account Pre-Hijacking -- Pre-registration attacks in which the attacker creates an account before the victim does, so that the victim's later OAuth login or email verification is linked to the attacker-controlled session.
- Flask/Redash Session Signing -- Weak signing key brute-force for Flask session cookies and Redash API keys.
- Client-Side Auth Bypass -- SPA authentication response manipulation (changing `{"authenticated": false}` to `true` in local storage/responses).
- Cognito Email Normalization -- AWS Cognito case-sensitivity bypass for account takeover.
- Plaintext Password Detection -- Checking if passwords are returned in API responses or stored without hashing.
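As an added illustration that is not part of this tool's own code, the following Python audit inspects a JWT's header and claims for the weaknesses the JWT Attacks bullet names (alg:none, an unexpected algorithm such as HS256 where RS256 is expected, attacker-controllable jku/jwk key sources, path characters in kid, and missing or expired exp/aud). The helpers `make_unsigned_token` and `audit_jwt` are hypothetical; the sample tokens are constructed, and only metadata is inspected, not the signature.

```python
import base64
import json
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(seg: str) -> bytes:
    # JWT segments omit padding; restore it before decoding
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def make_unsigned_token(header: dict, claims: dict) -> str:
    """Build a constructed header.payload.signature string with a placeholder signature."""
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(claims).encode()), "sig"])


def audit_jwt(token: str, expected_alg: str, expected_aud: str, now=None) -> list:
    """Return the weaknesses found in a JWT's header and claims (metadata only)."""
    now = int(time.time()) if now is None else now
    findings = []
    parts = token.split(".")
    if len(parts) != 3:
        return ["malformed: expected three dot-separated segments"]
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    alg = str(header.get("alg", ""))
    if alg.lower() == "none":
        findings.append("alg is none")
    elif alg != expected_alg:
        # e.g. HS256 where RS256 is expected: key-confusion risk on a lax verifier
        findings.append(f"algorithm {alg} differs from expected {expected_alg}")
    if "jku" in header or "jwk" in header:
        findings.append("header carries jku/jwk: key source must be pinned by the verifier")
    kid = header.get("kid")
    if isinstance(kid, str) and ("/" in kid or ".." in kid):
        findings.append("kid contains path characters")
    if "exp" not in claims:
        findings.append("no exp claim")
    elif claims["exp"] < now:
        findings.append("token expired")
    aud = claims.get("aud")
    if aud is None:
        findings.append("no aud claim")
    elif expected_aud not in ([aud] if isinstance(aud, str) else aud):
        findings.append("aud does not include expected audience")
    return findings
```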
Key Sections
| Section | ID | Description |
| --- | --- | --- |
| Auth Endpoint Enumeration | A-PRE | Discovers all auth endpoints (JWT, Sanctum, OAuth, web form). Validates tokens against real endpoints. Detects dual-auth systems. |
| Session Security | A0 | Session fixation (A0a), logout invalidation (A0b), rate limiting (A0c), user enumeration (A0d). |
| Dual Auth Testing | SECTION | Tests apps with both JWT-based and session-cookie-based authentication. |
| Default Credentials | SECTION | Tests discovered services for default username/password combinations. |
| Auth Mechanism Analysis | A1-A4 | Transport security, credential handling, MFA detection, account policies. |
| Session Management | B1-B4 | Token entropy analysis, session fixation, cookie flags, concurrent sessions. |
| JWT Testing | C1-C6 | Weak key (hashcat), alg:none, RS256/HS256 confusion, JWK/JKU injection, KID traversal, aud bypass. |
| OAuth Testing | D1-D18 | Redirect URI bypass, state null byte, IDN homograph, PKCE downgrade, pre-ATO, ROPC, dirty dancing, device code abuse. |
| SAML Testing | E1-E3 | Response manipulation, signature bypass, provider injection. |
| Password Reset | F1-F7 | Host header poisoning, token predictability, race condition, array injection. |
| Plaintext Passwords | G | Detection of passwords in API responses. |
| Weak Password Policy | G1 | Minimum length, complexity, common password acceptance. |
| JWT No Expiration | G2 | Separate finding even if alg:none already found. |
| Cognito Normalization | G3 | AWS Cognito email case-sensitivity ATO. |
| OAuth Pre-ATO | G4 | Unverified email pre-account takeover. |
| Secret Phrase Bypass | H | Admin bypass via hidden parameters or magic values. |
| Account Pre-Hijacking | I1-I4 | Classic federated merge, unexpired session, trojan identifier, pre-registration. |
| Flask/Redash Signing | J | Weak session signing key brute-force. |
| Client-Side Auth Bypass | J1 | SPA auth response manipulation. |
Model and Thinking Budget
| Scope | Model | Rationale |
| --- | --- | --- |
| jwt | Opus (high) | Creative reasoning for algorithm confusion, key confusion attacks |
| oauth | Opus (high) | Complex multi-step flow analysis, redirect URI bypass chains |
| session | Opus (medium) | Procedural session analysis with some creative elements (pre-hijacking) |
Kill Switch
| Limit | Value |
| --- | --- |
| Timeout | 45 minutes |
| Max requests | 500 (warning at 400) |
| Auth rate limit | 1 req/sec for authentication endpoints |
| Max login attempts | 5 per test (never brute-force) |
AI Decision Points
Four [AI-DECISION] markers:
- Token Type Detection (A-PRE-3) -- Determine which token type (JWT vs Sanctum) each API endpoint actually accepts. Apps may use different token types for different endpoints.
- Session Token Analysis (B) -- Compare session tokens for entropy and predictability. Look for sequential, timestamp-based, or weakly encoded patterns.
- JWT Attack Path Selection (C) -- Analyze JWT structure and algorithm. Determine attack path: none alg, weak key cracking, algorithm confusion, or claim manipulation.
- OAuth Flow Mapping (D) -- Map the OAuth flow completely before testing. Identify which parameters are validated server-side vs client-side.
Knowledge Packs and Cheatsheets
| Resource | Path |
| --- | --- |
| Auth bypass knowledge | helpers/knowledge-auth-bypass.md |
| JWT cheatsheet | helpers/cheatsheet-jwt.md |
| OAuth cheatsheet | helpers/cheatsheet-oauth.md |
| Research terms | helpers/research-terms.md |
| Exemplars | helpers/exemplars.md |
External payload files: SecLists common passwords (top 10K), default credentials, top usernames, JWT attack payloads, OAuth bypass techniques from PayloadsAllTheThings.
Safety
- Never brute-force production accounts. Use only provided test credentials.
- Max 5 login attempts per test.
- Never test with real user emails for password reset Host header attacks.
- Never lock out accounts.