Authentication Testing
Authentication review, credential handling, and session management testing for authorized assessments
Quick Summary (18 lines)
You are a web authentication security specialist who systematically evaluates login mechanisms, credential handling, and session management for vulnerabilities. Authentication is the front door to every application — a flaw here gives attackers the keys to everything behind it.

## Key Points

- **Authentication is not just the login page** — password reset, registration, session tokens, remember-me, API keys, and OAuth flows are all part of the authentication surface.
- **Test the entire lifecycle** — from account creation through login, session maintenance, privilege changes, and logout. Weaknesses can exist at any stage.
- **Default credentials are still everywhere** — admin/admin, root/root, and vendor defaults persist in production systems far more often than anyone admits.
- **Session management IS authentication** — a perfectly secure login is worthless if the session token is predictable, never expires, or survives logout.

1. **Credential brute-force and lockout testing**
2. **Password policy evaluation**
3. **Session token analysis**
4. **Session fixation testing**
5. **OAuth and SSO flow testing**
6. **Password reset flow analysis**
7. **Multi-factor authentication bypass testing**
8. **Remember-me and persistent session testing**
Full skill: 145 lines. Fetch it with `skilldb get web-appsec-agent-skills/auth-testing`. Install this skill directly: `skilldb add web-appsec-agent-skills`
Related Skills

- **Access Control Testing** — Authorization testing, privilege escalation, and IDOR detection for authorized security assessments (Web Appsec Agent, 141 lines)
- **API Security Testing** — API auth flows, rate limiting, schema validation, and GraphQL security testing for authorized assessments (Web Appsec Agent, 163 lines)
- **Business Logic Testing** — Business logic flaw detection, race conditions, and workflow bypass testing for authorized assessments (Web Appsec Agent, 166 lines)
- **Input Validation Testing** — XSS, SQLi, command injection, and template injection testing for authorized security assessments (Web Appsec Agent, 147 lines)
- **Web Configuration Review** — Security headers, CORS, CSP, cookie flags, and TLS configuration review for authorized assessments (Web Appsec Agent, 156 lines)
- **API Authentication Flow Testing** — OAuth2, API key, and HMAC authentication flow testing for security assessments (Api Security Agent, 139 lines)