
About
Identify and exploit authentication and session-management vulnerabilities in web applications. Authentication flaws consistently rank in the OWASP Top 10 and can lead to account takeover, identity theft and unauthorized access to sensitive systems.
name: broken-authentication
description: "识别和利用Web应用程序中的认证和会话管理漏洞。认证缺陷持续位列OWASP Top 10,可导致账户接管、身份盗窃和对敏感系统的未授权访问。"
risk: unknown
source: community
author: zebbern
date_added: "2026-02-27"
Broken Authentication Testing
Purpose
Identify and exploit authentication and session-management vulnerabilities in web applications. Authentication flaws consistently rank in the OWASP Top 10 and can lead to account takeover, identity theft and unauthorized access to sensitive systems. This skill covers test methods for password policy, session handling, multi-factor authentication and credential management.
Prerequisites
Required Knowledge
- HTTP protocol and session mechanisms
- Authentication types (SFA, 2FA, MFA)
- Cookie and token handling
- Common authentication frameworks
Required Tools
- Burp Suite Professional or Community
- Hydra or a similar brute-force tool
- Custom wordlists for credential testing
- Browser developer tools
Required Access
- Target application URL
- Test account credentials
- Written testing authorization
Outputs and Deliverables
- Authentication Assessment Report - documents all identified vulnerabilities
- Credential Testing Results - results of brute-force and dictionary attacks
- Session Security Analysis - evaluation of token randomness and timeouts
- Remediation Recommendations - security hardening guidance
Core Workflow
Phase 1: Authentication Mechanism Analysis
Understand the application's authentication architecture:
# Identify authentication type
- Password-based (forms, basic auth, digest)
- Token-based (JWT, OAuth, API keys)
- Certificate-based (mutual TLS)
- Multi-factor (SMS, TOTP, hardware tokens)
# Map authentication endpoints
/login, /signin, /authenticate
/register, /signup
/forgot-password, /reset-password
/logout, /signout
/api/auth/*, /oauth/*
Capture and analyze the authentication request:
POST /login HTTP/1.1
Host: target.com
Content-Type: application/x-www-form-urlencoded
username=test&password=test123
Phase 2: Password Policy Testing
Evaluate password requirements and how they are enforced:
# Test minimum length (a, ab, abcdefgh)
# Test complexity (password, password1, Password1!)
# Test common weak passwords (123456, password, qwerty, admin)
# Test username as password (admin/admin, test/test)
Record policy weaknesses: minimum length < 8, no complexity requirement, common passwords accepted, username accepted as password.
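The four policy defects listed above are easiest to verify against a reference implementation of the checks. The following is an added example, not code from the original skill page or from its author: it encodes a weak policy that exhibits each defect next to a hardened policy, and evaluates the same candidate passwords from the Phase 2 checklist against both. The deny-list and candidate passwords are constructed sample data.

```python
"""Password policy checker (added example, not the skill page's own code).

Implements the checks Phase 2 probes for: minimum length, character classes,
a deny-list of common passwords, and the username reused as the password.
A weak policy mirroring the recorded defects sits beside a hardened one so
the same candidate can be compared under both.
"""
import string

# Constructed deny-list; a deployment would load a breached-password corpus.
COMMON_PASSWORDS = {"123456", "password", "password1", "qwerty", "admin", "letmein"}

# Weak policy: every defect from the Phase 2 findings list is present.
WEAK_POLICY = {"min_length": 4, "require_classes": 1, "deny_common": False, "deny_username": False}
# Hardened policy: 8+ characters, three character classes, deny-list, no username reuse.
HARDENED_POLICY = {"min_length": 8, "require_classes": 3, "deny_common": True, "deny_username": True}


def character_classes(password):
    """Count the character classes present: lowercase, uppercase, digit, symbol."""
    classes = 0
    classes += any(c.islower() for c in password)
    classes += any(c.isupper() for c in password)
    classes += any(c.isdigit() for c in password)
    classes += any(c in string.punctuation for c in password)
    return classes


def check_password(password, username, policy):
    """Return the list of policy violations; an empty list means accepted."""
    violations = []
    if len(password) < policy["min_length"]:
        violations.append("too_short")
    if character_classes(password) < policy["require_classes"]:
        violations.append("insufficient_complexity")
    if policy["deny_common"] and password.lower() in COMMON_PASSWORDS:
        violations.append("common_password")
    if policy["deny_username"] and username.lower() in password.lower():
        violations.append("contains_username")
    return violations


def compare_policies(password, username):
    """Evaluate one candidate under both policies, e.g. for a findings table."""
    return {
        "weak": check_password(password, username, WEAK_POLICY),
        "hardened": check_password(password, username, HARDENED_POLICY),
    }


if __name__ == "__main__":
    # Constructed candidates matching the probes in the Phase 2 checklist.
    for user, pw in [("admin", "admin"), ("test", "password1"), ("alice", "Tr0ub4dor&3")]:
        print(user, pw, compare_policies(pw, user))
```

A policy that returns an empty list for `admin`/`admin` exhibits all four defects at once; the hardened policy rejects it on every check, which is the outcome to document in the remediation section.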
Phase 3: Credential Enumeration
Test for username enumeration vulnerabilities:
# Compare responses for valid vs invalid usernames
# Invalid: "Invalid username" vs Valid: "Invalid password"
# Check timing differences, response codes, registration messages
# Password reset
"Email sent if account exists" (secure)
"No account with that email" (leaks info)
# API responses
{"error": "user_not_found"}
{"error": "invalid_password"}
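The leaky and secure responses above differ in message, status code and timing, so the fix has to address all three. The following is an added example, not code from the original skill page: a login handler that returns the distinct `user_not_found` / `invalid_password` errors beside a hardened handler that returns one generic response and performs the same PBKDF2 derivation whether or not the account exists. The user table, salts and the `responses_distinguish_users` test helper are constructed for the example.

```python
"""Enumeration-resistant login responses (added example, not the page's code).

Contrasts the Phase 3 leaks ("user_not_found" vs "invalid_password", and an
early return that skips password hashing for unknown users) with a handler
that gives every failure the same status, body and hashing cost.
"""
import hashlib
import hmac
import os

ITERATIONS = 100_000


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user store: username -> (salt, derived key).
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, hash_password("correct horse", _SALT))}

# Dummy record used for unknown usernames so the hardened handler still does
# one PBKDF2 derivation; its key never matches a real login because the
# username guard below requires the account to exist.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password("unused-placeholder", _DUMMY_SALT)


def login_leaky(username, password):
    """Vulnerable: distinct errors, and no hashing work for unknown users."""
    record = USERS.get(username)
    if record is None:
        return 404, {"error": "user_not_found"}
    salt, expected = record
    if not hmac.compare_digest(hash_password(password, salt), expected):
        return 401, {"error": "invalid_password"}
    return 200, {"ok": True}


GENERIC_FAILURE = (401, {"error": "invalid_credentials"})


def login_hardened(username, password):
    """Same status, same body and same PBKDF2 cost for every failed login."""
    salt, expected = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = hash_password(password, salt)
    if username in USERS and hmac.compare_digest(candidate, expected):
        return 200, {"ok": True}
    return GENERIC_FAILURE


def responses_distinguish_users(handler):
    """The Phase 3 check: does an unknown user get a different reply than a wrong password?"""
    unknown = handler("nobody", "x")
    wrong_password = handler("alice", "wrong")
    return unknown != wrong_password


if __name__ == "__main__":
    print("leaky distinguishes users:", responses_distinguish_users(login_leaky))
    print("hardened distinguishes users:", responses_distinguish_users(login_hardened))
```

The timing side of the check is not visible in the return values, which is why the hardened handler always runs `hash_password` even for unknown users: measuring request latency for a known versus unknown username is the same test the "Check timing differences" line above describes.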
Phase 4: Brute Force Testing
Test account lockout and rate limiting:
# Using Hydra for form-based auth
hydra -l admin -P /usr/share/wordlists/rockyou.txt \
target.com http-post-form \
"/login:username=^USER^&password=^PASS^:Invalid credentials"
# Using Burp Intruder
1. Capture login request
2. Send to Intruder
3. Set payload positions on password field
4. Load wordlist
5. Start attack
6. Analyze response lengths/codes
Check the protective measures:
# Account lockout
- After how many attempts?
- Duration of lockout?
- Lockout notification?
# Rate limiting
- Requests per minute limit?
- IP-based or account-based?
- Bypass via headers (X-Forwarded-For)?
# CAPTCHA
- After failed attempts?
- Easily bypassable?
Phase 5: Credential Stuffing
Test with known breached credentials:
# Credential stuffing differs from brute force
# Uses known email:password pairs from breaches
# Using Burp Intruder with Pitchfork attack
1. Set username and password as positions
2. Load email list as payload 1
3. Load password list as payload 2 (matched pairs)
4. Analyze for successful logins
# Detection evasion
- Slow request rate
- Rotate source IPs
- Randomize user agents
- Add delays between attempts
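Phases 4 and 5 describe two attack shapes that leave different footprints in an authentication log: many failures against one account (what account lockout should catch) versus one source address failing once or twice across many accounts (which per-account lockout never triggers on). The following is an added example, not code from the original skill page: it parses constructed audit lines and flags both patterns, which is the defender-side check to run after a test to confirm what the application's own monitoring would have seen. The log format, thresholds and addresses are assumptions for the example.

```python
"""Brute-force and credential-stuffing detection over auth logs
(added example, not the skill page's own code).

Flags (a) >= account_threshold failures on one account inside a sliding
window and (b) one source IP failing against >= stuffing_threshold distinct
accounts with at most two attempts each.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Assumed audit-line format for the example.
LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$")

# Constructed sample log: six failures on "admin" from one address, then one
# address trying a single guess against 25 different accounts, then a normal login.
SAMPLE_LOG = "\n".join(
    [f"2026-02-27T10:00:{i:02d}Z ip=198.51.100.7 user=admin result=fail" for i in range(6)]
    + [f"2026-02-27T10:05:{i:02d}Z ip=203.0.113.9 user=user{i} result=fail" for i in range(25)]
    + ["2026-02-27T10:06:00Z ip=192.0.2.4 user=alice result=ok"]
)


def parse_log(text):
    """Yield (timestamp, ip, user, result) for well-formed lines; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["ip"], m["user"], m["result"]


def detect(text, window=timedelta(minutes=15), account_threshold=5, stuffing_threshold=20):
    """Return {'brute_force': {user: max_failures_in_window},
               'credential_stuffing': {ip: distinct_accounts}}."""
    events = sorted(parse_log(text))
    fails_by_user = defaultdict(list)                      # user -> [timestamps]
    users_by_ip = defaultdict(lambda: defaultdict(int))    # ip -> {user: failures}
    for ts, ip, user, result in events:
        if result != "fail":
            continue
        fails_by_user[user].append(ts)
        users_by_ip[ip][user] += 1

    findings = {"brute_force": {}, "credential_stuffing": {}}
    for user, stamps in fails_by_user.items():
        # Sliding window: the most failures that fit inside any `window` span.
        best, start = 0, 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= account_threshold:
            findings["brute_force"][user] = best
    for ip, per_user in users_by_ip.items():
        # Few attempts per account but many accounts is the stuffing signature.
        if len(per_user) >= stuffing_threshold and max(per_user.values()) <= 2:
            findings["credential_stuffing"][ip] = len(per_user)
    return findings


if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

The two thresholds correspond to the two questions in the "Check the protective measures" list: `account_threshold` is the lockout counter, and `stuffing_threshold` is what an IP-based (rather than account-based) rate limit has to key on. If the application honours `X-Forwarded-For` when attributing the source address, the second detector sees a different IP per request and reports nothing, which is the bypass the same list asks about.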
Phase 6: Session Management Testing
Analyze session token security:
# Capture session cookie
Cookie: SESSIONID=abc123def456
# Test token characteristics
1. Entropy - Is it random enough?
2. Length - Sufficient length (128+ bits)?
3. Predictability - Sequential patterns?
4. Secure flags - HttpOnly, Secure, SameSite?
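Items 2 and 4 of the list above can be judged from a single `Set-Cookie` header; items 1 and 3 need a sample of many tokens. The following is an added example, not code from the original skill page: it parses raw `Set-Cookie` values, reports missing `HttpOnly`, `Secure` and `SameSite` attributes, and estimates from the token's alphabet whether the value can even hold 128 bits. The header strings are constructed, except for the `SESSIONID=abc123def456` value already shown above.

```python
"""Session cookie attribute and length audit (added example, not the page's code).

Reports the Phase 6 checks readable from one Set-Cookie header: missing
HttpOnly / Secure / SameSite and a token value too short for 128 bits.
"""
import math
import string

# Constructed headers: the page's weak cookie, and a hardened one.
WEAK_COOKIE = "SESSIONID=abc123def456; Path=/"
GOOD_COOKIE = "session=" + "0f" * 32 + "; Path=/; HttpOnly; Secure; SameSite=Lax"


def parse_set_cookie(header):
    """Split 'NAME=value; Attr; Attr=val' into (name, value, {attr_lower: val or True})."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() or True
    return name, value, attrs


def token_bits(value):
    """Upper bound on the bits a token can carry, inferred from its alphabet."""
    if value.isdigit():
        return int(len(value) * math.log2(10))
    if all(c in string.hexdigits for c in value):
        return len(value) * 4
    if all(c in string.ascii_letters + string.digits + "-_+/" for c in value.rstrip("=")):
        return len(value.rstrip("=")) * 6                 # base64 / base64url
    return int(len(value) * math.log2(94))               # printable ASCII


def audit_cookie(header, min_bits=128):
    """Return (cookie name, list of findings); an empty list means no issue found."""
    name, value, attrs = parse_set_cookie(header)
    findings = []
    if "httponly" not in attrs:
        findings.append("missing_HttpOnly")
    if "secure" not in attrs:
        findings.append("missing_Secure")
    samesite = attrs.get("samesite")
    if samesite is None or samesite is True:
        findings.append("missing_SameSite")
    elif samesite.lower() == "none":
        findings.append("SameSite_None")
    bits = token_bits(value)
    if bits < min_bits:
        findings.append(f"short_token_{bits}_bits")
    return name, findings


if __name__ == "__main__":
    for header in (WEAK_COOKIE, GOOD_COOKIE):
        print(audit_cookie(header))
```

`token_bits` is an upper bound only: a 64-character hex value can carry 256 bits but may still be predictable, which is what the multi-token entropy analysis that follows is for.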
Session token analysis:
#!/usr/bin/env python3
import math
from collections import Counter
import requests

# Collect multiple session tokens from the target login page
tokens = []
for _ in range(100):
    response = requests.get("https://target.com/login")
    token = response.cookies.get("SESSIONID")
    if token:
        tokens.append(token)

# Analyze: repeated tokens indicate weak randomness; per-character Shannon
# entropy well below log2(alphabet size) suggests a small or structured keyspace
print("unique tokens:", len(set(tokens)), "of", len(tokens))
counts = Counter("".join(tokens))
total = sum(counts.values())
entropy = -sum(c / total * math.log2(c / total) for c in counts.values())
print(f"per-character entropy: {entropy:.2f} bits")
Compatible tools: Claude Code, Cursor
Tags: security
