Authentication
Authentication is the process of verifying who a user claims to be — typically through passwords, tokens, certificates, biometrics, or hardware authenticators. It is distinct from authorization, which determines what an authenticated user is allowed to do, and the two failure modes are different: a correctly authenticated user can still be a victim of broken access control, and a perfectly authorized request can still come from a forged identity.
Modern authentication relies on layered standards: OAuth 2.0 for delegated access, OpenID Connect for federated identity, SAML for enterprise SSO, JWT for stateless session tokens, and FIDO2/WebAuthn for phishing-resistant passkeys. Each of these has well-documented attack surface — OAuth redirect_uri bypasses, SAML XML signature wrapping, MFA fatigue and AiTM phishing, session fixation, and credential stuffing remain among the most common root causes in real-world breaches.
The shift toward passkeys represents the biggest practical improvement in years: public-key credentials bound to a specific origin eliminate phishing, credential stuffing, and password reuse in one stroke. But the long tail of legacy authentication — password reset flows, OAuth implementations, SAML assertion handling, and MFA bypass paths — continues to produce critical findings across bug bounty programs.
This page collects research, writeups, tools, and standards covering authentication attacks and defenses: OAuth and SAML vulnerabilities, MFA bypass techniques, passkey rollouts, session management, and the OWASP cheat sheets that codify what good authentication looks like.
From OWASP Authentication Cheat Sheet
| Date Added | Link | Excerpt |
|---|---|---|
| 2026-06-28 NEW 2026 | Exploiting insecure cookie policies beginner 7 min read | Library detailing the exploitation of insecure cookie policies, including Cross-Site Request Forgery (CSRF) due to missing SameSite or Secure flags, XSS cookie stealing when HttpOnly is absent, and cookie theft over insecure HTTP when the Secure flag is missing. The resource explains how these vulnerabilities can lead to session hijacking and account takeover by exploiting misconfigurations in cookie attributes. → intigriti.com |
| 2026-06-23 NEW 2026 | Authentication bypass vulnerabilities in TeamCity: everything you need to know news 3 min read | Writeup detailing CVE-2024-27198 and CVE-2024-27199, critical authentication bypass vulnerabilities in JetBrains TeamCity On-Premises versions prior to 2023.11.4. These flaws allow unauthenticated attackers to gain administrative control by manipulating URLs to access authenticated endpoints, enabling actions like creating new administrator accounts. CVE-2024-27199 also leverages path traversal to modify system settings and leak sensitive information. A security patch plugin is available as a workaround for those unable to immediately update. → wiz.io |
| 2026-06-22 2026 | Exploiting Auth0 Defaults in XSS Attacks - elttam intermediate 8 min read XSS | Writeup detailing how XSS vulnerabilities in applications using Auth0 can be exploited. It highlights that the default configuration of the insecure implicit grant flow in Auth0 applications, when combined with an API that allows all applications within a tenant access, enables attackers to steal access tokens. This allows pivoting to other systems, such as an administrative application, by chaining these misconfigurations. |
| 2026-06-22 2026 | Secure password hashing in Go intermediate 9 min read | Library for secure password hashing in Go, detailing best practices like salting and the importance of robust hashing algorithms such as Argon2id. It covers password storage concepts, explains attack methods like rainbow tables and brute-force, and provides insights into implementing Argon2id with specific parameters for memory, iterations, and parallelism, emphasizing the need to balance security with performance. → snyk.io |
| 2026-06-22 2026 | Top 3 security best practices for handling JWTs intermediate 8 min read JWT | Guide on securing JSON Web Tokens (JWTs) detailing three core best practices. It emphasizes keeping JWTs secret through HTTPS, HttpOnly/Secure cookie flags, and secure browser storage, while highlighting the risks of XSS. The guide stresses the importance of robust JWT validation, including signature verification, and checking claims like expiration, issuer, and audience. It also advocates for setting expiration times on JWTs to limit their usability and prevent unauthorized access. The article mentions tools like Snyk for identifying vulnerabilities and libraries such as Flask-JWT-Extended and PyJWT for implementation. → snyk.io |
| 2026-06-22 2026 | Common SAML vulnerabilities and how to remediate them beginner 4 min read | Reference detailing common SAML vulnerabilities and their remediation, including signature validation to prevent XML tampering and XML signature wrapping, weak encryption of assertions, and message expiration using "NotBefore" and "NotOnOrAfter" to prevent replay attacks. It also addresses open redirect vulnerabilities exploitable via the "RelayState" parameter and suggests ensuring its value is a trusted URL before redirection, referencing `samlify` and `python3-saml` libraries. → snyk.io |
| 2026-06-20 2026 | Emerging phishing campaign targeting AWS accounts news 4 min read | Writeup on an emerging phishing campaign targeting AWS accounts, detailing its use of redirect chains via services like squarespace.com and cli.re to reach credential harvesting pages, often visually cloning the legitimate AWS sign-in page. The campaign leverages Amazon SES and CloudFront, with observed attacker-controlled domains including consoleportal[.]tech. It emphasizes securing AWS environments by disabling root logins via SCP, using FIDO security keys for MFA, enforcing SSO, implementing least privilege, and enabling Amazon CloudTrail for logging and impact assessment. → wiz.io |
| 2026-06-20 2026 | AWS Console Session Traceability: How Attackers Obfuscate Identity Through the AWS Console intermediate 8 min read | Writeup on the "Console Conceal" technique, which attackers can use to obfuscate their identity within AWS by manipulating role session names and exploiting a quirk in how AWS Console actions are logged in CloudTrail. This method bypasses standard traceability, making it difficult to attribute actions back to compromised credentials, especially when SourceIdentity is not configured. The analysis details how attackers can assume roles with misleading session names and how security teams can still investigate by correlating actions with the original AssumeRole events. → wiz.io |
| 2026-06-20 2026 | “Bug Bounty Bootcamp #48: OAuth + XSS ” intermediate Bug Bounty XSS | This Bug Bounty Bootcamp #48 focuses on a potent combination for account takeover: OAuth vulnerabilities and Cross-Site Scripting (XSS). The article, "The Ultimate Account Takeover One-Two Punch," explores how these two attack vectors can be exploited in tandem to gain unauthorized access to user accounts. The content is hosted on InfoSec Write-ups and details the methods and techniques used in such exploits. No specific bounty payout amount is mentioned. → infosecwriteups.com |
| 2026-06-19 2026 | “Bug Bounty Bootcamp #46: Not Allowed From Your IP?” advanced | This article from InfoSec Write-ups, "Bug Bounty Bootcamp #46: Not Allowed From Your IP?", details advanced techniques for bypassing authentication barriers in bug bounty hunting. The methods discussed include IP spoofing, brute-force attacks, and mass assignment, all aimed at gaining unauthorized access. The focus is on exploiting authentication vulnerabilities to overcome access restrictions. No specific bug bounty payout amount is mentioned in the provided text. → infosecwriteups.com |
| 2026-06-18 2026 | The many ways to obtain credentials in AWS beginner 5 min read Secrets | Library detailing numerous methods for attackers to obtain AWS credentials, beyond the typical IMDSv2 requests to 169.254.169.254. It covers AWS SDK credential providers, IAM user access keys, environment variables in Lambda, EC2 user-data, credential files, IMDSv1 and IMDSv2, container services like ECS and EKS (including EKS Pod Identities, IRSA), Default Host Management Configuration (DHMC), Systems Manager hybrid activation, AWS IoT's iot:AssumeRoleWithCertificate, IAM Roles Anywhere, Cognito's GetCredentialsForIdentity, and DataSync's certificate-based authentication. → wiz.io |
| 2026-06-18 2026 | Avoiding mistakes with AWS OIDC integration conditions intermediate 6 min read | Library documenting mistakes in AWS OIDC integration conditions, highlighting issues with GitHub Actions, Terraform Cloud, Microsoft Defender, and GitLab. It emphasizes the importance of specific IAM trust policy conditions like "sub" and "sts:RoleSessionName" to prevent unauthorized access, detailing variations across over twenty vendors and built-in AWS identity providers, and advises ensuring both "aud" and "sub" conditions when available. → wiz.io |
| 2026-06-17 2026 | 27 Years in the Dark: OpenBSD Fixes Ancient Remote Kernel Auth Bypass news 3 min read | Library for OpenBSD's sppp(4) subsystem that addresses a 27-year-old remote kernel authentication bypass vulnerability (CVE-2026-55706) in the Password Authentication Protocol (PAP). The bug allowed unauthenticated access by exploiting how length fields were handled in `bcmp` calls, leading to both authentication bypass and kernel heap over-reads. The fix introduces an exact-length pre-check for credentials, mirroring the CHAP handler, ensuring proper validation. |
| 2026-06-17 2026 | Bug Bounty Bootcamp #45: Token? intermediate API Sec | This Bug Bounty Bootcamp #45 focuses on a vulnerability where a password reset mechanism leaks a "magic token" in the API response. The content also mentions an even more problematic endpoint that provides this token directly. The article's title suggests this is a critical finding relevant to bug bounty hunting. → infosecwriteups.com |
| 2026-06-15 2026 | When a Government Pulls an AI Model: What the Fable 5 and Mythos 5 Suspension Means for Security Teams news 10 min read AI | Analysis of the suspension of Anthropic's Fable 5 and Mythos 5 models highlights security lessons regarding AI dependencies and dual-use capabilities. The shutdown, triggered by a reported AI jailbreak involving code analysis and remediation, mirrors familiar challenges in application security where tools like SAST engines and fuzzers are inherently dual-use. The event underscores the importance of defense-in-depth, risk-based prioritization, and coordinated disclosure, practices the security field has developed to manage powerful technologies that could be misused. → snyk.io |
| 2026-06-14 2026 | From Compromised Keys to Phishing Campaigns: Inside a Cloud Email Service Takeover intermediate 7 min read Secrets | Library detailing a cloud email service takeover campaign that leveraged compromised AWS access keys. Attackers bypassed Amazon SES sandbox restrictions by using a novel, multi-regional `PutAccountDetails` request to gain production mode access, subsequently verifying attacker-owned and weakly protected legitimate domains to launch phishing operations targeting tax forms. The campaign utilized a commercial traffic analysis service for redirection to evade detection and facilitate credential theft, highlighting the risks of SES abuse including reputational damage and potential for broader compromise. → wiz.io |
| 2026-06-13 2026 | Major AI Clients Shipping With Broken OAuth Implementations (JUNE 2026 UPDATE) news 4 min read API Sec | Reference detailing OAuth refresh token implementation issues in major AI clients like Cursor, Claude, and VS Code, as per the MCP authorization specification and SEP-2207. It highlights failures in metadata discovery for Claude Code and incomplete support across clients, noting the workaround solution provided by the `mcp-remote` tool. |
| 2026-06-13 2026 | I Simulated an SSH Brute-Force Attack on My Ubuntu Server — Here’s How Fail2Ban Stopped It intermediate | The author details setting up an attack lab to simulate SSH brute-force attempts against their Ubuntu server. The primary focus is on observing how Fail2Ban functions to detect and automatically block repeated failed login sequences. The article aims to provide a practical understanding of Fail2Ban's effectiveness in protecting against such attacks. No bug bounty payout amount is mentioned. → infosecwriteups.com |
| 2026-06-13 2026 | Beyond the Patch: Understanding the SonicWall SSL-VPN MFA Bypass Exposure news | A SonicWall SSL-VPN vulnerability, CVE-2024–12802, allows attackers to bypass Multi-Factor Authentication (MFA). The flaw lies in how SSL-VPN handles UPN and SAM account formats separately. Attackers can exploit alternative login formats to circumvent MFA, even when it seems active. This issue affects SonicWall Gen6 SSL-VPN devices and has been linked to ransomware attacks. The content does not state a specific bug bounty payout amount. → infosecwriteups.com |
| 2026-06-12 2026 | Marking Your Own Homework (Check Point Remote Access VPN IKEv1 Authentication Bypass CVE-2026-50751) - watchTowr Labs news 11 min read RCE | Writeup of CVE-2026-50751, a Check Point Remote Access VPN authentication bypass, details a logic flaw in IKEv1 certificate validation. The vulnerability, present in various Gaia versions, allowed attackers to bypass signature verification by manipulating a `process_machine_certs` parameter and a `peer_flags` bit, preventing the gateway from properly authenticating clients. Exploited in the wild by threat actors including Qilin ransomware affiliates, the issue was patched by Check Point in subsequent hotfixes. → labs.watchtowr.com |
| 2026-06-12 2026 | 3 OAuth TTPs Seen This Month — and How to Detect Them with Entra ID Logs intermediate 10 min read JWT | Library for detecting OAuth TTPs in Azure environments. It details device code phishing, where attackers exploit the device code flow to trick victims into authenticating with MFA, granting the attacker a token. It also covers Resource Owner Password Credentials (ROPC) abuse, leveraging legacy flows without MFA or browser consent for credential stuffing and persistence, often targeting applications like Azure AD PowerShell. Finally, it explains how attackers can use specific token-resource combinations, such as Microsoft Authentication Broker and Intune Enrollment, to register a device and bypass Conditional Access policies. KQL queries are provided for log analysis. → wiz.io |
| 2026-06-11 2026 | Authentication issues related to API requests beginner API Sec | This content highlights authentication problems that can occur with API requests. These issues can compromise the security and integrity of data transmitted through APIs. Without proper authentication, unauthorized users could potentially access sensitive information or perform actions they are not permitted to do. The focus is on identifying and addressing these vulnerabilities to ensure secure API communication. No specific bounty payout amount is mentioned. |
| 2026-06-11 2026 | Would You Click ‘Accept’? Automatically detecting malicious Azure OAuth applications using LLMs intermediate 11 min read AI | Library for detecting malicious Azure OAuth applications by analyzing campaigns, identifying homoglyph attacks, and flagging deviations from legitimate integrations like publisher verification status, homepage URLs, and owning tenant domains. This tool helps identify stealthy threats that blend with legitimate business integrations, preventing unauthorized access and privilege escalation. → wiz.io |
| 2026-06-11 2026 | 10 year old critical vulnerability in phpBB affecting tens of millions of users across thousands of forums news 2 min read RCE | Tool for discovering critical Authentication Bypass vulnerabilities in phpBB. Aikido Attack identified a flaw affecting versions up to 3.3.16 and 4.0.0-a2, allowing unauthenticated users to gain valid sessions and impersonate any user, including administrators. This vulnerability, reported via HackerOne, led to a swift patch in phpBB version 3.3.17. → aikido.dev |
| 2026-06-11 2026 | You Can't Secure What You Can't See: Making Non-Human Identities Governable beginner 4 min read Secrets | Library for governing non-human identities (NHIs), it provides a centralized, searchable view of NHIs across infrastructure, surfacing origin, path, environment, risk level, and ownership status. This enables continuous governance by allowing teams to review changes, spot drift early, and prioritize remediation. It identifies risky patterns such as public leaks, cross-environment secrets, reused credentials, long-lived secrets, and overprivileged identities, offering context through an exploration map to understand dependencies before taking action like revoking or rotating credentials. → blog.gitguardian.com |
| 2026-06-10 2026 | Volkswagen blocks Home Assistant by requiring client assertion news 1 min read | Library issue detailing how Volkswagen blocked Home Assistant integration by requiring client assertion. The issue stems from Volkswagen's identity provider at `identity.vwgroup.io/oidc/v1/authorize`, which now rejects requests with `response_type=code token id_token`, preventing the library from obtaining necessary access tokens. This blocks login functionality for users. |
| 2026-06-10 2026 | ServiceNow's Virtual Agent Vulnerability Shows Why AI Security Needs Traditional AppSec Foundations beginner 6 min read AI AuthZ | Library for identifying and mitigating vulnerabilities in AI agents, such as the ServiceNow Virtual Agent exploit. This resource highlights that securing AI requires foundational application security practices, including threat modeling for agent behavior, Dynamic Application Security Testing (DAST) to detect hardcoded secrets and authorization flaws, and AI red teaming to uncover the impact of autonomous agent actions. It emphasizes a layered security approach, auditing agent permissions, enforcing strong API authentication, and implementing continuous testing. → snyk.io |
| 2026-06-10 2026 | SQL Injection in Password Reset: Full Database, One Email intermediate SQLi | A SQL injection vulnerability in a password reset feature granted a researcher full read access to the entire database. By manipulating a "ukey" parameter in the password reset link, the attacker could retrieve all user records, including plaintext password hashes. The vulnerability was reported in early 2025 and remained unpatched. The content does not specify a bug bounty payout amount. → infosecwriteups.com |
| 2026-06-09 2026 | Context.ai OAuth Token Compromise news 4 min read Supply Chain | Analysis of the Context.ai OAuth token compromise details a supply chain attack vector where compromised tokens for a third-party AI tool allowed attackers access to Vercel's Google Workspace. This incident highlights the risks associated with broad OAuth permissions and trusted SaaS integrations, similar to prior attacks like the Salesloft Drift incident and the Midnight Blizzard campaign. The analysis provides guidance on revoking access, rotating credentials, and investigating account activity across Google Workspace, Azure AD, and Okta. → wiz.io |
| 2026-06-08 2026 | Critical Buffer Overflow Vulnerability in PAN-OS Exploited in-the-Wild news 1 min read RCE | Analysis of CVE-2026-0300, a critical buffer overflow vulnerability in Palo Alto Networks PAN-OS, enabling unauthenticated attackers to achieve remote code execution with root privileges. The issue resides in the User-ID Authentication Portal (ports 6081/6082) and is actively exploited in limited cases, particularly when exposed externally. Exploitation risk is elevated for publicly accessible instances, with security teams advised to patch immediately, restrict access, or disable the portal if not required. → wiz.io |
| 2026-06-08 2026 | Qinglong task scheduler RCE vulnerabilities exploited in the wild for cryptomining news 5 min read RCE | Library detailing two authentication bypass vulnerabilities in Qinglong task scheduler (versions 2.20.1 and earlier), including CVE-2026-3965 and CVE-2026-4047. These flaws enabled unauthenticated remote code execution, exploited for cryptomining campaigns. The analysis highlights common middleware misconfigurations and emphasizes treating self-hosted applications as attack surfaces, recommending audits, monitoring, and timely updates. → snyk.io |
| 2026-06-08 2026 | Initial Access Changed, The Attack Path Did Not: Findings From The Verizon 2026 DBIR news 9 min read Secrets Supply Chain | Analysis of the Verizon 2026 DBIR highlights that while exploited vulnerabilities are the primary initial access vector, credential abuse remains central to breach progression. Attackers leverage leaked passwords, API keys, OAuth tokens, and other secrets found in code repositories, communication platforms, and CI/CD pipelines to expand their access. Third-party trust, exemplified by the Salesloft Drift and Salesforce breach, also presents significant risk through compromised integrations and delegated authorization. Ransomware frequently monetizes this valid access, with stolen credentials appearing in a significant percentage of breaches across various attack patterns. Incident response must prioritize credential exposure analysis, understanding what secrets unlock, their location, validity, ownership, and dependencies. → blog.gitguardian.com |
| 2026-06-08 2026 | Detecting CVE-2026-0265 at Scale: PAN-OS CAS Authentication Bypass news 8 min read JWT | Tool for detecting CVE-2026-0265, a pre-authentication JWT signature bypass in PAN-OS and Panorama. The vulnerability, exploitable when Cloud Authentication Service (CAS) is attached to an authentication profile, affects both GlobalProtect portals and the management interface. This detection script utilizes a single anonymous HTTP request to the `/global-protect/prelogin.esp` endpoint to definitively determine a system's vulnerable or non-vulnerable status, by examining the presence of `<cas-auth>yes</cas-auth>` and extracting the authoritative PAN-OS version from an embedded JWT. → bishopfox.com |
| 2026-04-29 2026 | 7 MCP Authentication Vulnerabilities B2B SaaS Vendors Must Prevent beginner 12 min read | Analysis of 281 MCP implementations by Pynt reveals significant authentication vulnerabilities in AI agent integrations. B2B SaaS vendors must address token leakage via tool results, confused deputy via token passthrough, prompt injection leading to auth bypass, and over-scoped OAuth grants. Prompt injection, exemplified by a Supabase Cursor incident, allows attackers to exploit untrusted external content as executable instructions. Mitigations include sanitizing tool results, independent authentication to downstream services, strict input validation, and enforcing least-privilege OAuth scopes, aligning with MCP spec updates like RFC 8707. → securityboulevard.com |
| 2026-04-22 2026 | OAuth2 Proxy Authentication Bypass via X-Forwarded-Uri (CVE-2026-40575) news 2 min read | Writeup of CVE-2026-40575 detailing a critical authentication bypass in OAuth2 Proxy. This vulnerability arises from trusting client-supplied `X-Forwarded-Uri` headers in reverse proxy configurations using `–skip_auth_routes` or `–skip-auth-regex`, allowing attackers to bypass authentication by spoofing this header. Mitigation involves upgrading to version 7.15.2 or later, configuring `–trusted-proxy-ip`, and stripping or overwriting the `X-Forwarded-Uri` header at the reverse proxy level. → dailycve.com |
| 2026-04-22 2026 | Keycloak SAML Disabled Client SSO Bypass (CVE-2026-3047) news 2 min read | Writeup of CVE-2026-3047, a CVSS 8.8 flaw in Keycloak's SAML broker (`org.keycloak.broker.saml`), enabling SSO bypass. Attackers can exploit this by initiating login through a SAML client that is simultaneously disabled and configured as an IdP-initiated broker landing target. Despite its disabled status, the broker incorrectly completes the authentication flow, granting unauthorized SSO access to enabled clients within the Keycloak realm. Exploitation requires no prior authentication, allowing remote attackers to bypass security restrictions. → thehackerwire.com |
| 2026-04-22 2026 | CVE-2026-2092: Keycloak Auth Bypass Vulnerability news 4 min read | Writeup of CVE-2026-2092, a Keycloak authentication bypass vulnerability, details how attackers can inject encrypted assertions into unsigned SAML responses. This flaw, affecting Keycloak and related Red Hat products, allows unauthorized access by substituting an attacker's valid signed assertion with one for an arbitrary principal, bypassing proper validation and potentially compromising identity federation. Mitigation involves applying patches and configuring SAML identity providers to always sign SAML responses in addition to assertions. → sentinelone.com |
| 2026-04-22 2026 | CVE-2026-1529: Bypassing Keycloak Org Security news 4 min read | Writeup of CVE-2026-1529, a critical bypass in Keycloak's Organizations feature, details how attackers can forge JWT invitation tokens by omitting signature verification. This vulnerability, with a CVSS score of 8.1, allows unauthorized access to restricted organizations by simply modifying the organization ID within a valid invite token. The report covers the exploit technique, the impact on multi-tenancy, and remediation steps including immediate updates to Keycloak versions 26.x or disabling the Organizations feature. |
| 2026-04-22 2026 | OAUTHBEARER Bypass and Sensitive Logging Leaks Hit Apache Kafka news 2 min read | Vulnerability writeup detailing CVE-2026-33557, an OAUTHBEARER bypass in Apache Kafka where the DefaultJwtValidator accepts any JWT by failing to verify signatures, issuers, or audiences, allowing attackers to impersonate users. It also covers CVE-2026-33558, a moderate risk of sensitive data leaks through verbose DEBUG logging in the NetworkClient component. Affected versions include Kafka clients 0.11.0 through 3.9.1, and 4.0.0. |
| 2026-04-22 2026 | CVE-2025-26788: Passkey Authentication Bypass in StrongKey FIDO Server news 3 min read | Writeup of CVE-2025-26788, a passkey authentication bypass in StrongKey FIDO Server versions 4.10.0 through 4.15.0. This vulnerability allows account takeover by exploiting a flaw where the server fails to distinguish between discoverable and non-discoverable credential flows, enabling an attacker to use their own passkey with a victim's username. The writeup includes a proof-of-concept demonstrating the attack and recommends updating to StrongKey FIDO Server version 4.15.1. |
| 2026-04-22 2026 | Analyzing the rise in device code phishing attacks in 2026 news 12 min read | Analysis of device code phishing attacks highlights a significant rise in this account takeover technique since 2026, exploiting the OAuth 2.0 Device Authorization Grant. Attackers leverage this flow, commonly used by CLI tools, to trick users into issuing access tokens to malicious applications, bypassing passwords, MFA, and passkeys. Prominent targets include Microsoft, Google, Salesforce, GitHub, and AWS. The "EvilTokens" PhaaS kit has been identified as a major driver of these campaigns, offering sophisticated anti-bot measures and user-friendly interfaces. Research has traced the evolution of these kits, noting advancements in hosting, code generation, and payload delivery methods. |
| 2026-04-22 2026 | SAML rough quarter: Five critical vulnerabilities in four months news 9 min read | Library of resources detailing critical SAML vulnerabilities, including CVE-2026-3055 in Citrix NetScaler, "The Fragile Lock" research by PortSwigger (CVE-2025-66568, CVE-2025-66567) revealing parser-level bypasses, CVE-2026-25922 in authentik for assertion injection, CVE-2026-34840 in OneUptime for auth bypass due to signature verification decoupling, and CVE-2026-20101 in Cisco Secure Firewall leading to DoS. These highlight systemic issues in SAML XML processing and signature validation. |
| 2026-04-22 2026 | CVE-2024-9956: Critical WebAuthentication Vulnerability in Chrome on Android news 3 min read | Writeup of CVE-2024-9956 details a critical flaw in Google Chrome on Android, allowing local attackers within Bluetooth range to steal PassKeys via crafted HTML pages. This vulnerability, impacting WebAuthn's FIDO:/ URI scheme handling, could lead to account takeovers across various browsers like Safari on iOS and Firefox on Android. The exploit involves tricking users into visiting malicious sites that silently trigger Bluetooth-based authentication requests, enabling attackers to intercept credentials and gain unauthorized access. Mitigation includes updating Chrome, disabling WebAuthn via Bluetooth, and exercising caution with links. |
| 2026-04-22 2026 | CVE-2026-34457 Detail (OAuth2 Proxy) - NVD news 1 min read | Writeup detailing CVE-2026-34457, an authentication bypass vulnerability in OAuth2 Proxy affecting versions prior to 7.15.2. This flaw occurs in specific configurations using auth_request-style integrations with either `--ping-user-agent` or `--gcp-healthchecks` enabled, allowing unauthenticated attackers to access protected resources by mimicking the health check User-Agent. The vulnerability is categorized under CWE-290: Authentication Bypass by Spoofing. |
| 2026-04-19 2026 | Bypassing MFA with OAuth Abuse: Pentesting SSO Flows intermediate 4 min read | Library for exploiting OAuth misconfigurations, focusing on bypassing Multi-Factor Authentication (MFA) in Single Sign-On (SSO) flows. It details techniques for token reuse, session fixation, open redirect vulnerabilities, and improper scope enforcement, guiding users through tools such as OAuth2 Proxy, mitmproxy, Evilginx, and OauthTester to identify and exploit these weaknesses. |
| 2026-04-19 2026 | SSO Protocol Security: Critical Vulnerabilities in SAML, OAuth, OIDC, JWT (2025) advanced 24 min read | Library cataloging SAML, OAuth, OIDC, and JWT vulnerabilities, including XML Signature Wrapping attacks affecting Ruby SAML (CVE-2024-45409) and GitHub Enterprise Server (CVE-2024-6800), XML canonicalization bugs in various libraries (CVE-2017-11427 to CVE-2017-11430, CVE-2018-0489), assertion replay issues (CVE-2018-14637), and vendor-specific flaws like Oracle Access Manager (CVE-2021-35587). The analysis highlights recurring authentication bypasses and token forgery risks, emphasizing the impact and exploitability of these critical SSO protocol weaknesses. |
| 2026-04-19 2026 | The Art of Breaking OAuth: Real-World Exploits and Misuses intermediate | The Art of Breaking OAuth: Real-World Exploits and Misuses → infosecwriteups.com |
| 2026-04-19 2026 | OAuth2-Proxy Authentication Bypass (CVE-2025-54576) news 3 min read | Writeup detailing CVE-2025-54576, an authentication bypass vulnerability in OAuth2-Proxy versions 7.10.0 and below. The flaw lies in the `skip_auth_routes` configuration, where regex patterns intended for paths were incorrectly applied to the entire request URI, including query parameters. This allowed attackers to craft URLs with malicious query strings to bypass authentication. The fix, implemented in version 7.11.0, restricts pattern matching to only the request path. → zeropath.com |
| 2026-04-19 2026 | OAuth SSO WordPress Plugin JWT Bypass (CVE-2025-9485) news 2 min read | Writeup of CVE-2025-9485, a JWT bypass vulnerability in miniOrange's OAuth Single Sign On – SSO (OAuth Client) WordPress plugin. Versions up to and including 6.26.12 improperly verify JWT signatures, allowing attackers to forge tokens and gain administrator access by manipulating the `sub` claim. This flaw, classified as CWE-347, affects thousands of sites using the plugin for integration with providers like Azure AD and Google Workspace. → zeropath.com |
| 2026-04-17 2026 | WebAuthn: Complete Guide to Passwordless, FIDO2, Passkeys (TerraZone) beginner 13 min read | Library detailing WebAuthn, a W3C and FIDO Alliance standard, offers a robust approach to passwordless authentication using public-key cryptography. It explains the core concepts of registration and authentication ceremonies, including the JavaScript API calls involved, and highlights the security benefits derived from public-key cryptography, origin binding, and challenge-response mechanisms, rendering it inherently phishing-resistant. The guide also provides practical advice on integrating WebAuthn passkeys into dApps, contrasting it with traditional wallet-based authentication. |
| 2026-04-17 2026 | What is WebAuthn Standard? Guide to WebAuthn Protocol & API beginner 4 min read | Library detailing the Web Authentication (WebAuthn) standard, a passwordless login API developed by the FIDO Alliance and W3C. WebAuthn uses public-key cryptography, supported by protocols like CTAP, to facilitate secure communication between browsers and authenticators, eliminating reliance on passwords. It integrates with major browsers and companies like Google, Microsoft, and Apple, and is foundational for passkeys, while distinct from authorization protocols like OAuth. |
| 2026-04-17 2026 | Navigating the New Wave of MFA Bypass Attacks in 2025 intermediate 3 min read | Technique analysis detailing prevalent MFA bypass methods in 2025, including prompt bombing, social engineering, and session hijacking. It highlights mitigation strategies such as number matching, restricted requests, IT support verification protocols, secure cookie attributes, and EDR deployment. The entry also recommends phishing-resistant authentication solutions like virtual passkeys, FIDO2 hardware keys (YubiKey, Google Titan), biometrics, risk-based adaptive MFA, and certificate-based authentication. |
| 2026-04-17 2026 | Broken authentication: 7 Advanced ways of bypassing 2-FA (Intigriti) intermediate 7 min read | Library detailing seven advanced methods for bypassing two-factor authentication (2FA) implementations. It covers techniques such as forced browsing, bruteforcing with tools like BurpSuite, exploiting weak or re-usable 2FA tokens, and leveraging vulnerabilities like CSRF, IDOR, and flawed password reset functionalities, including second-order bypasses via path traversal. → intigriti.com |
| 2026-04-17 2026 | Vulnerabilities in multi-factor authentication (PortSwigger) intermediate 4 min read | Reference on multi-factor authentication vulnerabilities, detailing bypass techniques against two-factor authentication (2FA) and multi-factor authentication (MFA). It covers flaws such as skipping the second authentication step, insecure verification logic allowing cookie manipulation, and the risks associated with SMS-based verification codes and SIM swapping. The reference also discusses brute-forcing verification codes and highlights extensions like Burp's Turbo Intruder for exploitation. → portswigger.net |
| 2026-04-17 2026 | Two-Factor Authentication (2FA): Bypass Scenarios (DeepStrike) intermediate 9 min read | Writeup detailing nine real-world scenarios for bypassing two-factor authentication (2FA), including force-browsing to skip checks, code leakage via responses or JavaScript, brute-forcing OTPs with weak rate limits, insecure recovery flows, backup code abuse, CSRF to disable 2FA, weak remember-me tokens, forgotten subdomains, and OAuth/account-linking pitfalls. Each scenario covers the vulnerability, testing methodology, and remediation strategies. |
| 2026-04-17 2026 | Hacking SAML - Vickie Li intermediate | Hacking SAML - Vickie Li |
| 2026-04-17 2026 | SSO Bypass: How Attackers Circumvent Single Sign-On (Obsidian) intermediate 8 min read | Library detailing techniques attackers use to circumvent Single Sign-On (SSO) authentication. This includes vulnerabilities like Golden SAML, which allows forging cryptographically indistinguishable SAML tokens, and SAML signature bypasses that exploit improper validation in service providers, as seen in CVE-2025-47949 and CVE-2024-45409. The analysis also covers XML signature wrapping attacks, token replay, fallback local authentication mechanisms, and direct identity provider compromises, such as the MGM breach via social engineering. |
| 2026-04-17 2026 | CVE-2020-2021 PAN-OS: Authentication Bypass in SAML news 5 min read | Writeup on CVE-2020-2021, detailing an authentication bypass vulnerability in PAN-OS SAML authentication. When the 'Validate Identity Provider Certificate' option is disabled, an unauthenticated network attacker can gain access to protected resources like GlobalProtect, web interfaces, and Prisma Access. The critical severity vulnerability, with a CVSS score of 10.0, affects various PAN-OS versions prior to specific fixes and can be mitigated by ensuring the identity provider certificate is configured and validated. |
| 2026-04-17 2026 | HackerOne Report #812064: SAML authentication bypass (Rocket.Chat) news | HackerOne Report #812064: SAML authentication bypass (Rocket.Chat) → hackerone.com |
| 2026-04-17 2026 | SAML Security (OWASP Cheat Sheet) beginner 18 min read | Cheatsheet detailing Security Assertion Markup Language (SAML) security, focusing on the Web Browser SSO Profile with Redirect/POST bindings. It addresses message confidentiality and integrity via TLS 1.2, digital signatures, and XML encryption to counter eavesdropping, theft, and modification. The guide emphasizes validating protocol usage, referencing the Google SSO vulnerability, and securing signatures against XML Signature Wrapping attacks. It also covers binding implementations, security countermeasures like IP filtering and short lifetimes, and considerations for unsolicited responses and IdP-initiated SSO, identifying attacks such as Man-in-the-middle, Stolen Assertion, and Replay. → cheatsheetseries.owasp.org |
| 2026-04-17 2026 | Fun with SAML SSO vulnerabilities and footguns (WorkOS) intermediate 13 min read | Guide to SAML SSO vulnerabilities and footguns, detailing common security pitfalls in XML-based authentication. It covers risks like GitLab, IBM Data Risk Manager, Mattermost, and PAN-OS SAML vulnerabilities, and recommends countermeasures including limiting SAML payload size, disabling remote DTD loading, and validating SAML response schemas to prevent attacks like XML Signature Wrapping. |
| 2026-04-17 2026 | OAuth 2.0 Common Security Flaws and Prevention (APIsec) beginner 4 min read | Library detailing OAuth 2.0 security flaws and prevention, including redirect URI manipulation, CSRF attacks via missing state parameters, authorization code interception, PKCE downgrade attacks, insecure token storage, credential leakage through URLs, and misuse of OAuth for authentication. It advocates for adopting OAuth 2.1 standards, implementing sender-constrained tokens like DPoP, using well-reviewed libraries, and continuous security testing to mitigate vulnerabilities like those seen in the July 2025 Allianz Life Salesforce breach. |
| 2026-04-17 2026 | Top 10 OAuth 2.0 Hacking Techniques Part 2 intermediate | Top 10 OAuth 2.0 Hacking Techniques Part 2 |
| 2026-04-17 2026 | Vulnerable-OAuth-2.0-Applications (GitHub) beginner 6 min read API Sec | Library demonstrating common security pitfalls in OAuth 2.0 implementations for Classic Web Applications, Single Page Applications, and Mobile Applications. It details the authorization code grant, implicit grant, resource owner password credentials grant, and client credentials grant, highlighting security mistakes developers and architects make. The library includes working examples using the MEAN stack, and provides checklists for architects, developers, and testers to identify and exploit these vulnerabilities. |
| 2026-04-17 2026 | OAuth Vulnerabilities Part II (Bug Bounty 2k25) intermediate | OAuth Vulnerabilities Part II (Bug Bounty 2k25) |
| 2026-04-17 2026 | Bug-Bounty-Methodology: 2FA testing intermediate 2 min read | Library detailing bug bounty methodologies for testing Two-Factor Authentication (2FA). It covers techniques such as response manipulation, OTP brute-forcing, testing token expiration, bypassing 2FA by directly accessing dashboards, and searching for 2FA codes in JS files. Additional methods include CSRF/clickjacking to disable 2FA, bypassing 2FA via OAuth, discovering vulnerabilities in disabling 2FA without it, resetting passwords without 2FA, and exploiting backup code facilities. The guide also explores permanent DoS on unregistered users and OTP bypasses within JSON payloads, including request manipulation for null responses or parameter changes. |
| 2026-04-17 2026 | Bug Bounty: Authentication Testing - Brute Force to Bypass intermediate | Bug Bounty: Authentication Testing - Brute Force to Bypass |
| 2026-04-17 2026 | HackerOne Report #209008: Authentication Bypass - Automattic news | HackerOne Report #209008: Authentication Bypass - Automattic → hackerone.com |
| 2026-04-17 2026 | Web Security Bug Bounty: Bypassing Authentication via Logical Flaw intermediate | Web Security Bug Bounty: Bypassing Authentication via Logical Flaw |
| 2026-04-16 2026 | Attacks via OAuth Authorization Code Injection intermediate AuthZ | Attacks via OAuth Authorization Code Injection |
| 2026-04-16 2026 | This OAuth Bug Earned Me $$$$: Account Takeover via Identity Injection intermediate | This OAuth Bug Earned Me $$$$: Account Takeover via Identity Injection |
| 2026-04-16 2026 | Session Management Vulnerabilities: What Developers Get Wrong beginner 7 min read | Reference detailing common session management vulnerabilities developers introduce, such as session fixation via URL-based tokens and session hijacking through network interception, XSS, or log exposure. It stresses the importance of cryptographically secure pseudorandom number generators for token entropy, unconditional token regeneration upon login, and browser-level cookie security attributes like `Secure`, `HttpOnly`, and `SameSite`. The reference also emphasizes the necessity of both idle and absolute session timeouts, adjusting durations based on risk levels, and recommends against extending primary session tokens for "remember me" functionality. → onsecurity.io |
| 2026-04-16 2026 | Bypassing the Protections: MFA Bypass Techniques intermediate 7 min read | Library detailing Multi-Factor Authentication bypass techniques, including HTTP response body manipulation, status code manipulation, forceful browsing, CSRF and clickjacking to disable MFA, cached OTPs in dynamic JavaScript, missing integrity checks on OTPs, lack of brute-force protection on OTP validation, OTP code reusability, and code leakage in responses. → cobalt.io |
| 2026-04-16 2026 | Session Hijacking in 2025: Techniques, Attack Examples and Defenses intermediate 13 min read | Library for understanding session hijacking, detailing techniques like session sniffing, cross-site scripting (XSS), session fixation, man-in-the-middle attacks, cookie theft via malware, and session ID prediction. It covers the impact of unauthorized session control, distinguishing between session fixation and hijacking, and explores defenses to secure user sessions against these prevalent web application threats. |
| 2026-04-16 2026 | The $12,000 2FA Bypass - So Simple, Yet So Critical intermediate | The $12,000 2FA Bypass - So Simple, Yet So Critical |
| 2026-04-16 2026 | Race Condition Authentication Bypass: Full Account Takeover intermediate | Race Condition Authentication Bypass: Full Account Takeover |
| 2026-04-16 2026 | Token-Based Attacks: How Attackers Bypass MFA intermediate 9 min read | Library for detecting and preventing token theft attacks, which bypass MFA by stealing authentication tokens like OAuth tokens and session cookies. The library details methods such as AiTM (Adversary-in-the-Middle) phishing, OAuth 2.0 Device Authorization Grant exploitation, ConsentFix, malware-based extraction from browsers, and supply chain breaches. It highlights how stolen tokens grant persistent access to SaaS applications and cloud resources, often with broader permissions than intended, and remain undetected by traditional security controls as they represent valid authentication. |
| 2026-04-11 2026 | WebAuthn Guide beginner 12 min read | Guide to Web Authentication API (WebAuthn), a W3C and FIDO specification, detailing its use of public key cryptography for passwordless authentication. It explains how WebAuthn integrates with authenticators like Windows Hello and Touch ID, creating scoped and attested public-private keypairs to enhance security against phishing and data breaches. The guide covers key concepts like challenges, relying parties, user identification, and public key parameters, alongside code examples for credential creation using `navigator.credentials.create()`. |
| 2026-04-11 2026 | OWASP Credential Stuffing Prevention Cheat Sheet beginner 11 min read | Library from OWASP offering a comprehensive cheatsheet for defending against credential stuffing and password spraying attacks. It emphasizes Multi-Factor Authentication (MFA) as the primary defense, detailing tiered implementations and risk-based MFA triggers. For scenarios where MFA isn't feasible, it outlines alternative layered defenses including secondary passwords, CAPTCHAs, and advanced IP mitigation strategies that consider IP classification and geographic origin. The cheatsheet also touches upon device fingerprinting and the importance of defense-in-depth with robust metric collection. → cheatsheetseries.owasp.org |
| 2026-04-11 2026 | OAuth/OIDC Real-Life Attack Scenarios intermediate 7 min read | Writeup detailing real-life attack scenarios against OAuth and OpenID Connect configurations, focusing on JWT vulnerabilities. It covers account takeover by cracking JWT secret keys with tools like John The Ripper or Hashcat and exploiting the 'none' algorithm vulnerability by manipulating unsigned tokens. The writeup also mentions exploit chaining, where finding an exposed `.env` file containing a JWT secret facilitated an attack. |
| 2026-04-11 2026 | OAuth 2.0 Redirect URI Validation Falls Short (ACM) advanced | OAuth 2.0 Redirect URI Validation Falls Short (ACM) → dl.acm.org |
| 2026-04-11 2026 | PortSwigger: Hidden OAuth attack vectors intermediate 12 min read | Research identifies three new OAuth2 and OpenID Connect vulnerabilities: "Dynamic Client Registration: SSRF by design," "redirect_uri Session Poisoning," and "WebFinger User Enumeration." The research details how parameters like `jwks_uri` and `request_uris` in dynamic client registration, and `logo_uri` in MITREid Connect, can be exploited for SSRF. It also touches upon the potential for XSS through the `logo_uri` parameter. → portswigger.net |
| 2026-04-11 2026 | Cloudflare FIDO2 + Zero Trust intermediate 7 min read | Library detailing Cloudflare's migration from a "castle and moat" VPN architecture to a Zero Trust model, replacing TOTP with FIDO2/WebAuthn hardware security keys like YubiKeys. The library explains how FIDO2's phishing-resistant, challenge-response mechanism, which cryptographically binds authentication to specific domains, underpins this transition. It highlights the use of Cloudflare Access for selective enforcement and role-based access control, ultimately leading to the complete phasing out of TOTP and SMS-based MFA in favor of a unified, phishing-proof authentication standard. |
| 2026-04-11 2026 | IOActive: Authentication Downgrade / MFA Bypass intermediate 12 min read | Tool utilizing Cloudflare Workers to perform authentication downgrade attacks against FIDO2/WebAuthn, weaponizing serverless infrastructure as a transparent proxy to manipulate authentication flows. This technique forces victims to fall back to phishable methods like push notifications or OTPs by injecting malicious payloads that alter JSON configuration objects and potentially hide FIDO2 options, a method also observed in attacks by 0ktapus and Scattered Spider. |
| 2026-04-11 2026 | Proofpoint: FIDO Authentication Downgrade intermediate 6 min read | Technique for performing FIDO authentication downgrade attacks, leveraging user agent spoofing with Evilginx to force Microsoft Entra ID users to less secure authentication methods and enable adversary-in-the-middle (AiTM) credential and session cookie theft. |
| 2026-04-11 2026 | How Attackers Bypass Synced Passkeys intermediate 6 min read | Library detailing how attackers bypass synced passkeys through cloud account compromise, phishing proxies, and malicious browser extensions like those exploiting the `webAuthenticationProxy` API or DOM-based clickjacking. It highlights risks with iCloud and Google Cloud syncing, authentication downgrade attacks against Microsoft Entra ID, and the need for device-bound passkeys, recommending enterprise policies to enforce phishing-resistant, device-bound authenticators and block fallback methods. → thehackernews.com |
| 2026-04-11 2026 | CVE-2026-29000: pac4j-jwt Authentication Bypass news 2 min read | Library advisory for CVE-2026-29000 details an authentication bypass in the pac4j-jwt library. Vulnerable versions, specifically prior to 6.3.3, allow attackers to forge JWTs and gain administrative access by encrypting an unsecured JWT with the server’s RSA public key. The vulnerability arises when the `JwtAuthenticator` accepts encrypted JWE tokens and does not enforce signature verification on inner `PlainJWT` types, enabling unauthorized privilege escalation by crafting tokens with arbitrary claims. |
| 2026-04-11 2026 | Convoy KVM JWT Auth Bypass (CVE-2026-33746) news 2 min read | Writeup of CVE-2026-33746 in Convoy KVM, a critical JWT authentication bypass with a CVSS score of 9.8. The vulnerability, affecting versions prior to v4.5.1 utilizing JWT-based SSO, stems from the JWTService::decode() method failing to validate token signatures. Attackers can forge JWT payloads and log in as any user, including administrators, gaining total control over virtual machines and infrastructure. Remediation requires upgrading to Convoy v4.5.1 or later. |
| 2026-04-11 2026 | Okta Auth0 nextjs-auth0 OAuth Parameter Injection news 4 min read | Library providing OAuth parameter injection protection; discovered in Okta’s auth0/nextjs-auth0 by Joshua Rogers, this vulnerability allows attackers to manipulate authentication flows by injecting malicious parameters, potentially leading to unauthorized access and token leaks. The flaw, attributed to AI-generated code lacking sufficient sanitization, impacts Next.js applications using the library, mirroring similar CVE-2025-29927. |
| 2026-04-11 2026 | CVE-2025-47275: Auth0-PHP SDK Critical news | Library for detecting authentication bypass vulnerabilities within the Auth0-PHP SDK, specifically addressing CVE-2025-47275. This critical flaw allows attackers to circumvent authentication mechanisms. → wiz.io |
| 2026-04-11 2026 | Next.js CVE-2025-29927 Authorization Bypass news 2 min read | Writeup on CVE-2025-29927, an authorization bypass vulnerability in Next.js applications where authorization checks are exclusively performed in middleware. The article details potential impact for users of the nextjs-auth0 SDK and recommends auditing code for exclusive middleware reliance, similar to patterns found in NextAuth.js. Remediation involves upgrading Next.js or blocking `x-middleware-subrequest` headers. Applications hosted on Vercel or Netlify, static exports, or those with additional server-side checks are unaffected. |
| 2026-04-11 2026 | Remitly: 0-Click Account Takeover (HackerOne) intermediate | Remitly: 0-Click Account Takeover (HackerOne) → hackerone.com |
| 2026-04-11 2026 | Post SMTP Plugin Account Takeover (400K+) intermediate 3 min read | Writeup on CVE-2025-24000, a Subscriber+ account takeover in Post SMTP plugin versions 3.2.0 and below. The vulnerability arises from broken access control in REST API endpoints, allowing any logged-in user, even Subscribers, to view sensitive email logs and credentials. This enables attackers to intercept password resets and achieve full site takeover. The issue is resolved in version 3.3.0 with an added privilege check for the `get_logs_permission` function. |
| 2026-04-11 2026 | CVE-2025-34291: Langflow ATO + RCE news 7 min read RCE | Library detailing CVE-2025-34291, a critical account takeover and RCE vulnerability in Langflow. This flaw, exploitable via a malicious webpage, chains together permissive CORS settings and a misconfigured `refresh_token_lf` cookie with `SameSite=None` to achieve a full session hijack. Attackers can then leverage a valid access token to trigger the previously disclosed unauthenticated RCE vulnerability in the `/api/v1/validate/code` endpoint, leading to compromise of sensitive tokens and API keys. |
| 2026-04-11 2026 | 0-Click Zendesk Account Takeover Vulnerability intermediate 2 min read | Vulnerability writeup detailing a zero-click account takeover in Zendesk's Android SDK. The flaw stems from predictable JWT tokens generated by combining hardcoded secrets with sequential account IDs, allowing attackers to mass-generate valid authentication tokens. Exploitation grants access to all support tickets and sensitive customer data without user interaction or rate limiting. The ZendeskHelper.g() method is identified as the vulnerable component, with recommendations including high-entropy secrets, rate limits, and mobile auth audits. → cybersecuritynews.com |
| 2026-04-11 2026 | Grafana CVE-2025-6023: Full Account Takeover news 9 min read | Writeup detailing CVE-2025-6023 and CVE-2025-6197, critical vulnerabilities in Grafana. Discovered by a fellow in the OPSWAT Critical Infrastructure Cybersecurity Graduate Fellowship Program, these flaws chain an open redirect with client-side path traversal, leading to Cross-Site Scripting (XSS) and full account takeover. The writeup highlights an incomplete patch for a previous vulnerability, CVE-2025-4123, which left an alternative open redirect endpoint exploitable. |
| 2026-04-11 2026 | Fortinet FortiGate SAML SSO Bypass Active Attack intermediate 2 min read | Analysis of Fortinet FortiGate SAML SSO bypass, actively exploited via CVE-2025-59718 and CVE-2025-59719, which allow unauthenticated bypass of SSO logins using crafted SAML messages when FortiCloud SSO is enabled. Threat actors are using hosting providers like The Constant Company llc and Bl Networks to perform malicious logins and export device configurations. CISA has added CVE-2025-59718 to its Known Exploited Vulnerabilities catalog. → thehackernews.com |
| 2026-04-11 2026 | CVE-2025-59718: FortiCloud SSO Authentication Bypass news 2 min read | Writeup of CVE-2025-59718, a critical authentication bypass in FortiCloud SSO. This Improper Verification of Cryptographic Signature (CWE-347) vulnerability allows unauthenticated remote attackers to achieve administrative access by submitting a crafted SAML packet to the `/remote/saml/login` endpoint. The flaw impacts multiple Fortinet products including FortiOS and FortiProxy. → picussecurity.com |
| 2026-04-11 2026 | CVE-2025-47949: samlify SAML SSO bypass news 4 min read | Library that implements SAML 2.0 Single Sign-On, samlify, versions prior to 2.10.0 are vulnerable to CVE-2025-47949, a critical Signature Wrapping attack. This allows attackers to forge SAML Responses by introducing a malicious assertion into a legitimately signed XML document, leading to authentication bypass and user impersonation. Exploitation is easy, requiring only a valid signed XML from the Identity Provider. Upgrading to samlify version 2.10.0 or later is the recommended fix. |
| 2026-04-11 2026 | Sign in as anyone: Bypassing SAML SSO authentication with parser differentials intermediate 12 min read | Library for bypassing SAML SSO authentication by exploiting parser differentials in ruby-saml (versions up to 1.17.0), leading to CVE-2025-25291 and CVE-2025-25292. Attackers can craft SAML assertions using a valid signature to achieve account takeover. Researchers discovered that ruby-saml uses both REXML and Nokogiri XML parsers, and exploiting differences in how they process XML allowed for signature verification bypass, as demonstrated against GitLab. → github.blog |
| 2026-04-11 2026 | GitHub Enterprise SAML Authentication Bypass (CVE-2024-4985 / CVE-2024-9487) news 9 min read | Library analyzing GitHub Enterprise's SAML implementation, detailing CVE-2024-4985 and CVE-2024-9487 which allow bypassing authentication with encrypted assertions through improper signature verification. The research locally recreates the SAML handling, identifies issues in the `build` method's signature extraction logic, and examines how the `valid?` function processes signatures to bypass validation by exploiting the order of operations during decryption and signature checking. → projectdiscovery.io |
| 2026-04-10 2026 | Semrush OAuth redirect_uri bypass via IDN homograph — HackerOne #861940 intermediate | Semrush OAuth redirect_uri bypass via IDN homograph — HackerOne #861940 → hackerone.com |
| 2026-04-10 2026 | Slack OAuth2 redirect_uri bypass — HackerOne #2575 intermediate | Slack OAuth2 redirect_uri bypass — HackerOne #2575 → hackerone.com |
| 2026-04-10 2026 | Cisco Talos: State-of-the-art phishing — MFA bypass intermediate 9 min read | Library for detecting and defending against state-of-the-art phishing attacks that bypass multi-factor authentication (MFA) using adversary-in-the-middle (AiTM) techniques. It covers how Phishing-as-a-Service (PhaaS) kits like Tycoon 2FA and Evilproxy facilitate these attacks by intercepting credentials and authentication cookies via reverse proxies. The library also highlights WebAuthn as a strong defense against MFA bypass. → blog.talosintelligence.com |
| 2026-04-10 2026 | Bugcrowd: How attackers bypass multi-factor authentication (Part 1) intermediate | Bugcrowd: How attackers bypass multi-factor authentication (Part 1) → bugcrowd.com |
| 2026-04-10 2026 | webauthn.me: WebAuthn and Passkeys guide beginner 2 min read | Guide to WebAuthn and passkeys detailing their relationship, technical implementation, and use cases. Passkeys, a phishing-resistant passwordless authentication method, leverage the WebAuthn specification to enable secure user logins. The guide breaks down device-bound and synced passkeys, explaining their respective security implications and user experience benefits, and highlights how WebAuthn, alongside CTAP2, facilitates cross-device authentication. |
| 2026-04-10 2026 | FIDO Alliance: Passkeys overview beginner 12 min read | Library detailing Passkeys, a FIDO authentication credential leveraging public key cryptography to replace passwords with phishing-resistant cryptographic key pairs. Passkeys enable faster, simpler, and more secure sign-ins across devices, reducing credential stuffing, phishing attacks, and login abandonment. Resources include guides, use cases, design guidelines, and user communication materials for implementation. |
| 2026-04-10 2026 | Hackmanit: XML Signature Validation Bypass in SimpleSAMLphp and xmlseclibs intermediate 1 min read | Writeup details an XML signature validation bypass vulnerability impacting SimpleSAMLphp and xmlseclibs. This security flaw allows attackers to forge XML signatures, potentially leading to authentication bypass and unauthorized access to sensitive information within affected systems. |
| 2026-04-10 2026 | epi052: How to Hunt Bugs in SAML — A Methodology (Part II) intermediate | epi052: How to Hunt Bugs in SAML — A Methodology (Part II) |
| 2026-04-10 2026 | IBM: What is XML Signature Wrapping? beginner 9 min read | Library detailing XML Signature Wrapping (XSW) attacks, a vulnerability class impacting applications using XML-based security protocols like SAML, SOAP, and WS-Security. These attacks exploit XML's structural flexibility to trick systems into processing unauthenticated data while maintaining signature validity. The library covers attack methods such as element wrapping, ID attribute manipulation, namespace abuse, and XPath injection, highlighting their potential consequences like unauthorized access and privilege escalation through scenarios involving SAML SSO and SOAP web services. |
| 2026-04-10 2026 | USENIX: On Breaking SAML — Be Whoever You Want to Be advanced | USENIX: On Breaking SAML — Be Whoever You Want to Be |
| 2026-04-10 2026 | Astrix Security: How attackers exploit OAuth — a deep dive (Part 2) intermediate 8 min read | Library detailing how attackers exploit OAuth, focusing on non-human identities. It explains the OAuth flow, consent fatigue, and the over-granting of scopes and privileges. The library highlights how these vulnerabilities, coupled with inadequate protection of API keys, OAuth tokens, and service accounts, create a significant attack surface, allowing threat actors to bypass traditional security measures like MFA and gain unauthorized access to sensitive data. |
| 2026-04-10 2026 | The Hacker Recipes: OAuth 2.0 beginner 2 min read | Reference on OAuth 2.0 security, detailing common misconfigurations like insufficient redirect URI validation and credential leakage via referer headers or browser history. It explains attack vectors such as Authorization Code Injection and CSRF when the `state` parameter is absent, and highlights countermeasures including PKCE and `nonce` usage. |
| 2026-04-10 2026 | Security Innovation: Pentester's Guide to Evaluating OAuth 2.0 intermediate 14 min read | Guide detailing how to evaluate custom OAuth 2.0 implementations from a security perspective. It breaks down the Authorization Code Grant flow, explaining the roles of Access Tokens, Authorization Codes, Client IDs, Client Secrets, Redirect URIs, and State parameters. The guide then enumerates specific test cases, focusing on insufficient Redirect URI validation which can lead to the theft of authorization codes and states, allowing for potential account takeover or unauthorized resource access. |
| 2026-04-10 2026 | 0xn3va: OAuth 2.0 Vulnerabilities cheat sheet intermediate | 0xn3va: OAuth 2.0 Vulnerabilities cheat sheet → 0xn3va.gitbook.io |
| 2026-04-10 2026 | Cobalt: OAuth Vulnerabilities Part 2 intermediate 8 min read | Writeup detailing common OAuth vulnerabilities, including CSRF attacks mitigated by state parameters, authorization code theft via malicious websites and insecure redirect URIs, and authentication bypass in implicit flows by manipulating POST requests. It also covers SSRF via OpenID dynamic client registration, highlighting insecure use of client data and bypass techniques for redirect URIs. → cobalt.io |
| 2026-04-10 2026 | Vaadata: Understanding OAuth 2.0 and its common vulnerabilities beginner 10 min read | Library detailing OAuth 2.0, its function as an authorization protocol for resource access and delegated authentication, and common implementation vulnerabilities. It explains the roles of users, client applications, and authorization servers, and introduces OpenID Connect as an extension for standardized authentication using signed JSON Web Tokens (JWS) and claims. The resource highlights that while OAuth 2.0 and OIDC offer significant advantages, improper implementation can lead to security risks, emphasizing that vulnerabilities stem from how the protocols are applied rather than the protocols themselves. → vaadata.com |
| 2026-04-10 2026 | Doyensec: Common OAuth Vulnerabilities beginner 13 min read API Sec | Checklist for identifying common OAuth vulnerabilities, detailing attacks against the Implicit Flow, Authorization Code Flow, Authorization Code Flow with PKCE, Client Credentials Flow, Device Authorization Flow, and Resource Owner Password Credentials Flow. This resource helps testers and developers assess implementation security by explaining protocol complexities and known attack vectors. → blog.doyensec.com |
| 2026-04-10 2026 | OWASP WSTG: Testing for Session Fixation intermediate 4 min read | Reference detailing OWASP WSTG procedures for testing session fixation vulnerabilities. This guide outlines how to identify and exploit scenarios where session cookies are preserved across authentication, allowing attackers to impersonate users by forcing session IDs. It covers techniques for network attackers, the impact of session cookie integrity, and remediation strategies such as refreshing session tokens upon login. The document recommends using full HSTS adoption or __Host-/ __Secure- prefixes to prevent such attacks. → owasp.org |
| 2026-04-10 2026 | OWASP: Session Fixation Protection beginner 3 min read | Reference outlining a technique for protecting against session fixation attacks in classic ASP. The method involves using a secondary cookie, named "ASPFIXATION," to store a random value that is synchronized with a session variable. When the values do not match, indicating a potential attack, the user is redirected to the login page. The implementation uses a `RandomString` function for generating random values and `AntiFixationInit` and `AntiFixationVerify` subroutines for initializing and verifying the cookie and session values, respectively. → owasp.org |
| 2026-04-10 2026 | OWASP: Session fixation attack beginner 3 min read | Reference on Session Fixation attacks, a vulnerability where an attacker hijacks a valid user session by tricking the user into authenticating with a pre-determined session ID. The article details techniques such as embedding session tokens in URLs, hidden form fields, cookies via client-side scripting (like XSS) or META tags, and manipulating HTTP response headers with `Set-Cookie`. It contrasts this with session hijacking, emphasizing that fixation occurs before user login. → owasp.org |
| 2026-04-10 2026 | OWASP Top 10 A07: Identification and Authentication Failures beginner 2 min read | Reference on OWASP Top 10 A07: Identification and Authentication Failures, this entry details risks including credential stuffing, brute force, weak passwords, and improper session management. Prevention strategies emphasize multi-factor authentication, avoiding default credentials, implementing strong password policies aligned with NIST 800-63b, hardening against account enumeration, and secure session handling. Attack scenarios illustrate vulnerabilities like exposed session identifiers and insufficient logout invalidation. → owasp.org |
| 2026-04-10 2026 | OWASP Session Management Cheat Sheet beginner 33 min read | Reference for OWASP Session Management covering secure generation of session IDs with sufficient entropy (at least 64 bits) and appropriate length to prevent brute-force guessing attacks. It also details avoiding predictable session ID content that could lead to information disclosure and recommends generic session ID names to prevent fingerprinting of web application technologies like PHP, J2EE, and ASP.NET. → cheatsheetseries.owasp.org |
| 2026-04-10 2026 | OWASP Authentication Cheat Sheet beginner 22 min read | Cheatsheet detailing secure authentication practices, covering user ID generation, username policies, password strength enforcement (including length and character set recommendations, blocking breached passwords via services like Pwned Passwords, and utilizing libraries like zxcvbn-ts), secure password storage and comparison, password recovery mechanisms, and the imperative of transmitting credentials exclusively over TLS. It also emphasizes re-authentication for sensitive actions to prevent CSRF and session hijacking. → cheatsheetseries.owasp.org |
| 2026-04-10 2026 | The Fragile Lock: Novel Bypasses for SAML Authentication | PortSwigger Research advanced 13 min read | Tool for bypassing SAML authentication, this library exploits parser-level inconsistencies in the Ruby and PHP SAML ecosystems. Novel techniques, including attribute pollution, namespace confusion, and Void Canonicalization attacks, enable attackers to bypass XML Signature validation while presenting valid SAML documents to applications. The toolkit aids in identifying discrepancies between XML parsers, facilitating the discovery of authentication bypasses with minimal requirements. → portswigger.net |
| 2026-04-10 2026 | PortSwigger: OAuth 2.0 authentication vulnerabilities intermediate 18 min read | Reference detailing OAuth 2.0 authentication vulnerabilities, explaining how this framework, commonly used for social media logins, is prone to implementation mistakes. The content covers how attackers can exploit these flaws to gain access to sensitive user data or bypass authentication, with a focus on the authorization code and implicit grant types. It also touches upon vulnerabilities within the OpenID Connect extension and provides guidance for mitigating these risks. → portswigger.net |
| 2026-04-03 2026 | Authn vs. authz: How are they different? beginner AuthZ | Authentication (authn) refers to identity, while authorization (authz) has to do with permissions. Learn about the difference between authn vs. authz in more detail. |
| 2026-01-31 2026 | Authentication Fundamentals: Part I beginner 5 min read | Library covering fundamental authentication techniques, including password-based systems, HTTP Basic Access Authentication, session-cookie management, token-based approaches, API keys, One-Time Passwords (OTP), Time-Based One-Time Passwords (TOTP), and federated identity with Single Sign-On (SSO). It details the mechanisms, pros, and cons of each, referencing the 23AndMe breach as an example of password reuse vulnerability. |
| 2026-01-27 2026 | Hunting Account Takeovers in the Wild West of MCP OAuth Servers" advanced 6 min read AI | Library for discovering and exploiting misconfigured OAuth implementations in MCP (Model Context Protocol) servers, commonly used to connect AI assistants like ChatGPT and Claude to third-party services. The library identifies vulnerabilities arising from open Dynamic Client Registration (DCR), missing redirect URI validation, and optional PKCE enforcement, which collectively enable one-click account takeover attacks where attackers can register malicious clients, craft deceptive authorization URLs, and intercept tokens without robust authentication. |
| 2026-01-21 2026 | OAuth 2.0 Course for Beginners beginner AuthZ | Course on OAuth 2.0 for beginners, detailing the authorization framework and its four roles: Resource Owner, Client, Auth Server, and Resource Server. It covers the importance of PKCE, project setup, building authorization and resource servers, and the client app using Authorization Code flow with PKCE. Debugging common errors like JWKS and Axios 400 issues, along with best practices and repository setup, are also included. |
| 2025-10-27 2025 | Stealing Microsoft Teams access tokens in 2025 intermediate 3 min read JWT | Writeup detailing how to extract Microsoft Teams access tokens by targeting the `msedgewebview2.exe` process, which writes encrypted cookies containing DPAPI-protected keys to a local state file. The technique leverages Sysinternals ProcMon to locate cookie writes, analyzes the `Cookies` database for encrypted values, and uses the DPAPI key to decrypt them with AES-256-GCM, similar to methods described for Chromium. The extracted tokens can then be used to interact with Microsoft Graph API endpoints or with post-exploitation tools like GraphSpy for actions such as reading or sending messages. |
| 2025-10-22 2025 | Beyond credentials: weaponizing OAuth applications for persistent cloud access | Proofpoint US advanced 7 min read AuthZ | Tool for automating the creation of malicious internal OAuth applications, enabling persistent cloud access even after credential resets or MFA enforcement. Proofpoint researchers developed this tool to demonstrate how threat actors can hijack user accounts by registering second-party applications, configuring custom scopes, and authorizing them to access critical resources, thus bypassing traditional security measures and evading detection. |
| 2025-09-29 2025 | Using Google Login With Flask intermediate | Library for integrating Google OAuth 2 and OpenID Connect into Flask applications, enabling users to log in with their Google identity instead of creating new accounts. This course guides you through building a Flask web application, managing user sessions with Flask-Login, and understanding the underlying OAuth 2 and OIDC protocols. → realpython.com |
| 2025-09-06 2025 | Cookie Chaos: How to bypass __Host and __Secure cookie prefixes intermediate 4 min read | Library for testing __Host and __Secure cookie prefix bypasses. It details how discrepancies between browser and server cookie parsing logic, such as UTF-8 encoding of whitespace characters (U+2000) and legacy parsing behaviors triggered by $Version=1, can allow attackers to inject high-privilege cookies from untrusted origins. Frameworks like Django and ASP.NET, and servers like Apache Tomcat and Jetty, are noted as potentially vulnerable. A Burp Suite Custom Action is provided to detect these conditions. → portswigger.net |
| 2025-09-05 2025 | Better Auth: The Game‑Changer JS Authentication Has Been Waiting For | daily.dev intermediate | Library for framework-agnostic JavaScript authentication, Better Auth, operates within your application and stores user data in your own database. It integrates email/password, social SSO, 2FA, passkeys, and multi-session support via a plugin system. This approach bypasses per-user costs and vendor lock-in, granting complete control over authentication, and is compatible with Next.js, Remix, Nuxt, and SvelteKit. |
| 2025-09-05 2025 | Authentication Explained: When to Use Basic, Bearer, OAuth2, JWT & SSO | daily.dev beginner AuthZ JWT | Reference explaining authentication and authorization models, detailing RBAC, ABAC, and ACL as primary authorization methods. It highlights OAuth2 for delegated access, and JWTs/bearer tokens for carrying identity and permissions. The entry emphasizes selecting the appropriate combination of these mechanisms based on application complexity and security needs, citing real-world examples like GitHub and Stripe. |
| 2025-08-06 2025 | ByteByteGo | OAuth 2.0 Explained With Simple Terms beginner | Library explaining OAuth 2.0, a secure framework enabling applications to interact on behalf of users without sharing credentials. It details entities like the User, Server, and Identity Provider (IDP), and how OAuth tokens facilitate Single Sign-On (SSO) and authorization across systems, allowing controlled access to user profile information. |
| 2025-06-09 2025 | Understanding Mutual TLS (MTLS) Authentication: How It Works beginner | Learn how mutual TLS (mTLS) works by exchanging and verifying digital certificates between client and server for data transmission in a network. |
| 2025-05-07 2025 | Using JWTs in Python Flask REST Framework | AppSignal Blog intermediate 8 min read API Sec Python | Library for building JWT-authenticated REST APIs in Python Flask. It explains JWT components (header, payload, signature) and their security benefits like stateless sessions and integrity verification. The guide demonstrates implementing user registration, login with token issuance, and securing endpoints using `@jwt_required()` and `get_jwt_identity()` via the `Flask-JWT-Extended` library. It also covers CRUD operations for a to-do list API and how to manage token expiration and refreshes for extended user sessions. |
| 2025-05-03 2025 | Fortress Login Pro – Secure, Hide & Rename Login URL intermediate 3 min read | Library for WordPress security that hides and rotates the login URL, preventing brute-force attacks. It offers features like custom login paths, auto-rotating slugs with a dual-slug fail-safe, access logging with IP and user-agent tracking, and an optional `.htaccess` toggle for blocking direct access to installation files. The library is compatible with popular WordPress plugins like WooCommerce and security tools such as Wordfence. |
| 2025-02-23 2025 | GitHub - goauthentik/authentik: The authentication glue you need. beginner | Library for open-source Identity Provider (IdP) functionality, supporting SAML, OAuth2/OIDC, LDAP, and RADIUS. It's designed for self-hosting and can replace enterprise solutions like Okta, Auth0, Entra ID, and Ping Identity. Deployment options include Docker Compose, Kubernetes via Helm chart, AWS CloudFormation, and DigitalOcean Marketplace for scalable identity management. The project also offers developer documentation for local setup and contributions, along with a SECURITY.md file. |
| 2025-02-10 2025 | GitHub - steveiliop56/tinyauth: The simplest way to protect your apps with a login screen. beginner 2 min read | Library for authentication and authorization, Tinyauth offers OAuth, LDAP, and access-control support as middleware or a standalone server. It integrates with proxies like Traefik, Nginx, and Caddy. Documentation, guides, and a demonstration `docker-compose` file are available, showcasing its capabilities with Traefik and Whoami. A demo login uses "user" / "password". |
| 2024-12-22 2024 | The long and winding road to safe browser-based cryptography advanced 7 min read | Library for securing browser-based cryptography, addressing the critical problem of untrusted JavaScript delivery by compromised servers. It reviews existing attempts like Subresource Integrity and the Web Crypto API, highlighting their limitations. Case studies of attacks on MyEtherWallet and the implications of court orders for encrypted email providers Tuta and Proton illustrate the risks. The library focuses on integrity validation for web applications within the browser, aiming to provide users with assurance that the code they execute is legitimate, drawing inspiration from efforts like Meta's Code Verify and the WAIT prototype. |
| 2024-12-10 2024 | Sign in with Azure CLI using a service principal intermediate 1 min read | Reference for authenticating with Azure CLI using service principals, detailing the requirements for signing in via client secrets or X509 certificates. It includes command examples for both `az login` with a client secret and certificate-based authentication, and provides methods for securely handling credentials in Bash and PowerShell scripts, emphasizing the use of `read -s` and `Get-Credential`. |
| 2024-11-26 2024 | The OAuth Oversight: When Configuration Errors Turn into Account Hijacks intermediate API Sec | Hey folks I hope you are doing well. I am back with another writeup on OAuth misconfiguration leads to account takeover. The PoC is… |
| 2024-10-22 2024 | An Illustrated Guide to OAuth and OpenID Connect beginner 6 min read | Reference explaining OAuth 2.0 authorization and OpenID Connect (OIDC) authentication. It details the authorization code flow, client IDs and secrets, scopes, consent forms, and the use of Access Tokens and ID Tokens (JWTs) for identity information, facilitating single sign-on scenarios across applications. |
| 2024-10-15 2024 | Using Flask-Login for User Management with Flask – Real Python beginner 4 min read | Learning Path that guides Python developers through building complete Flask applications, covering foundational skills in HTML, CSS, and Jinja templating. It progresses to creating scalable Flask web applications with databases, developing REST APIs using Flask, Connexion, and SQLAlchemy, and integrating JavaScript front ends. The path also includes tutorials on adding logging and notification messages, and deploying Flask applications to the web using Heroku. → realpython.com |
| 2024-10-03 2024 | Automate your API hacking with Autorize intermediate 6 min read API Sec AuthZ | Library for automatically detecting broken object level authorization (BOLA) and other access control issues in APIs. Autorize, a Burp Suite extension, simplifies authorization testing by repeatedly sending requests with modified header values representing low-privileged, high-privileged, and unauthenticated users. It then analyzes response differences to identify potential vulnerabilities, offering configurable filters and integration with Burp's Repeater. → danaepp.com |
| 2024-09-30 2024 | Broken Authentication: A Common Vulnerability Exposing User Accounts beginner | Exploiting Weak Authentication Mechanisms to Compromise User Access → cyberw1ng.medium.com |
| 2024-09-22 2024 | GitHub - azukaar/Cosmos-Server: ☁️ The Most Secure and Easy Selfhosted Home Server. Take control of your data and privacy without sacrificing security and stability (Authentication, anti-DDOS, anti-bot) beginner 10 min read | Library for self-hosting home servers that secures applications with features like SmartShield technology for dynamic rate limiting, adaptive actions, user bans, and global request control. It offers an app store, storage management, reverse proxy with automatic HTTPS, multi-factor authentication via OpenID, and built-in anti-bot and anti-DDOS protections. SDKs for JavaScript/TypeScript and Go, along with a Terraform provider, are available for programmatic access and automation. |
| 2024-09-14 2024 | Unlocking OAuth Security intermediate API Sec | In this blog, we will uncover the different oauth security implications on both the client applications and the oauth server. → infosecwriteups.com |
| 2024-09-06 2024 | Discover Flask, Part 2 – Creating a Login Page – Real Python beginner 4 min read | Learning Path: This resource guides Python developers through building Flask web applications, covering foundational HTML, CSS, and Jinja templating. It progresses to creating scalable applications, adding logging, integrating databases with SQLAlchemy, and developing REST APIs using Flask and Connexion, with a specific mention of testing via Swagger UI. The path also includes frontend integration with JavaScript and deployment using Heroku. → realpython.com |
| 2024-09-05 2024 | JWT vs PASETO: New Era of Token-Based Authentication intermediate API Sec JWT | This article delves into a comprehensive comparison of Paseto and JWT, dissecting their core functionalities, security features, and… |
| 2024-08-28 2024 | GitHub - mkalioby/django-mfa2: A Django app that handles MFA, it supports TOTP, U2F, FIDO2 U2F (Webauthn), Email Token and Trusted Devices beginner 5 min read Python | Library for implementing multi-factor authentication (MFA) in Django applications. It supports TOTP, U2F, FIDO2 (WebAuthn), Email Tokens, and Trusted Devices, leveraging technologies like WebAuthn and Windows Hello for secure authentication. The library is configurable via `settings.py` and requires integration into Django's URL patterns and templates. |
| 2024-08-16 2024 | Securing OAuth 2.0 Token Exchange Flow with Keycloak intermediate API Sec JWT | RFC 8693: Token Exchange describes a mechanism for exchanging an existing token (JWT) for a new token with different issuing client id… |
| 2024-07-30 2024 | OAuth+XSS Attack Threatens Millions of Web Users With Account Takeover intermediate API Sec XSS | An attack flow that combines API flaws within "log in with" implementations and Web injection bugs could affect millions of websites. → darkreading.com |
| 2024-07-26 2024 | Release v0.3.0 · joaovitoriasilva/endurain news 1 min read Python | Library release v0.3.0 of Endurain introduces significant updates including OAuth scopes, multi-client support, PWA integration, theme and language switchers, and dependency bumps to Python 3.12. This release also involves crucial changes to password hashing mechanisms and database schema, requiring user intervention and backups during the update process. |
| 2023-12-16 2023 | Google OAuth is broken (sort of) intermediate 10 min read | Writeup on a Google OAuth vulnerability allowing former employees indefinite access to applications like Slack and Zoom post-offboarding. This exploit leverages the ability to create non-Gmail Google accounts using corporate email aliases and plus sign forwarding, bypassing organizational de-provisioning. Google's documentation advises against using email as an identifier, yet this flaw highlights the risks of relying on the email claim for authentication. Potential mitigations include organizations enforcing SAML, service providers utilizing the HD claim or disabling just-in-time provisioning, and Google banning specific account creation methods. → trufflesecurity.com |
| 2023-12-13 2023 | Advancing iMessage security: iMessage Contact Key Verification intermediate 9 min read | Library for iMessage Contact Key Verification, a feature that strengthens end-to-end encryption by automatically detecting sophisticated attacks against iMessage servers and allowing users to verify communication with intended recipients. This system leverages Key Transparency (KT) and a verifiable log-backed map data structure, similar to WhatsApp's Auditable Key Directory (AKD), to ensure cryptographic proofs of inclusion and consistency. User devices autonomously verify data presented by the Identity Directory Service (IDS) against the KT map, notifying users of errors if both parties have the feature enabled. |
| 2023-12-01 2023 | GitHub OAuth in your Python Flask app intermediate 3 min read | Guide on integrating GitHub OAuth into Flask applications using Supabase-py. This resource details setting up a Flask session storage for JWTs, initiating the Supabase client with PKCE flow, and creating sign-in and callback routes to manage user authentication via GitHub. |
| 2023-11-26 2023 | Unveiling the Mechanics of Session Hijacking: A Step-by-Step Guide to Capture and Exploit Cookies beginner | Unveiling the Mechanics of Session Hijacking: A Step-by-Step Guide to Capture and Exploit Cookies https://ift.tt/of3VUnE |
| 2023-11-17 2023 | doyensec/Session-Hijacking-Visual-Exploitation intermediate 3 min read | Tool for performing session hijacking by injecting malicious JavaScript. It offers interactive and visual exploitation modes, allowing users to access websites within a victim's browser context or observe their activity. The tool supports advanced exploitation via office document templates (.docm, .pptm, .xslm) to inject macros and an HTML template for exploiting CORS misconfigurations. Recommended Node.js version is 19.0.0. |
| 2023-11-17 2023 | Using Google Login With Flask (Overview) beginner | Tutorial on integrating Google Login with Flask, enabling users to authenticate using their Google identity. This approach simplifies user management, enhancing security compared to traditional username and password systems. The tutorial guides learners through creating a Flask application, setting up Google client credentials, and leveraging Flask-Login for session management, while also clarifying OAuth 2 and OpenID Connect (OIDC) concepts. → realpython.com |
| 2023-11-17 2023 | PHP and OAuth: User Authentication and Authorization beginner 9 min read | Library implementing OAuth 2.0 in PHP, detailing secure authorization flows, state management, CSRF protection, and token handling. It leverages The PHP League's OAuth 2.0 Client library, including specific providers like `league/oauth2-google`, to integrate with services such as Google's "Sign in with Google." The guide covers architecting authentication, exchanging authorization codes for access tokens, retrieving user data, and managing token refresh, with practical examples and project structure suggestions. |
| 2023-11-17 2023 | Login with Google Account using PHP beginner 6 min read | Library for integrating Google Account login into PHP web applications. It leverages the Google API PHP Client library to manage OAuth 2.0 authentication, enabling users to sign in with their Google credentials without requiring registration. The library facilitates user data storage in a MySQL database, including fields for first name, last name, email, and Google's unique identifier. Configuration involves setting up API credentials and redirect URIs within a `config.php` file, and a `User.class.php` handles database operations for user checking, insertion, and updates. |
| 2023-11-14 2023 | PHP Google OAuth Login beginner 4 min read | Tutorial on implementing Google OAuth 2.0 login in PHP applications. This guide details the process of setting up Google API credentials, integrating the PHP Google API client library, and writing code to handle authentication requests, retrieve user data, and manage user sessions. It covers creating a Google API project, obtaining client IDs and secrets, and utilizing the `Google_Client` and `Google_Service_Oauth2` classes for seamless user sign-in. |
| 2023-11-14 2023 | The PHPer's Guide to OAuth beginner 16 min read | Library for implementing OAuth in PHP applications, detailing the protocol's purpose, actors, scopes, and grant types, with a focus on the Authorization Code grant. It showcases a sample project using `league/oauth2-client` and `league/oauth2-server` to build client, authorization, and resource servers, enabling secure delegated access to APIs like Twitter, PayPal, and GitHub. |
| 2023-11-03 2023 | Burp Suite Shorts | Automatic Session Handling intermediate Burp | Burp Suite Shorts | Automatic Session Handling https://www.youtube.com/watch?v=yoENNJjC4NY&t=1s |
| 2023-11-03 2023 | Burp Suite Shorts | Automatic Session Handling intermediate Burp | Burp Suite Shorts | Automatic Session Handling https://www.youtube.com/watch?v=yoENNJjC4NY |
| 2023-10-24 2023 | Spoofing Microsoft 365 Like Its 1995 advanced 6 min read | Technique for spoofing Microsoft 365 emails by leveraging Microsoft Direct Send and Exchange Online Protection (EOP) settings. This method allows sending emails from internal or external addresses to other internal recipients within an organization by utilizing the mail.protection.outlook.com smart host and port 25, effectively bypassing many third-party mail gateways and landing emails directly in the inbox. The technique can be executed via PowerShell commands and easily rotated IP addresses, such as through Azure Cloud Shell. |
| 2023-10-17 2023 | enumerating 24 million users intermediate 14 min read Recon | Library for enumerating Microsoft OneDrive users, achieving the enumeration of 24 million users. This method leverages simple HTTP requests to identify valid users without requiring authentication or leaving visible logs, making it effective for large-scale data gathering. The project highlights Microsoft's stance that user enumeration is not a security vulnerability, and it details the infrastructure setup using VPS servers, a database, and web interfaces, along with tools like AAD-Internals and TREVORspray for tenant and domain information discovery. |
| 2023-10-09 2023 | What is OAuth (The Modern Guide) beginner 69 min read API Sec | Guide to OAuth 2.0, this resource details real-world integrations and implementations beyond the core specifications. It covers eight common OAuth modes including local, third-party, and enterprise login/registration, as well as service authorization and machine-to-machine authentication. The guide differentiates OAuth from SAML, clarifying its role as an authorization system with authentication layered on top via OpenID Connect. It provides practical guidance for developers on selecting the appropriate OAuth mode for their specific application needs. |
| 2023-09-20 2023 | Episode 99: OAuth 2 and Authentication Choices for Your Python Project beginner 2 min read Python | Talk about authentication systems and OAuth 2 for Python projects, covering setup, device grants, social login, and privacy concerns. It mentions FusionAuth, oauthlib, Django OAuth Toolkit, Flask-Login, and relevant RFCs like 6749 and 6750, as well as OpenID Connect. → realpython.com |
| 2023-09-20 2023 | How to Authenticate using Keys BasicAuth OAuth2 inPython intermediate 1 min read Python | Library for authenticating Python applications using Keys, BasicAuth, and OAuth2. This resource details implementing these authentication methods, focusing on practical application for developers seeking secure and robust authorization strategies. |
| 2023-09-06 2023 | Results of Major Technical Investigations for Storm-0558 Key Acquisition news Secrets | Results of Major Technical Investigations for Storm-0558 Key Acquisition https://ift.tt/ikRNGrj |
| 2023-09-03 2023 | GitHub - dirkjanm/adidnsdump: Active Directory Integrated DNS dumping by any authenticated user intermediate AuthZ | Library for Active Directory Integrated DNS dumping, allowing any authenticated user to enumerate and export all DNS records in Domain or Forest DNS zones for internal network reconnaissance. It requires impacket and dnspython for functionality and can be installed via pip or from Git. The tool supports direct network use or operation via an implant using proxychains with the `--dns-tcp` option. |
| 2023-09-01 2023 | Spraying the Microsoft Cloud intermediate AuthZ | Adversaries continue to probe and make entry via the cloud perimeter of organisations. Multi-Factor Authentication (MFA) and additional… |
| 2023-05-21 2023 | JWT (Json Web Token) Audience aud versus Client_Id - What's the difference? beginner 3 min read JWT | Reference explaining the JWT `aud` (Audience) claim, detailing its purpose in identifying intended recipients according to RFC 7519. It highlights that the `aud` claim is optional and application-specific, requiring recipients to validate if their identifier is present in the claim's string or array values. The entry clarifies that `aud` differs from OAuth Client ID and provides an example of using it to distinguish between access and refresh tokens. → stackoverflow.com |
| 2023-05-21 2023 | Authentication authorization and security in SharePoint beginner 4 min read AuthZ | Reference document detailing SharePoint's robust authentication and authorization framework. It covers role-based security management at website, list, folder, and item levels, supporting unique permissions. SharePoint integrates with external systems like Windows authentication (Kerberos, NTLM) and ASP.NET Forms-based authentication, enabling claims-based identity for cross-platform compatibility and single sign-on. The system leverages membership and role providers, with custom authentication relying on a security token service to generate user tokens based on validated credentials and group memberships. |
| 2023-05-09 2023 | Seven Common Ways To Bypass Login Page intermediate AuthZ | Seven Common Ways To Bypass Login Page https://ift.tt/8PI0ers |
| 2023-04-13 2023 | OWASP Proactive Controls 2023/2024 v1 beginner API Sec AuthZ | OWASP Proactive Controls 2023/2024 v1 https://ift.tt/xVAnFY5 → docs.google.com |
| 2023-04-10 2023 | How to Implement OAuth 2.0 Login for Python Flask Web Server Applications intermediate 4 min read API Sec Python | Walkthrough of implementing OAuth 2.0 single sign-on for Python Flask web applications using Google. This guide details enabling Google APIs, creating OAuth Client IDs, securely storing credentials, and configuring Flask with libraries like `Flask-OAuthlib` and `oauthlib`. It covers setting up redirect URIs, environment variables for `GOOGLE_CLIENT_ID` and `GOOGLE_CLIENT_SECRET`, and essential Flask application code for handling the Google login flow and user information retrieval. |
| 2023-04-05 2023 | OAuth 2.0 beginner 4 min read API Sec | Library documentation for OAuth 2.0 within the Google APIs Client Library for Python. It details acquiring client IDs, secrets, and utilizing the `google-auth-oauthlib` library for authorization flows, including `InstalledAppFlow` for local applications. The entry outlines the purpose of `Flow` classes in obtaining credentials, handling browser redirects, exchanging authorization codes for `Credentials` objects, and applying these credentials to API calls. It also mentions `google-auth` for credentials management and service account usage. |
| 2022-05-17 2022 | Favorite tweet by @nillkitty beginner | Favorite tweet: What's all this Kerberos nonsense that happens (or doesn't) when you type your password into Windows? https://t.co/sPI2DIbWU7 — Nill (@nillkitty) May 17, 2022 |
| 2021-12-25 2021 | Social Sign-in beginner | Social Sign-in |
| 2021-12-05 2021 | EthPress Web3 Login beginner 8 min read | Plugin that enables cryptocurrency wallet logins for WordPress, supporting MetaMask and WalletConnect for EVM-compatible blockchains. It creates standard user accounts and can restrict access to WooCommerce products, pages, and posts based on NFT ownership (ERC-721, ERC-1155) via the EthPress NFT Access Add-On. The plugin includes local signature verification and provides hooks for custom logic. |
| 2021-11-23 2021 | Hacking OAuth Applications intermediate 3 min read API Sec | Talk on "Hacking OAuth Applications" details common vulnerabilities within the OAuth 2.0 authorization framework. It highlights attacks exploiting the `state` parameter, redirect URI manipulation (including localhost and parameter pollution), and host header injection to steal access tokens or authorization codes. The talk also covers bypassing email verification for account impersonation and issues arising from improper session management post-logout. |
| 2021-11-03 2021 | Introducing CookieMonster: a tool for breaking stateless authentication intermediate 4 min read JWT | Tool for detecting and breaking stateless authentication in web applications. CookieMonster, written in Go, supports JWTs and session cookies from frameworks like Django, Flask, and Laravel. It can be used via its API in automation pipelines or its CLI for manual testing, and it offers a -resign option to modify cookie contents after unsigning. The tool is designed for high performance, enabling real-time scanning of thousands of requests per second. |
| 2021-10-25 2021 | What can I do with Open Redirect with OAuth? intermediate 2 min read | Technique detailing how open redirects in OAuth services or integrated applications can be exploited. The technique illustrates two scenarios: an open redirect in the OAuth service's `redirect_uri` parameter, allowing an attacker to capture the access token directly, and an open redirect within the company's application that is used in the `redirect_uri`, leading to a chained redirect to an attacker-controlled domain. The writeup provides a specific example involving a `TARGET` parameter for redirection. |
| 2021-10-14 2021 | These are the security issues with JWT beginner 4 min read JWT | Writeup on JWT security issues, detailing limitations like the inability to revoke tokens after issuance, leading to potential persistent access even after server-side permission changes. It highlights risks associated with client-side storage, such as XSS vulnerabilities when using localStorage or unprotected cookies, and discusses OWASP's recommendations for hardened cookies and CSRF countermeasures. The writeup emphasizes that JWTs are best suited for stateless applications and can be problematic for features requiring immediate logouts or dynamic permission adjustments. |
| 2021-10-10 2021 | New CS proposal: Avoiding password and sensitive shared data transmission #685 intermediate 2 min read Secrets | Cheat Sheet proposal detailing how to avoid transmitting passwords and sensitive shared data. This concept leverages HMAC to authenticate users without ever sending passwords to the server, mitigating transmission-based attacks. The objective is to educate developers that passwords need not leave the user's device for server-side validation, except for initial password generation. Related to transmission and server-side processing, this proposal complements existing password storage guidance and draws inspiration from IETF RFC 2104. |
| 2021-09-13 2021 | The Wonderful World of Tokens and Claims: CWT beginner JWT | The Wonderful World of Tokens and Claims: CWT |
| 2021-09-12 2021 | draft-ietf-oauth-rar-07 beginner 22 min read | Internet-Draft detailing OAuth 2.0 Rich Authorization Requests, introducing the `authorization_details` parameter. This parameter allows OAuth clients to specify fine-grained authorization requirements using JSON data structures, moving beyond the static and coarse-grained scope parameter. It supports requests for specific actions, datatypes, locations, identifiers, and privileges, enabling more precise consent for use cases like payment initiation and granular data access, as illustrated with examples for `payment_initiation` and `account_information` types. |
| 2021-09-07 2021 | CISA adds single-factor authentication to its catalog of 'Bad Practices' news 1 min read | Catalog entry detailing CISA's addition of single-factor authentication to its "Bad Practices" list. This entry highlights the inadequacy of single-factor authentication for remote or administrative access, contrasting it with CISA's recommended multi-factor authentication approach. The catalog also includes practices like using unsupported software and default credentials, and is open to community submissions for additional detrimental configurations. → therecord.media |
| 2021-07-19 2021 | Where to Store the JSON Web Token (JWT)? intermediate JWT | Storing JSON Web Tokens (JWTs) securely is crucial for application security. Common storage locations include HTTP-only cookies and browser local storage. HTTP-only cookies offer better protection against Cross-Site Scripting (XSS) attacks, as JavaScript cannot access them. Local storage, while convenient for client-side applications, is more vulnerable to XSS. Other options like session storage (cleared on tab close) and memory storage (lost on refresh) have their own trade-offs. The choice depends on the application's security requirements and the specific threat model. There is no mention of a bug bounty payout amount. |
| 2021-06-21 2021 | OAuth 2.0 Token Binding intermediate API Sec | OAuth 2.0 Token Binding enhances security by binding access tokens to the transport layer security (TLS) connection. This prevents tokens from being reused if intercepted, mitigating risks like token theft and replay attacks. By ensuring a token can only be used with the specific TLS session it was issued for, it strengthens the overall security posture of OAuth 2.0 deployments. This mechanism provides a crucial layer of defense against various attack vectors targeting token authentication. |
| 2021-05-24 2021 | Understanding SAML beginner 10 min read | Reference detailing SAML concepts, focusing on federated identity for web-based authentication. It explains the roles of Service Providers (SP) and Identity Providers (IdP), the SAML request and response mechanisms, and the asynchronous, browser-brokered authentication flow. The entry highlights key configuration elements like certificates and endpoints, and mentions the utility of open-source SAML toolkits for implementation, especially for ISVs supporting multiple IdPs. |
| 2021-05-14 2021 | The Right Way To Hash a Password or Create an Encryption Key: PBKDF2 bcrypt and scrypt beginner | This content discusses secure password hashing and encryption key generation using PBKDF2, bcrypt, and scrypt. These methods are designed to be computationally intensive, making brute-force attacks significantly harder. The article likely explains the strengths and weaknesses of each algorithm, guiding readers on choosing the most appropriate one for their security needs. The primary focus is on preventing unauthorized access by properly hashing sensitive data. No specific payout amounts are mentioned. |
| 2021-05-14 2021 | Creating an Authentication API with GolangUsing Gin & Nrok intermediate API Sec | This content likely details how to build an authentication API using Golang, the Gin web framework, and Nrok for local testing and exposure. It probably covers fundamental aspects of authentication API development, such as user registration, login, and potentially token management. The focus would be on practical implementation steps, demonstrating how to combine these technologies to create a functional and secure authentication system. No bug bounty payout amount is mentioned. |
| 2021-05-10 2021 | Kerberos Authentication and Kerberoasting Explained! intermediate | This content explains Kerberos authentication, a network authentication protocol widely used in Windows environments. It also details "Kerberoasting," a common cyberattack that exploits Kerberos. Attackers target Kerberos service accounts by requesting service tickets for accounts that are not human users but instead are service accounts. By then attempting to crack the password hashes of these service tickets offline, attackers can gain credentials for powerful service accounts, leading to potential system compromise. |
Frequently Asked Questions
- What is the difference between authentication and authorization?
- Authentication (authn) verifies who a user is — typically through passwords, tokens, certificates, or biometrics. Authorization (authz) determines what an authenticated user is allowed to do. The two are often conflated but rely on different mechanisms and fail in different ways. A correctly authenticated user can still be a victim of broken authorization, and vice versa.
- What are the most common authentication vulnerabilities?
- Common authentication flaws include credential stuffing, weak password policies, missing or bypassable multi-factor authentication, predictable session tokens, password reset poisoning, OAuth redirect_uri manipulation, SAML signature wrapping, and JWT algorithm confusion. Many real-world breaches start with authentication weaknesses rather than novel exploitation.
- Are passkeys actually more secure than passwords?
- Yes — passkeys use public-key cryptography bound to a specific origin, which eliminates phishing, credential stuffing, and password reuse attacks. The private key never leaves the user's device. Passkeys are based on the WebAuthn and FIDO2 standards and are now supported by major browsers, operating systems, and identity providers.
Weekly AppSec Digest
Get new resources delivered every Monday.