appsec.fyi

Authentication — A Practical Guide

A curated AppSec resource library covering XSS, SQLi, SSRF, IDOR, RCE, XXE, OSINT, and more.

Authentication: A Practical Guide

Curated and synthesized by . Last updated 2026-06-29. Synthesized from 200 of 200 curated resources. Browse all 200 Authentication resources →

Problem Framing

Authentication systems form the bedrock of application security, dictating who can access what. Yet, they are frequently the weakest link, targeted by attackers seeking unauthorized access, data exfiltration, and system compromise. The attack surface is broad, encompassing everything from credential handling and session management to the intricate protocols governing identity federation and delegated authorization. Modern applications rely on a complex tapestry of authentication mechanisms, including cookies, JSON Web Tokens (JWTs), Security Assertion Markup Language (SAML), and OAuth 2.0, each introducing its own set of vulnerabilities if not implemented with rigorous attention to detail. The consequences of authentication failures range from individual account takeovers to widespread system breaches, impacting user trust and organizational integrity. Understanding the evolving threat landscape and the underlying mechanics of these systems is paramount for practitioners seeking to build and maintain secure applications.

Core Mechanics

At their core, authentication systems aim to verify the identity of a user or service and grant them appropriate access. This typically involves a credential validation step, followed by the establishment of a trusted session.

Cookies remain a fundamental mechanism for maintaining user sessions in web applications. They store session identifiers, preferences, and authentication tokens. Their security is heavily influenced by flags such as Secure (ensuring transmission only over HTTPS), HttpOnly (preventing JavaScript access), and SameSite (mitigating Cross-Site Request Forgery). Insecure cookie policies, particularly those neglecting SameSite attributes, can expose applications to CSRF attacks [1]. Cross-Site Scripting (XSS) attacks can also lead to cookie theft, especially when cookies are transmitted over insecure HTTP without the Secure flag [1].

JSON Web Tokens (JWTs) have become a popular standard for securely transmitting information between parties as a JSON object. They are often used for authentication and information exchange. A JWT consists of three parts: a header, a payload, and a signature. The signature is crucial for verifying the token's integrity and authenticity. However, vulnerabilities arise from improper signature verification, such as algorithm confusion (e.g., treating a signed token as unsigned or using a weak signing algorithm), ignoring the signature entirely, or issues with JWT expiration time management [2]. Exploiting JWT signature verification flaws can allow attackers to forge tokens or impersonate legitimate users.

Security Assertion Markup Language (SAML) is an XML-based standard for exchanging authentication and authorization data between parties, particularly for Single Sign-On (SSO) between different security domains. SAML relies on assertions, which are XML documents containing claims about a user. Common vulnerabilities include XML Signature Wrapping (XSW) attacks, where an attacker crafts a malicious assertion that is valid according to XML parsing rules but invalid according to SAML processing rules, often bypassing signature validation [3][4]. Other risks include SAML message replay attacks by manipulating NotBefore and NotOnOrAfter attributes, and open redirect vulnerabilities within the RelayState parameter [3].

OAuth 2.0 is an authorization framework that enables applications to obtain limited access to user accounts on an HTTP service, such as Google Account or Facebook. It's commonly used for delegated authorization and identity federation. OAuth flows, such as the Implicit Grant Flow, Device Code Flow, and Resource Owner Password Credentials (ROPC) flow, can be abused. For instance, the Implicit Grant Flow, particularly in older Auth0 configurations, could lead to token leakage [5]. The Device Code flow is susceptible to phishing, where attackers lure users to malicious sites to log in, thereby capturing authorization codes that can be exchanged for access tokens [6]. Open redirect vulnerabilities are also prevalent in OAuth flows, allowing attackers to redirect users to malicious sites and potentially steal tokens. Improper scope enforcement can grant excessive permissions.

Multi-factor Authentication (MFA) adds a layer of security by requiring users to provide two or more verification factors to gain access. However, MFA is not infallible. Attackers employ various techniques to bypass it, including MFA prompt bombing (overwhelming users with login requests), social engineering to obtain One-Time Passwords (OTPs) or approve logins, brute-forcing MFA codes when rate limiting is weak, exploiting reusable MFA tokens, or leveraging flaws in recovery mechanisms like backup codes. Some attacks target the underlying protocols, such as exploiting vulnerabilities in WebAuthn (the standard behind FIDO2 and Passkeys) to steal credentials or forcing authentication downgrades [7][8][9].

Notable Techniques

The application security landscape is constantly evolving, with attackers developing increasingly sophisticated methods to bypass authentication controls.

Token-Based Attacks

JWTs are a prime target for attackers. Beyond basic signature verification flaws, more nuanced attacks emerge. For example, in pac4j-jwt, it's possible to forge tokens using only the server's RSA public key if the library improperly handles key retrieval [10]. Similarly, vulnerabilities in libraries like ruby-saml can be exploited to bypass SAML authentication. By manipulating XML parsing, attackers can achieve authentication bypass and account takeover, as seen in a GitLab vulnerability [11]. A critical vulnerability in Keycloak (CVE-2026-1529) allowed bypassing organization security by omitting JWT signature verification in the invitation flow, enabling self-registration into restricted organizations [12].

OAuth and SAML Exploitation

OAuth 2.0 remains a fertile ground for attacks. Beyond phishing with device codes, other vulnerabilities include improper redirect URI validation, leading to token leaks or open redirects [13]. Dynamic Client Registration (DCR) flaws can allow unauthorized client registration, and the lack of PKCE enforcement in the Authorization Code Grant Flow increases the risk of token theft [14][15]. In SAML, vulnerabilities such as XML Signature Wrapping (XSW) continue to be a threat, allowing attackers to inject malicious assertions and impersonate users [3][4]. Parser inconsistencies in SAML processing have also been exploited to bypass authentication on platforms like GitHub Enterprise Server [16]. Critical vulnerabilities have been found in products like Citrix NetScaler, where a memory overread in SAML IdP configurations has been actively exploited [17].

Session Management and Credential Exposure

Session fixation remains a persistent threat, where an attacker hijacks a valid user session by controlling the session ID before the user logs in [18]. This can be achieved through various means, including manipulating URL parameters, hidden form fields, cookies, or even HTTP headers. Stolen session tokens, often obtained via XSS or Man-in-the-Middle (MitM) attacks, can bypass MFA entirely, allowing attackers to hijack user sessions [19]. Furthermore, credential exposure continues to be a significant issue, particularly in cloud environments. AWS credentials can be exposed through environment variables, the Instance Metadata Service (IMDS), or misconfigurations in services like OIDC integration [20]. In the Microsoft ecosystem, access tokens for services like Microsoft Teams can be extracted from cookie files after decryption using DPAPI [21].

MFA and Passkey Bypass

While designed to enhance security, MFA and newer technologies like Passkeys are not immune to attack. Adversary-in-the-Middle (AiTM) attacks are a significant threat, automating the interception of OTPs and session tokens, effectively bypassing MFA [19]. Phishing-as-a-Service (PhaaS) kits have proliferated, specifically targeting MFA bypasses through sophisticated social engineering and technical means [6][8][9]. Passkeys, while inherently more phishing-resistant than traditional passwords, can still be vulnerable. Synced passkeys inherit risks from compromised cloud accounts and recovery processes [10]. Furthermore, malicious browser extensions can hijack WebAuthn requests, compromising passkey authentication [10]. Authentication downgrade attacks, often leveraging transparent proxies like Cloudflare Workers, can trick users into using less secure authentication methods [8][9].

AI and Supply Chain Risks

The increasing use of AI in development introduces new vectors for authentication vulnerabilities. AI-generated code may contain subtle flaws that traditional security tools might miss. Prompt injection in AI agents can also lead to authorization bypass if not properly constrained. Supply chain attacks, particularly those involving compromised SaaS integrations or the abuse of OAuth tokens from vendor breaches, represent a significant risk. These attacks can grant attackers persistent access to sensitive data and systems through trusted third-party applications [22].

Detection & Prevention

Effective detection and prevention of authentication-related vulnerabilities require a multi-layered approach, combining technical controls with robust processes.

Secure Coding Practices

Developers must adhere to secure coding practices throughout the software development lifecycle. This includes:

Proactive Threat Hunting and Monitoring

Continuous monitoring and threat hunting are critical for detecting and responding to authentication-related incidents.

Identity and Access Management (IAM) Strategies

A robust IAM strategy is fundamental.

Phishing and Social Engineering Defense

Given the prevalence of phishing attacks targeting credentials and MFA bypasses, user education and technical controls are essential.

Tooling

A variety of tools can assist practitioners in detecting, preventing, and remediating authentication vulnerabilities.

Recent Developments

The authentication landscape is dynamic, with new vulnerabilities and attack vectors emerging regularly. Recent developments highlight persistent weaknesses in established protocols and the emergence of new challenges.

Where to Go Deeper

To further your understanding and practice in application authentication security, consider the following resources:

Sources cited in this guide

  1. Exploiting insecure cookie policies — intigriti.com
  2. Top 3 security best practices for handling JWTs — snyk.io
  3. Common SAML vulnerabilities and how to remediate them — snyk.io
  4. IBM: What is XML Signature Wrapping? — ibm.com
  5. Exploiting Auth0 Defaults in XSS Attacks - elttam — elttam.com
  6. Analyzing the rise in device code phishing attacks in 2026 — pushsecurity.com
  7. CVE-2024-9956: Critical WebAuthentication Vulnerability in Chrome on Android — offsec.com
  8. IOActive: Authentication Downgrade / MFA Bypass — ioactive.com
  9. Proofpoint: FIDO Authentication Downgrade — proofpoint.com
  10. How Attackers Bypass Synced Passkeys — thehackernews.com
  11. Sign in as anyone: Bypassing SAML SSO authentication with parser differentials — github.blog
  12. CVE-2026-1529: Bypassing Keycloak Org Security — cvereports.com
  13. The Hacker Recipes: OAuth 2.0 — thehacker.recipes
  14. PortSwigger: OAuth 2.0 authentication vulnerabilities — portswigger.net
  15. Hunting Account Takeovers in the Wild West of MCP OAuth Servers" — blog.sicks3c.io
  16. The Fragile Lock: Novel Bypasses for SAML Authentication | PortSwigger Research — portswigger.net
  17. SAML rough quarter: Five critical vulnerabilities in four months — workos.com
  18. OWASP: Session fixation attack — owasp.org
  19. Bypassing MFA with OAuth Abuse: Pentesting SSO Flows — blog.nashtechglobal.com
  20. The many ways to obtain credentials in AWS — wiz.io
  21. Stealing Microsoft Teams access tokens in 2025 — blog.randorisec.fr
  22. Beyond credentials: weaponizing OAuth applications for persistent cloud access | Proofpoint US — proofpoint.com
  23. OWASP Top 10 A07: Identification and Authentication Failures — owasp.org
  24. OWASP Session Management Cheat Sheet — cheatsheetseries.owasp.org
  25. JWT (Json Web Token) Audience aud versus Client_Id - What's the difference? — stackoverflow.com
  26. OAuth 2.0 Course for Beginners — freecodecamp.org
  27. CISA adds single-factor authentication to its catalog of 'Bad Practices' — therecord.media
  28. PHP and OAuth: User Authentication and Authorization — reintech.io
  29. AWS Console Session Traceability: How Attackers Obfuscate Identity Through the AWS Console — wiz.io
  30. When a Government Pulls an AI Model: What the Fable 5 and Mythos 5 Suspension Means for Security Teams — snyk.io
  31. Hacking OAuth Applications — speakerdeck.com
  32. Bug Bounty Bootcamp #45: Token? — infosecwriteups.com
  33. SSO Bypass: How Attackers Circumvent Single Sign-On (Obsidian) — obsidiansecurity.com
  34. Beyond the Patch: Understanding the SonicWall SSL-VPN MFA Bypass Exposure — infosecwriteups.com
  35. From Compromised Keys to Phishing Campaigns: Inside a Cloud Email Service Takeover — wiz.io
  36. I Simulated an SSH Brute-Force Attack on My Ubuntu Server — Here’s How Fail2Ban Stopped It — infosecwriteups.com
  37. How to Implement OAuth 2.0 Login for Python Flask Web Server Applications — atrium.ai
  38. CVE-2026-34457 Detail (OAuth2 Proxy) - NVD — nvd.nist.gov
  39. OAuth2-Proxy Authentication Bypass (CVE-2025-54576) — zeropath.com
  40. ServiceNow's Virtual Agent Vulnerability Shows Why AI Security Needs Traditional AppSec Foundations — snyk.io
  41. Authentication bypass vulnerabilities in TeamCity: everything you need to know — wiz.io
  42. SSO Protocol Security: Critical Vulnerabilities in SAML, OAuth, OIDC, JWT (2025) — guptadeepak.com
  43. CVE-2025-34291: Langflow ATO + RCE — obsidiansecurity.com
📚 This guide is synthesized from the full text of resources curated in the Authentication library, and refreshed as new material is added.