Authentication
Overview
Vulnerabilities in password-based login
Brute-force attacks
Username enumeration
Flawed brute-force protection
Account locking
User rate limiting
HTTP basic authentication
Vulnerabilities in multi-factor authentication
Two-factor authentication tokens
Bypassing two-factor authentication
Flawed two-factor verification logic
Brute-forcing 2FA verification codes
2FA Ideas
Vulnerabilities in other authentication mechanisms
Keeping users logged in
Online vs. offline password cracking
Resetting user passwords
Resetting passwords using a URL - Continued
Changing user passwords
Main Ideas
How to secure your authentication mechanisms
Bug Bounty
$1600 Bounty on a Main Domain
Breaking the Barrier: Admin Panel Takeover Worth $3500
Bypass Two-Factor Authentication of Facebook Accounts ($25,300)
Instagram account is reactivated without entering 2FA ($500)
Weird functionality leads to Account Takeover (Millions of Users affected)