Authentication-Based Vulnerabilities

Session Hijacking

Session hijacking can be performed in numerous ways if the session ID is not secured correctly:

Predicting Session Tokens: can be used if session IDs are non-predictable tokens.
Session Sniffing: packets collected from unencrypted web sessions.
On-Path Attack

Redirect Attacks

Unvalidated redirects/forwards can be exploited when a server accepts untrusted input from a user. This could cause the server to redirect the request to a URL controlled by the attacker. Its also possible to use these vulnerabilities to craft a special URL that can bypass application access control checks.

Default Credentials

Many organiations and individuals do not change the default password of their infrastructure devices. These can be easily identified and accessed by attackers, some modern manufacturers require users to change the default password during initial setup. Default passwords can be found in product documentation, or on publicly compiled lists like DefaultPassword.

Last updated 29 days ago