Authentication Testing

Testing | HIGH | v1.0.0 | updated 2026-04-04

Test authentication mechanisms for broken access control, JWT vulnerabilities, IDOR, insecure password reset flows, and OAuth misconfigurations.

Tools

burpsuite, jwt_tool, ffuf, nuclei, oauthscan

Tags

testing, authentication, authorization, jwt, idor, oauth, broken-access-control

// checklist steps

auth-01

Map authentication surfaces

Identify all authentication-related endpoints before testing begins.

grep -iE '(login|signin|auth|token|oauth|sso|saml|password|reset|register|signup)' all-urls.txt
nuclei -l live-hosts.txt -t exposures/configs/ -t default-logins/ -o nuclei-auth.txt

Include logout, session invalidation, and MFA endpoints in your map.

auth-02

JWT analysis and attacks

Decode and test JWT tokens for algorithm confusion, weak secrets, and claim tampering.

# Decode and inspect
jwt_tool <token> -T
# Test alg:none
jwt_tool <token> -X a
# Test RS256 -> HS256 confusion
jwt_tool <token> -X k -pk public.pem
# Brute-force HMAC secret
jwt_tool <token> -C -d /usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt

Check for long-lived tokens with no expiry claim. Test whether revoked tokens are still accepted.
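The server-side counterpart of these three checks, as an added example that is not part of the original checklist and not jwt_tool's code: a minimal HS256 verifier written against the Python standard library. The secret and the revocation set are constructed demo values. The verifier pins the algorithm instead of reading it from the header (so alg:none and RS256 -> HS256 confusion fail the same way), treats a missing exp as a failure rather than as "never expires", and consults a revocation list keyed on jti. mint_hs256 exists only to build inputs; a real issuer would live elsewhere.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed demo values; a real service loads these from a secret store / revocation table.
DEMO_SECRET = b"demo-secret-do-not-use-in-production"
REVOKED_JTI = {"token-0002"}


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def mint_hs256(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Issue an HS256 token (used here only to build inputs for the verifier)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_jwt(token: str, secret: bytes = DEMO_SECRET, now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (ok, reason). Accepts only HS256 tokens with a valid signature,
    a present and unexpired exp, and a jti that has not been revoked."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # covers base64 padding errors and bad JSON/UTF-8
        return False, "undecodable"
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return False, "undecodable"
    # Never let the token choose the algorithm: compare against the server's pinned value.
    # This single check rejects alg:none and any attempt to re-sign with a different algorithm.
    if header.get("alg") != "HS256":
        return False, "algorithm not allowed"
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"
    # A token without exp is treated as invalid, not as valid forever.
    exp = payload.get("exp")
    if not isinstance(exp, (int, float)):
        return False, "missing exp"
    if now >= exp:
        return False, "expired"
    # Revocation: the signature being valid is not enough once the token has been revoked.
    if payload.get("jti") in REVOKED_JTI:
        return False, "revoked"
    return True, "ok"
```

When reviewing a real implementation, the same three questions apply: where does the accepted algorithm come from, what happens when exp is absent, and what does the server consult besides the signature.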

auth-03

IDOR and broken object-level authorisation

Test whether object identifiers can be substituted to access another user's resources.

# Capture a request with an object ID, then replace it with another user's ID
# Use Burp Repeater or Turbo Intruder for systematic enumeration
ffuf -u 'https://target.com/api/users/FUZZ/profile' -w ids.txt -H 'Authorization: Bearer <token>' -mc 200

Test numeric IDs, UUIDs, email addresses, and username-based identifiers. Horizontal and vertical privilege escalation are both in scope.
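An added example, not from the checklist, of what the fixed handler looks like beside the vulnerable shape, plus a small access-log scan that surfaces the enumeration pattern a run like the ffuf line above leaves behind. The users, profiles and log lines are constructed; the /api/users/<id>/ path shape follows the example URL above.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


class Forbidden(Exception):
    """Caller is authenticated but not allowed to touch this object."""


class NotFound(Exception):
    """No such object."""


@dataclass(frozen=True)
class User:
    id: str
    role: str  # "user" or "admin"; always taken from the server-side session, never from the client


@dataclass(frozen=True)
class Profile:
    owner_id: str
    email: str


# Constructed sample data.
PROFILES = {
    "p-100": Profile("u-100", "alice@example.com"),
    "p-101": Profile("u-101", "bob@example.com"),
    "p-102": Profile("u-102", "carol@example.com"),
}


def get_profile_vulnerable(caller: User, profile_id: str) -> Profile:
    # The classic IDOR shape: the route only requires that *someone* is logged in, then
    # fetches whatever id the client supplied. Any authenticated user reads any profile.
    return PROFILES[profile_id]


def get_profile(caller: User, profile_id: str) -> Profile:
    # Hardened: resolve the object, then decide for *this* object and *this* caller.
    profile = PROFILES.get(profile_id)
    if profile is None:
        raise NotFound(profile_id)
    if caller.role != "admin" and profile.owner_id != caller.id:
        raise Forbidden(profile_id)  # blocks horizontal escalation (user -> another user's data)
    return profile


def list_all_profiles(caller: User) -> list:
    # Vertical escalation is blocked by checking the role server-side on the privileged route itself.
    if caller.role != "admin":
        raise Forbidden("admin only")
    return sorted(PROFILES)


def outcome(fn, *args) -> str:
    """Run a handler and report 'ok', 'forbidden' or 'not_found' (small helper for demos)."""
    try:
        fn(*args)
        return "ok"
    except Forbidden:
        return "forbidden"
    except (NotFound, KeyError):
        return "not_found"


# Detection side: one principal walking through many distinct object ids looks like
# enumeration whether the server answered 200 (vulnerable) or 403/404 (fixed).
LOG_RE = re.compile(r'^\S+ \S+ (?P<user>\S+) \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]+" (?P<status>\d{3})')
OBJECT_RE = re.compile(r"^/api/users/(?P<id>[^/?]+)/")

# Constructed access-log lines in combined-log style (ip ident user [time] "request" status bytes).
SAMPLE_LOG = [
    '203.0.113.7 - u-101 [04/Apr/2026:10:00:01 +0000] "GET /api/users/u-100/profile HTTP/1.1" 403 0',
    '203.0.113.7 - u-101 [04/Apr/2026:10:00:02 +0000] "GET /api/users/u-102/profile HTTP/1.1" 403 0',
    '203.0.113.7 - u-101 [04/Apr/2026:10:00:02 +0000] "GET /api/users/u-103/profile HTTP/1.1" 403 0',
    '203.0.113.7 - u-101 [04/Apr/2026:10:00:03 +0000] "GET /api/users/u-104/profile HTTP/1.1" 404 0',
    '203.0.113.7 - u-101 [04/Apr/2026:10:00:03 +0000] "GET /api/users/u-101/profile HTTP/1.1" 200 512',
    '198.51.100.4 - u-100 [04/Apr/2026:10:00:05 +0000] "GET /api/users/u-100/profile HTTP/1.1" 200 512',
]


def flag_enumeration(log_lines, min_distinct_ids: int = 5) -> dict:
    """Map user -> (distinct object ids touched, denied responses) for users over the threshold."""
    touched = defaultdict(set)
    denied = defaultdict(int)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        obj = OBJECT_RE.match(m["path"])
        if not obj:
            continue
        touched[m["user"]].add(obj["id"])
        if m["status"] in ("403", "404"):
            denied[m["user"]] += 1
    return {u: (len(ids), denied[u]) for u, ids in touched.items() if len(ids) >= min_distinct_ids}
```

The threshold is deliberately low for the constructed sample; in production it would be tuned per route and evaluated over a time window.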

auth-04

Password reset flow analysis

Test the password reset process for predictable tokens, host header injection, and race conditions.

# Capture reset request, check token entropy
# Test Host header injection in reset email
curl -s -X POST https://target.com/forgot-password -d 'email=victim@example.com' -H 'Host: attacker.com'
# Test token reuse and expiry

Check whether reset tokens are single-use, time-limited, and invalidated after password change.
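An added example, not from the checklist, covering the three properties the note above asks for (single-use, time-limited, invalidated after a password change) together with the Host header point from the curl line. APP_BASE_URL, the 15-minute TTL and the in-memory store are constructed assumptions; a real service would back the store with a database.

```python
import hashlib
import secrets
import time
from typing import Optional

RESET_TTL_SECONDS = 15 * 60
# Constructed: the public base URL is server configuration and is never taken from the request.
APP_BASE_URL = "https://app.example.com"


def build_reset_link_vulnerable(host_header: str, token: str) -> str:
    # Trusts the incoming Host header to build the link that is mailed to the user, so a
    # request with a forged Host mails the victim a link whose origin the requester chose.
    return f"https://{host_header}/reset?token={token}"


def build_reset_link(token: str) -> str:
    # Hardened: the origin is fixed configuration; the request cannot influence it.
    return f"{APP_BASE_URL}/reset?token={token}"


def _h(token: str) -> str:
    return hashlib.sha256(token.encode("ascii")).hexdigest()


class ResetStore:
    """Pending reset tokens. Only a hash is stored, so a database leak does not yield usable tokens."""

    def __init__(self):
        self._pending = {}  # sha256(token) -> (user_id, expires_at)

    def issue(self, user_id: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        self.invalidate_user(user_id)  # a new request supersedes any earlier outstanding token
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG; not derived from time or user id
        self._pending[_h(token)] = (user_id, now + RESET_TTL_SECONDS)
        return token

    def redeem(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user id the token belongs to, or None. Consumes the token either way."""
        now = time.time() if now is None else now
        # pop() makes redemption single-use. In a real store this must be one atomic
        # conditional delete so that two concurrent submissions cannot both succeed.
        entry = self._pending.pop(_h(token), None)
        if entry is None:
            return None
        user_id, expires_at = entry
        if now > expires_at:
            return None
        return user_id

    def invalidate_user(self, user_id: str) -> None:
        # Drop every outstanding token for the user (called after a successful password change).
        self._pending = {k: v for k, v in self._pending.items() if v[0] != user_id}


def change_password(store: ResetStore, token: str, now: Optional[float] = None) -> bool:
    """Complete a reset: redeem the token, then make sure nothing else for that user survives."""
    user_id = store.redeem(token, now)
    if user_id is None:
        return False
    # The credential update itself is not modelled here; only the token lifecycle is.
    store.invalidate_user(user_id)
    return True
```

The entropy check in the checklist maps directly onto how the token is generated: a CSPRNG value of fixed length, never a timestamp, sequence number or hash of the email address.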

auth-05

OAuth 2.0 misconfiguration testing

Test OAuth flows for open redirects, state fixation, PKCE bypass, and token leakage.

# Check redirect_uri validation
curl 'https://target.com/oauth/authorize?response_type=code&client_id=CLIENT_ID&redirect_uri=https://attacker.com'
# Test missing state parameter
# Check implicit flow token leakage in Referer headers

Verify that the state parameter is validated and that redirect_uri is strictly whitelisted, not prefix-matched.
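An added example, not from the checklist, showing the prefix-matched redirect_uri check beside the exact-match one the note above asks for, a session-bound single-use state check, and S256 PKCE verification at the token endpoint. The client registration is constructed; pkce_challenge follows RFC 7636 and the test vector is the one from that RFC's Appendix B.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed client registration: one exact redirect URI per client.
REGISTERED_REDIRECTS = {"demo-client": {"https://app.example.com/oauth/callback"}}


def redirect_allowed_prefix(client_id: str, redirect_uri: str) -> bool:
    # Weak check: "any URL under the registered origin", implemented as a string prefix test.
    # Because the test stops at the origin string, a longer hostname that merely starts with
    # the registered one passes as well.
    for registered in REGISTERED_REDIRECTS.get(client_id, ()):
        parts = urlsplit(registered)
        origin = f"{parts.scheme}://{parts.netloc}"
        if redirect_uri.startswith(origin):
            return True
    return False


def redirect_allowed_strict(client_id: str, redirect_uri: str) -> bool:
    # Hardened: byte-for-byte match against the registered value; no prefix, no normalisation,
    # extra query or path components fail, and a fragment is never accepted.
    if "#" in redirect_uri:
        return False
    return redirect_uri in REGISTERED_REDIRECTS.get(client_id, set())


def new_state(session: dict) -> str:
    # Fresh unguessable state bound to this browser session before redirecting to /authorize.
    session["oauth_state"] = secrets.token_urlsafe(32)
    return session["oauth_state"]


def callback_state_ok(session: dict, params: dict) -> bool:
    # Single-use: the stored value is removed whether or not the comparison succeeds, so a
    # callback with no state, a wrong state, or a replayed one all fail.
    expected = session.pop("oauth_state", None)
    received = params.get("state")
    if expected is None or received is None:
        return False
    return hmac.compare_digest(expected.encode("utf-8"), received.encode("utf-8"))


def pkce_challenge(verifier: str) -> str:
    # RFC 7636 S256: BASE64URL(SHA256(ASCII(code_verifier))) without padding.
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def pkce_ok(code_verifier: str, stored_challenge: str, stored_method: str) -> bool:
    # stored_challenge / stored_method were recorded with the authorization code at /authorize.
    # Refusing a missing challenge and the "plain" method closes the usual downgrade paths.
    if not stored_challenge or stored_method != "S256" or not code_verifier:
        return False
    return hmac.compare_digest(pkce_challenge(code_verifier).encode("ascii"),
                               stored_challenge.encode("utf-8"))
```

When reviewing an authorization server, ask the same questions the functions make explicit: is redirect_uri compared for equality or for prefix, is state stored server-side and consumed on use, and can a client that started with S256 finish without a verifier.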

Overview

Authentication and authorisation flaws consistently rank among the highest-severity findings in bug bounty programmes. A single broken access control vulnerability can lead to full account takeover or mass data exposure.

Testing mindset

Test each authentication mechanism in isolation, then test interactions between them. A secure login flow can still be undermined by a flawed password reset or a JWT signed with a weak secret.

Common high-impact findings

  • JWT alg:none / algorithm confusion — remote authentication bypass
  • IDOR with predictable IDs — access to any user’s data
  • Host header injection in reset email — account takeover without any interaction
  • OAuth redirect_uri bypass — code/token theft via open redirect
  • Missing MFA on privileged endpoints — step-up auth not enforced

// references

  1. https://portswigger.net/web-security/oauth
  2. https://portswigger.net/web-security/jwt
  3. https://github.com/ticarpi/jwt_tool
  4. https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html
  5. https://owasp.org/API-Security/editions/2023/en/0xa1-broken-object-level-authorization/