After this lesson, you will be able to: Test authentication and session management with Burp: analyze cookies and tokens, find IDOR, test password-reset flows and session fixation, and analyze JWTs (including the alg:none vulnerability).
Authentication and session handling are where many real breaches start. This lesson uses Burp to analyze login requests, cookies, and tokens, find insecure direct object references (IDOR), test reset flows and session fixation, and pull apart JWTs.
Intercept a login and identify the username and password parameters and how they are sent. Then study the session cookie set on success: is it HttpOnly (JavaScript cannot read it) and Secure (HTTPS only)? From an attacker's view, a missing HttpOnly flag means an XSS can steal the session; a missing Secure flag means it can leak over HTTP. Burp shows these flags in the Set-Cookie header.
Insecure Direct Object Reference means the app trusts a client-supplied identifier without checking ownership. In Burp, find a request like GET /api/account?id=123, send it to Repeater, and change the id to 124. If you get another user's data, that is IDOR. It is one of the most common and impactful findings because it is easy to introduce and easy to exploit. The Autorize extension automates this at scale (covered later).
Test reset flows for predictable tokens (are they sequential or guessable?), token reuse (does an old token still work?), and host header injection (can you change the Host header so the reset link in the email points to your server?). For session fixation, check whether the session token changes after login: if the pre-login token is still valid afterward, an attacker who planted it can ride the authenticated session.
A JSON Web Token has three Base64url-encoded parts separated by dots: header, payload, signature. Decode them in Burp's Decoder to read the claims and the algorithm. The classic attack is alg:none: change the header's algorithm to 'none', remove the signature, and see whether the server accepts the unsigned token (a naive implementation that trusts the alg field does, letting you forge any identity). The JWT Editor extension (BApp Store) automates these attacks, including key confusion.
Use PortSwigger Web Security Academy labs.
1. Complete the 'Exploiting an API endpoint using documentation' lab: read the API docs, find an endpoint, and manipulate it in Repeater.
2. Complete an IDOR lab from the access-control series: change an identifier in a request and access another user's resource.
3. For each, write one sentence on the root cause (missing ownership check) and the fix (server-side authorization on every object access).
- Assuming a missing HttpOnly flag is harmless.
- Testing IDOR only on numeric IDs and missing UUIDs/usernames in other parameters.
- Forgetting host header injection in reset flows.
- Not checking whether the session token rotates on login (session fixation).
- Trusting a JWT's claims without testing the signature.
- Forgetting that the fix for IDOR is server-side authorization, not obscuring the IDs.