
Module 05 — Authentication & Access Control

Icon: 🔒 Lock   |   Colour: Yellow

Overview

Tests for broken authentication (default credentials, missing login rate limiting), session management weaknesses, insecure CORS configuration, insecure direct object references (IDOR), missing CSRF protection, and exposed admin paths.

How It Works

  1. Default credentials — submits 13 common username/password pairs (e.g. admin/admin, admin/password) to each discovered login form and reports any pair that is accepted.
  2. Rate limiting — sends 20 login attempts in quick succession and checks whether the server throttles, locks out, or otherwise rejects them; if none are blocked, brute-force protection is missing.
  3. CORS origin testing — sends five different Origin header values (an arbitrary domain, null, a subdomain of the target, etc.) and inspects the Access-Control-Allow-Origin and Access-Control-Allow-Credentials response headers for a misconfigured cross-origin policy.
  4. IDOR testing — changes numeric resource IDs to adjacent values (e.g. id=101 to id=100) and checks whether another user's resource is returned without authorisation.
  5. CSRF token scanning — checks discovered forms for the presence of an anti-CSRF token field.
  6. Admin path probing — requests 16 common admin paths (e.g. /admin, /dashboard, /wp-admin) and reports any that are reachable without authentication.

Expected Findings

Finding                           Severity
Default credentials accepted      Critical
CORS allows arbitrary origin      High
IDOR detected                     High
CORS wildcard with credentials    High
Missing CSRF protection           Medium
No rate limiting on login         Medium
CORS accepts null origin          Medium
HTTP method override possible     Medium