Authentication - Learning

The Portswigger Web Academy

In the Portswigger Web Academy you'll find the theoretical information and explanation, then you'll find a challenge, make sure to understand the information before you start the challenge.
The theoretical information is such important as the challenge or practical part.
Take your notes they are very important.
Try to do everything by yourself, but remember that we are learning so feel free to see the solution and follow it, you'll learn a lot
You are going to need Burpsuite, find the way to install it and research how to use it, the Academy will teach you how to use some functionalities of the tool. I recommend this video if you need some introduction: Burpsuite Basics (FREE Community Edition)
Google is your friend.

You now know:

What is Authentication.
The difference between authentication and authorization.
How do authentication vulnerabilities arise.
The impact of vulnerable authentication.
Vulnerabilities in password-based login.
Brute-force attacks (passwords and usernames).
User enumeration.
How to do an intruder sniper attack in Burpsuite.
How to do an intruder pitchfork attack in Burpsuite.
How to do an intruder cluster bomb attack in Burpsuite.
How use Grep - Extract in an intruder attack in Burpsuite.
How to bypass an IP-based brute-force protection using the X-Forwarded-For header.
How to use the session handling rule editor.
Use a macro in Burpsuite.
Use the decoder.
How to enumerate users via an account lock.
Send multiple credentials per request.
How HTTP basic authentication works.
What are multi-factor authentication vulnerabilities.
Bypass a two-factor authentication.
Exploit a flawed two-factor verification logic.
Bypass a 2FA authentication using a brute force attack.
Brute-force a cookie to stay login.
Exploit a reset password functionality.
Reset a password poisoning.
Exploit the change password functionality.