Security - Authentication - Beginner - 7 possible tests

Broken Authentication

Session management flaws: no token rotation, no expiry, session ID in URLs, and logout that does not invalidate server-side. Work through each step in order.

Live Session State (interactive panel; initial values: not created, not logged in, anonymous, -, anonymous)

What is Broken Authentication?

Broken authentication covers flaws in how sessions, tokens, and credentials are managed. Common issues include no session expiry, tokens that never rotate on login, predictable session IDs, and no re-authentication for sensitive actions.

What is hidden here

  • True Negative - Valid credentials accepted (correct behavior)
  • True Positive - Invalid credentials rejected with 401
  • Bug Found - Session ID not rotated after login - fixation risk
  • Bug Found - Session ID exposed in profile URL - visible in logs and browser history
  • Bug Found - Logout does not invalidate server-side session
  • Bug Found - Logged-out session ID still accepted - reuse attack possible
  • Bug Found - Session never expires - no inactivity timeout enforced

Test Flow - Work through steps 1 to 7 in order

STEP 1 - Create Pre-Login Session
Simulate visiting the page as an anonymous user. Record the session ID - you will compare it to the post-login ID in Step 3.
POST /qa-sandbox/broken-auth/
action=init

STEP 2 - Login with Valid Credentials
Submit correct credentials. The session ID in the panel above should NOT change after login - that is the bug you will verify in Step 3.
POST /qa-sandbox/broken-auth/
action=login   username=admin   password=password123   session_id=

STEP 3 - Check Session Rotation
Compare the pre-login and post-login session IDs. A secure system rotates the ID on login to prevent session fixation attacks.
POST /qa-sandbox/broken-auth/
action=check-rotation   pre_login_id=   post_login_id=

STEP 4 - Access Profile via URL Session ID
The profile endpoint accepts the session token as a URL query parameter. This leaks the token into browser history, server logs, and HTTP Referer headers.
GET /qa-sandbox/broken-auth/profile/?session_id=

STEP 5 - Logout
Send a logout request. The server marks the UI state as logged out but does not delete or invalidate the server-side session object.
POST /qa-sandbox/broken-auth/
action=logout   session_id=

STEP 6 - Reuse Session After Logout
Send the same session ID that was just logged out. A secure system should reject it. This one does not.
POST /qa-sandbox/broken-auth/
action=check-session   session_id=

STEP 7 - Check Session Expiry
Verify whether the session has an inactivity timeout. A secure system should expire sessions after 30 minutes of inactivity.
POST /qa-sandbox/broken-auth/
action=check-expiry   session_id=

  • All 7 tests work in Postman - use POST x-www-form-urlencoded for steps 1-3, 5-7
  • Step 1: action=init - copy the session_id from response
  • Step 2: action=login with username=admin, password=password123, session_id=
  • Step 3: action=check-rotation - pass pre_login_id and post_login_id - they will be the same
  • Step 4: GET /qa-sandbox/broken-auth/profile/?session_id= - token in URL is the bug
  • Step 5: action=logout with session_id=
  • Step 6: action=check-session after logout - session still accepted (bug)
  • Step 7: action=check-expiry - session has no timeout, valid indefinitely (bug)
  • In Postman: use environment variables to chain steps - save session_id with a test script: pm.environment.set("session_id", pm.response.json().session_id)
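For contrast with the sandbox's deliberately broken server, here is an added example (not the sandbox's own code) of a server-side session store that passes all seven checks: it rotates the ID on login, deletes the session on logout, enforces the 30-minute inactivity timeout, and sends the ID as a cookie rather than a query parameter. The credential table, salt and the injectable clock are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

IDLE_TIMEOUT = 30 * 60  # Step 7: 30-minute inactivity timeout, in seconds
# Constructed credential table (hypothetical): salted SHA-256 of the sandbox demo password.
_SALT = b"demo-salt"
USERS = {"admin": hashlib.sha256(_SALT + b"password123").hexdigest()}


class SessionStore:
    """Server-side session store that fixes the four session bugs the sandbox hides."""
    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so expiry can be tested without waiting
        self._sessions = {}      # session_id -> {"user": str, "last_seen": float}

    def create(self):
        """Step 1: anonymous pre-login session with an unpredictable 256-bit id."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": "anonymous", "last_seen": self._clock()}
        return sid

    def login(self, sid, username, password):
        """Steps 2-3: verify credentials, then rotate the id so a fixated pre-login id dies."""
        digest = hashlib.sha256(_SALT + password.encode()).hexdigest()
        if not hmac.compare_digest(digest, USERS.get(username, "")):
            return None                          # 401 path: the pre-login session is untouched
        self._sessions.pop(sid, None)            # the old id must not survive login
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = {"user": username, "last_seen": self._clock()}
        return new_sid

    def validate(self, sid):
        """Steps 6-7: reject unknown, logged-out or idle ids; returns the user or None."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        now = self._clock()
        if now - entry["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]              # expire it for real, do not just report it
            return None
        entry["last_seen"] = now                 # sliding inactivity window
        return entry["user"]

    def logout(self, sid):
        """Step 5: delete the server-side object, not just a UI flag."""
        return self._sessions.pop(sid, None) is not None


def cookie_header(sid):
    """Step 4: carry the id in a cookie, never a query string that lands in logs/Referer."""
    return f"Set-Cookie: session_id={sid}; HttpOnly; Secure; SameSite=Lax; Path=/"
```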