Authentication Bugs
// 6 bugs
Bugs in login, logout, password reset, session management, tokens, and multi-factor flows.
// Why it matters
Authentication bugs let attackers access accounts they shouldn't. Session tokens not expiring after logout, credentials staying valid after a password change, or MFA codes that can be reused are high and critical severity issues that appear in real apps and in every QA interview.
// Common symptoms
- User can access protected pages after logging out
- Old access token still works after a password change
- Login succeeds with incorrect credentials after multiple attempts
- Session stays active after the account is disabled
- MFA code can be submitted a second time
- Password reset link works more than once
// Bugs in this category
Showing 6 of 6 bugs
When a user logs out, their session token or authentication cookie should be invalidated server-side. If the server only clears client-side state but does not revoke the session, the old token continues to work β allowing the user, or anyone who obtained the token, to access protected resources after logout.
A password reset link contains a one-time token that should be invalidated immediately after the password is changed. If the token is not marked as used, anyone with access to the original reset link β via email forwarding, a shared inbox, or a previously intercepted email β can trigger another password reset and take over the account.
The login endpoint POST /api/auth/login accepts an unlimited number of credential attempts per client with no rate limiting, no account lockout, and no CAPTCHA. An attacker can automate thousands of password guesses per minute against any account without triggering any throttle or block.
A TOTP one-time code used to complete an MFA login can be submitted again in a second login attempt within the same 30-second validity window and still passes verification. The server validates the code against the current time window but does not record that this specific code has already been consumed, allowing an attacker who intercepted the code to replay it.
When a user requests a second password reset link, the server issues a new token without invalidating the first one. Both tokens remain valid until they expire or are used. An attacker who previously captured the first reset email β via phishing, a shared inbox, or forwarded mail β can still use that token to take over the account even after the user issued a fresh request.
A JSON Web Token's payload contains sensitive information β full personal data, internal flags, or secrets. Because a JWT is signed but not encrypted, anyone holding the token can decode and read the payload, so anything placed there is effectively exposed to the client and to anyone who captures the token.
// Explore other categories
Permission and Authorization Bugs
Bugs where users can access, edit, delete, or view resources they shouldn't be allowed to.
API Bugs
Bugs in HTTP status codes, request validation, response schemas, error messages, and API contracts.
UI and Frontend Bugs
Bugs affecting layout, forms, responsiveness, error messages, and how the interface behaves across browsers and screen sizes.
Data Bugs
Bugs involving incorrect, duplicated, stale, missing, or inconsistent data across the application.
Payment Bugs
Bugs in checkout flows, payment retries, webhooks, refunds, subscriptions, and invoices.
Time and Date Bugs
Bugs caused by timezone mismatches, daylight saving transitions, date range errors, and locale differences.
Search and Filter Bugs
Bugs in search results, filters, pagination, sorting, and result counts.
File Upload Bugs
Bugs in file type validation, size limits, upload progress, storage, and file preview.
Notification Bugs
Bugs in email delivery, push notifications, in-app alerts, webhooks, and notification preferences.
// Practise finding these bugs
Hunt authentication bugs hands-on in a live practice app, then check your findings against the seeded-bug answer guide.