Web Authentication and Authorization

WebAuthn

[More Info](/Web Exploitation/Auth/WebAuthn.md)

Session Cookies

Session cookies should be marked HttpOnly and Secure; for extra protection add the SameSite attribute and use the `__Host-` cookie name prefix.

Set-Cookie: CookieName=CookieValue; SameSite=Lax;
Set-Cookie: CookieName=CookieValue; SameSite=Strict;
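As an added example (not from the original notes), a small Python check that audits a Set-Cookie header against the attributes above, including the `__Host-` prefix rules (Secure set, no Domain, Path=/). The header strings used are constructed samples.

```python
from __future__ import annotations

# Added example: audit a Set-Cookie header for the session-cookie hardening
# attributes (HttpOnly, Secure, SameSite, __Host- prefix). Sample headers below
# are constructed for illustration.


def parse_set_cookie(header: str) -> tuple[str, str, dict[str, str | None]]:
    """Split 'name=value; Attr; Attr=val' into (name, value, {attr_lower: val})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: dict[str, str | None] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return name.strip(), value, attrs


def audit_session_cookie(header: str) -> list[str]:
    """Return a list of findings; an empty list means the cookie is hardened."""
    name, _, attrs = parse_set_cookie(header)
    findings: list[str] = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: cookie is readable by page script")
    if "secure" not in attrs:
        findings.append("missing Secure: cookie may be sent over plaintext HTTP")
    samesite = (attrs.get("samesite") or "").lower()
    if samesite == "none":
        findings.append("SameSite=None disables cross-site limits and requires Secure")
    elif samesite not in ("lax", "strict"):
        findings.append("missing SameSite: set Lax or Strict to limit cross-site sends")
    # __Host- prefix rules: Secure must be set, no Domain attribute, Path=/ exactly.
    if name.startswith("__Host-"):
        if "secure" not in attrs:
            findings.append("__Host- prefix requires Secure")
        if "domain" in attrs:
            findings.append("__Host- prefix forbids the Domain attribute")
        if attrs.get("path") != "/":
            findings.append("__Host- prefix requires Path=/")
    else:
        findings.append("consider the __Host- prefix to bind the cookie to this host")
    return findings


if __name__ == "__main__":
    for h in ("sid=abc; SameSite=Lax",
              "__Host-sid=abc; Path=/; Secure; HttpOnly; SameSite=Strict"):
        print(h, "->", audit_session_cookie(h) or ["ok"])
```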

Security Headers

Strict-Transport-Security header
Everything you need to know about HTTP security headers

APIs

Use a bearer token.
Enforce TLS and revoke any token that is sent over plain HTTP.

  • If you use OpenID/OAuth for client sign-ins, require HTTPS callbacks and issue scoped permissions.

Account Takeover

  • Test whether a Unicode variant of the email address maps to the existing account.
  • Check whether the password reset link can be reused.
  • Create an account with the same email address to pre-hijack an account if the target uses OAuth to log in.
  • Test whether the Host, Referer, X-Forwarded-For and Origin headers change the domain in the password reset link.

OPKSSH

https://blog.cloudflare.com/open-sourcing-openpubkey-ssh-opkssh-integrating-single-sign-on-with-ssh/