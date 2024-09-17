Login page security vulnerabilities are more common than you might think. In the login process for many websites and applications, an additional verification safeguard extends the traditional username/password step for increased security. Imagine a two-step login flow. In the first step, the site asks you for a username and password combination. If you enter these credentials correctly, then the second step asks you to answer a security question (which you specified when you first set up your account).

This second step is typically built from a page view template that inserts the security question based on the user who has successfully completed the first step. The entire two-step login flow basically works like this:

Alice visits the login page at https://www.example.com/login.

Alice submits a username and password combination.

The server verifies the submitted credentials.

Because the credentials were correct, the server redirects the browser to the follow-up page at https://www.example.com/login2, including a unique token in the request header to verify that Alice has passed the first step of the login flow.

The server renders this page based on a template, inserting the fetched security question for Alice, alongside the text input for a response and a submit button.

Alice submits the response to her security question.

The server verifies that Alice answered her security question correctly and then logs her in.

Let’s focus on that second page of the flow, at https://www.example.com/login2. Imagine what might happen if you visited that page directly in your browser, without going through the first step.

In one scenario, it’s possible that the server checks to see if there is no valid token in the request header (meaning you did not successfully pass the first step of the login flow), and it simply redirects you back to https://www.example.com/login in order to start over.

However, in another possible scenario, the server still renders the page based on the template. Unable to find a corresponding security question for the user (since there’s no token that tells the server which halfway-authenticated user this is), the resulting page might look like this: