Common authentication attack types explained
brute force attacks, credential stuffing, phishing, session hijacking, CSRF, replay attacks, rate limiting as defense
Know Your Attacker
Before you build defenses, know what you are defending against. Most auth vulnerabilities fall into a small number of attack categories.
Attacks on Credentials
Brute force: an attacker tries thousands of password guesses against one account. Defense: rate limiting and account lockout.
Credential stuffing: an attacker takes username/password pairs leaked from another breach and tries them on your site. Most people reuse passwords. Defense: rate limiting, breach detection APIs, MFA.
Phishing: a fake login page tricks users into submitting real credentials. Defense: HTTPS, security keys (WebAuthn), user education.
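The two credential defenses named above, rate limiting and account lockout, look similar but count different things: lockout counts consecutive failures against one account (brute force), while rate limiting counts attempts from one source across many accounts (credential stuffing, where each account sees only one or two guesses). The following is an added example, not code from this course, showing both counters in front of a password check. The thresholds (5 failures, 15-minute lockout, 20 attempts per minute per IP) and the constructed user table are assumptions chosen for illustration; a real deployment would keep this state in a shared store rather than in process memory.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque


class FakeClock:
    """Injectable clock so lockout and window expiry can be exercised without sleeping."""

    def __init__(self, start=0.0):
        self.t = start

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class LoginGuard:
    """Per-account lockout (brute force) plus per-IP sliding-window rate limit (credential stuffing)."""

    def __init__(self, max_failures=5, lockout_seconds=900,
                 ip_window_seconds=60, ip_max_attempts=20, clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.ip_window_seconds = ip_window_seconds
        self.ip_max_attempts = ip_max_attempts
        self.clock = clock
        self._failures = defaultdict(int)       # username -> consecutive failed attempts
        self._locked_until = {}                 # username -> timestamp when lockout ends
        self._ip_attempts = defaultdict(deque)  # ip -> timestamps of attempts in the window

    def _prune(self, ip):
        """Drop attempts older than the window and return the remaining queue."""
        now = self.clock()
        q = self._ip_attempts[ip]
        while q and now - q[0] >= self.ip_window_seconds:
            q.popleft()
        return q

    def check(self, username, ip):
        """Call before verifying the password. Returns 'ok', 'locked' or 'rate_limited'."""
        now = self.clock()
        until = self._locked_until.get(username)
        if until is not None:
            if now < until:
                return "locked"
            del self._locked_until[username]   # lockout expired: reset the counter
            self._failures[username] = 0
        q = self._prune(ip)
        if len(q) >= self.ip_max_attempts:
            return "rate_limited"
        q.append(now)                           # every verified-or-not attempt counts toward the IP limit
        return "ok"

    def record_failure(self, username):
        self._failures[username] += 1
        if self._failures[username] >= self.max_failures:
            self._locked_until[username] = self.clock() + self.lockout_seconds

    def record_success(self, username):
        self._failures.pop(username, None)
        self._locked_until.pop(username, None)


def hash_password(password, salt=None, iterations=100_000):
    """PBKDF2-HMAC-SHA256 with a random salt; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def verify_password(password, salt, digest, iterations=100_000):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


def attempt_login(guard, users, username, password, ip):
    """Guard first, then credential check, then update the guard with the outcome."""
    verdict = guard.check(username, ip)
    if verdict != "ok":
        return verdict
    record = users.get(username)
    if record is not None and verify_password(password, *record):
        guard.record_success(username)
        return "authenticated"
    guard.record_failure(username)   # unknown user and wrong password are treated alike
    return "invalid"


if __name__ == "__main__":
    clock = FakeClock()
    guard = LoginGuard(clock=clock)
    users = {"alice": hash_password("correct horse battery staple")}   # constructed user table
    for _ in range(5):
        print(attempt_login(guard, users, "alice", "wrong", "203.0.113.7"))
    # After five failures even the correct password is refused until the lockout ends.
    print(attempt_login(guard, users, "alice", "correct horse battery staple", "203.0.113.7"))
```

Note the trade-off the lockout introduces: an attacker who knows a username can lock the legitimate user out by sending five wrong guesses, which is why the lockout here is time-limited and why many sites pair it with the per-IP limit or with MFA instead of relying on lockout alone.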
Attacks on Sessions
Session hijacking: an attacker steals a valid session cookie (via XSS or network sniffing) and impersonates the user. Defense: Secure and HttpOnly cookie flags, HTTPS, short session lifetimes.
CSRF (Cross-Site Request Forgery): a malicious site tricks the user's browser into making authenticated requests to your site. Defense: CSRF tokens, SameSite cookie attribute.
Replay attacks: an attacker captures a valid token and re-sends it later. Defense: short token expiry, token invalidation on use.
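The three session defenses above are small pieces of server-side code, so here they are together in an added example that is not part of the course material: a Set-Cookie value carrying the Secure, HttpOnly and SameSite attributes with a short Max-Age; an HMAC-based CSRF token bound to the session identifier and checked in constant time (one of several CSRF token patterns, chosen here because it needs no extra storage); and a one-time token store that rejects a token after its first use or after expiry, which is the "short expiry plus invalidation on use" replay defense. The cookie name, key, TTL values and the in-memory store are assumptions for illustration.

```python
import hmac
import hashlib
import secrets
import time


def session_cookie_header(session_id, max_age=900):
    """Set-Cookie value for a session cookie.

    HttpOnly: script cannot read it, so XSS cannot exfiltrate it.
    Secure: never sent over plaintext HTTP, so it cannot be sniffed.
    SameSite=Strict: not attached to cross-site requests, blunting CSRF.
    Max-Age: short lifetime limits how long a stolen cookie stays useful.
    """
    return (f"session={session_id}; Path=/; Max-Age={max_age}; "
            "Secure; HttpOnly; SameSite=Strict")


def csrf_token(server_key, session_id):
    """Token derived from the session id with a server-side key; the page embeds it in forms."""
    return hmac.new(server_key, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf_token(server_key, session_id, submitted):
    """Recompute for the session that sent the request and compare in constant time.
    A token lifted from another session (or forged without the key) will not match."""
    expected = csrf_token(server_key, session_id)
    return hmac.compare_digest(expected, submitted or "")


class OneTimeTokenStore:
    """Tokens (e.g. for password reset or magic-link login) that are valid once, briefly."""

    def __init__(self, ttl_seconds=300, clock=time.monotonic):
        self.ttl = ttl_seconds
        self.clock = clock
        self._tokens = {}   # token -> (subject, expires_at)

    def issue(self, subject):
        token = secrets.token_urlsafe(32)   # 256 bits of randomness, unguessable
        self._tokens[token] = (subject, self.clock() + self.ttl)
        return token

    def redeem(self, token):
        """Return the subject on first valid use, None on replay, expiry or unknown token."""
        entry = self._tokens.pop(token, None)   # pop() invalidates on use, even if it turns out expired
        if entry is None:
            return None
        subject, expires_at = entry
        if self.clock() >= expires_at:
            return None
        return subject


if __name__ == "__main__":
    print(session_cookie_header("constructed-session-id"))
    key = b"constructed-server-key"           # in practice: loaded from secret storage
    tok = csrf_token(key, "sess-1")
    print(verify_csrf_token(key, "sess-1", tok), verify_csrf_token(key, "sess-2", tok))
    store = OneTimeTokenStore()
    t = store.issue("alice")
    print(store.redeem(t), store.redeem(t))   # second call is a replay and yields None
```

Because the CSRF token is keyed on the session id, a token captured from one user's page is useless against another user's session, and rotating the session id on login also rotates every outstanding token. The one-time store removes the token before checking expiry, so an expired token cannot be retried later either.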
Each module in this course introduces the specific defenses relevant to that topic. Understanding the attack model first makes those defenses obvious rather than arbitrary.
