RC RANDOM CHAOS

authentication-bypass

2 posts

Victim types the password, attacker keeps the token
Article

CVE-2023-4714 session fixation (CWE-384) explained: how attackers plant a session ID, bypass MFA, what fires in telemetry, and why rotation alone is not enough.
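To make the mechanism this post covers concrete, here is an added Python example (constructed for this listing, not code from the linked article or from the affected product): a toy session store with three login flows side by side. `login_fixated` authenticates whatever session ID the browser presented, so a planted ID becomes the victim's authenticated session; `login_rotate_only` regenerates the ID after the password check but leaves the old one valid and never rotates again after MFA; `login_hardened` rotates and invalidates after each privilege step. The user `victim`, the credentials, the OTP and the `SessionStore` API are all assumptions of the example.

```python
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed credentials for the demo only (not real accounts).
USERS = {"victim": {"password": "hunter2", "otp": "123456"}}


def check_password(user: str, password: str) -> bool:
    return user in USERS and secrets.compare_digest(USERS[user]["password"], password)


def check_otp(user: str, otp: str) -> bool:
    return user in USERS and secrets.compare_digest(USERS[user]["otp"], otp)


@dataclass
class Session:
    user: Optional[str] = None
    password_ok: bool = False
    mfa_ok: bool = False

    @property
    def authenticated(self) -> bool:
        return self.user is not None and self.password_ok and self.mfa_ok


class SessionStore:
    """Toy server-side store: cookie value -> Session (an assumed API)."""

    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}

    def new(self) -> str:
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session()
        return sid

    def rotate(self, sid: str, invalidate_old: bool) -> str:
        """Issue a fresh ID for the same state. With invalidate_old=False the old
        ID still resolves to the same Session object, so whoever planted it
        keeps riding along: rotation without invalidation changes nothing."""
        state = self.sessions[sid]
        new_sid = secrets.token_urlsafe(32)
        self.sessions[new_sid] = state
        if invalidate_old:
            del self.sessions[sid]
        return new_sid


def login_fixated(store: SessionStore, sid: str, user: str, password: str, otp: str) -> str:
    """Vulnerable (CWE-384): authenticates whatever session ID the browser sent."""
    s = store.sessions[sid]
    if check_password(user, password):
        s.user, s.password_ok = user, True
    if s.password_ok and check_otp(user, otp):
        s.mfa_ok = True
    return sid


def login_rotate_only(store: SessionStore, sid: str, user: str, password: str, otp: str) -> str:
    """Rotates after the password check but never invalidates the old ID and
    does not rotate again after MFA."""
    s = store.sessions[sid]
    if check_password(user, password):
        s.user, s.password_ok = user, True
        sid = store.rotate(sid, invalidate_old=False)
    if s.password_ok and check_otp(user, otp):
        s.mfa_ok = True
    return sid


def login_hardened(store: SessionStore, sid: str, user: str, password: str, otp: str) -> str:
    """Rotates and invalidates after every step that raises privilege."""
    s = store.sessions[sid]
    if not check_password(user, password):
        return sid
    s.user, s.password_ok = user, True
    sid = store.rotate(sid, invalidate_old=True)      # planted ID dies here
    if check_otp(user, otp):
        s.mfa_ok = True
        sid = store.rotate(sid, invalidate_old=True)  # and again after MFA
    return sid


def fixation_attack(login: Callable[..., str]) -> bool:
    """Attacker gets a valid unauthenticated ID, plants it in the victim's browser,
    and the victim completes password + MFA with it. True if the attacker's copy
    of the ID now resolves to an authenticated session."""
    store = SessionStore()
    planted = store.new()
    login(store, planted, "victim", "hunter2", "123456")
    s = store.sessions.get(planted)
    return s is not None and s.authenticated


def legitimate_login(login: Callable[..., str]) -> bool:
    """The ID the server hands back after a full login must itself be authenticated."""
    store = SessionStore()
    sid = login(store, store.new(), "victim", "hunter2", "123456")
    return store.sessions[sid].authenticated
```

`fixation_attack` returns True for the first two flows and False for the hardened one, while `legitimate_login` is True for all three, so the victim never notices a difference. The middle case is the point of "rotation alone is not enough": regenerating the identifier without invalidating the old one, or rotating before MFA but not after it, leaves the planted token riding the victim's fully authenticated session.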

The login page was never the boundary
Article

Cisco's CVSS 9.8 Integrated Management Controller (IMC) authentication bypass shows why perimeter-based identity fails: when reachability equals admin, the network is the credential.