
Auth Attack Vectors — How Authentication Gets Broken

Understanding CSRF, session fixation, token theft, brute force, and credential stuffing, and how to defend against each

16 min read. Tags: csrf, session-fixation, brute-force, credential-stuffing, auth-attacks

You've built your authentication system. Tokens are stored in httpOnly cookies. MFA is enabled for admin accounts. API keys are hashed and scoped. Everything works. Now let's try to break it.

Understanding how attackers target authentication isn't about becoming a hacker. It's about seeing your own code through an adversary's eyes. Every defense we've discussed in this module — short-lived tokens, PKCE, sameSite cookies — was created in response to a specific attack technique. Knowing the attacks helps you understand why the defenses matter and recognize when they're missing.

CSRF — Cross-Site Request Forgery

CSRF exploits the fact that browsers automatically send cookies with every request to a domain, regardless of which site initiated the request.
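To make the mechanism concrete, here is an added example (not code from the original lesson) that models the two halves of the problem: a tiny simulation of when a browser attaches a cookie to a request for a hypothetical site `https://bank.example` under each SameSite setting, and a server-side check that rejects a state-changing request unless the Origin header matches and a per-session anti-CSRF token is presented. The Lax model is simplified to "GET only" in place of the full top-level-navigation rule.

```python
import hmac
import secrets
from dataclasses import dataclass, field

SITE = "https://bank.example"  # hypothetical site the user is logged in to


@dataclass
class Request:
    method: str
    origin: str                          # Origin header; "" if the browser sent none
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def browser_attaches_cookie(samesite: str, initiator: str, method: str) -> bool:
    """Model whether a browser sends SITE's cookie on a request started by `initiator`.

    "None": cookie rides along from any site (the behaviour CSRF relies on).
    "Lax":  cross-site requests get the cookie only on safe navigations (GET here).
    "Strict": never attached to a cross-site request.
    """
    if initiator == SITE or samesite == "None":
        return True
    if samesite == "Lax":
        return method == "GET"
    return False  # Strict


def issue_csrf_token(session: dict) -> str:
    """Mint a random per-session token and remember it server-side (synchronizer token)."""
    token = secrets.token_urlsafe(32)
    session["csrf"] = token
    return token


def is_request_allowed(req: Request, session: dict) -> bool:
    """Allow a state-changing request only if it is not cross-origin and carries the token."""
    if req.method in ("GET", "HEAD", "OPTIONS"):
        return True                       # safe methods must not change state anyway
    if req.origin and req.origin != SITE:
        return False                      # explicit Origin from another site: forged
    expected = session.get("csrf")
    submitted = req.form.get("csrf_token", "")
    # constant-time comparison so the token cannot be guessed byte by byte via timing
    return bool(expected) and hmac.compare_digest(expected, submitted)
```

The forged request in the test below carries the session cookie (exactly as the paragraph describes) yet is still rejected, because the attacker's page cannot read the token and its Origin is wrong.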

The attack: You're logged
