auth-sec

SKILL.md

Authentication and Authorization Router

This is the routing entry point for authentication, sessions, and authorization boundaries.

Use it to decide whether the issue is mainly login mechanics, object-level authorization, browser trust boundaries, or identity protocols such as OAuth/JWT/SAML before going deeper.

When to Use

The target includes login, registration, password reset, 2FA, sessions, JWT, OAuth, or SSO

You suspect object authorization flaws, cross-tenant access, cross-origin reads, CSRF, or protocol misconfiguration

You need to decide whether to test authentication or authorization first

Skill Map

Authentication Bypass: login bypass, password reset, 2FA, enumeration, brute-force protections

IDOR Broken Object Authorization: IDOR, BOLA, BFLA, missing object permissions

JWT OAuth Token Attacks: algorithm confusion, key trust issues, claim abuse, token forgery

OAuth OIDC Misconfiguration: redirect URI, state, nonce, PKCE, account binding

CSRF Cross Site Request Forgery: CSRF tokens, SameSite, JSON CSRF, login CSRF

CORS Cross Origin Misconfiguration: reflected Origin, credentialed cross-origin reads, allowlist bypass

SAML SSO Assertion Attacks: assertion wrapping, signature validation, audience, ACS boundaries

Recommended Flow

First confirm the authentication model and session boundaries

Then confirm object-level and function-level authorization

Then move to token, cross-origin, and protocol details

If enterprise federation exists, continue with OAuth, OIDC, or SAML topics

Related Categories

api-sec

Default credentials, username variants, wordlist sizing, and port focus are consolidated in authbypass-authentication-flaws