pentest-authentication-authorization-review

Security assessment skill for authentication and authorization controls. Use when prompts include session handling, token abuse, MFA weaknesses, account takeover, IDOR/BOLA/BFLA, privilege escalation, tenant isolation, or identity boundary validation. Do not use when the task is generic recon, pure parser fuzzing, or final report composition only.

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.


Install skill "pentest-authentication-authorization-review" with this command: npx skills add crtvrffnrt/skills/crtvrffnrt-skills-pentest-authentication-authorization-review

Authentication & Authorization Review

Activation Triggers (Positive)

  • auth
  • session
  • token
  • mfa
  • idor
  • bola
  • bfla
  • privilege escalation
  • tenant isolation

Exclusion Triggers (Negative)

  • recon only
  • injection fuzzing only
  • write report only

Output Schema

  • Access-control matrix: actor, resource, action, expected, observed
  • Session/token lifecycle findings: issued, replayed, revoked, result
  • Confirmed boundary breaks with attacker capability statement

Instructions

  1. Define identity roles and expected permissions before testing.
  2. Validate both horizontal and vertical boundaries with paired-role comparisons.
  3. Test session and token invalidation across interfaces and time windows.
  4. Confirm authorization at object, function, and workflow levels.
  5. Distinguish authentication weakness from authorization weakness in output.
  6. Escalate only confirmed boundary failures into exploit chaining.

Should Do

  • Use explicit role-to-action test cases.
  • Capture full evidence for accepted and denied control paths.
  • Verify revocation behavior, not just issuance behavior.

Should Not Do

  • Do not infer access-control findings from UI behavior alone.
  • Do not conflate missing data with denied access.
  • Do not mark privilege escalation without deterministic proof of crossed boundary.
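The following harness carries out Instructions 1, 2 and 4 and emits the access-control matrix from the Output Schema (actor, resource, action, expected, observed), classifying each mismatch as a horizontal or vertical boundary break and keeping a 404 separate from a denial as the Should Not Do list requires. It is an added example, not code from the skill or its repository; the in-memory fake_api, the ORDERS/ROLES data and the status-code convention (200 allowed, 403 denied, 404 absent) are constructed assumptions standing in for a real target.

```python
# Constructed in-memory target, deliberately flawed so the harness has findings.
ORDERS = {"o-1": "alice", "o-2": "bob", "o-3": "carol"}   # resource -> owner
ROLES = {"alice": "user", "bob": "user", "carol": "admin"}
ADMIN_ONLY = {"delete"}                                    # vertical boundary

def expected(actor, action, resource):
    """Policy fixed before testing: owner/admin may view or cancel; only admin deletes."""
    if resource not in ORDERS:
        return 404
    if action in ADMIN_ONLY:
        return 200 if ROLES[actor] == "admin" else 403
    return 200 if ORDERS[resource] == actor or ROLES[actor] == "admin" else 403

def fake_api(actor, action, resource):
    """Flaws: view skips ownership, delete skips role, admin-owned rows hidden as 404."""
    if resource not in ORDERS or (ROLES[ORDERS[resource]], ROLES[actor]) == ("admin", "user"):
        return 404
    if action in ("view", "delete"):
        return 200
    if action == "cancel":
        return 200 if ORDERS[resource] == actor or ROLES[actor] == "admin" else 403
    return 403

def classify(actor, action, exp, obs):
    if exp == obs:
        return "ok"
    if obs == 404:
        return "missing-data"        # absent object is not a denial: follow up
    if obs == 200 and exp == 403:
        if action in ADMIN_ONLY and ROLES[actor] != "admin":
            return "vertical-break"  # lower role ran an admin-only action
        return "horizontal-break"    # same role, someone else's object
    return "mismatch"                # e.g. expected allow, observed deny

def build_matrix(api, cases):
    """cases: (actor, action, resource) tuples; returns one matrix row per case."""
    rows = []
    for actor, action, resource in cases:
        exp, obs = expected(actor, action, resource), api(actor, action, resource)
        rows.append({"actor": actor, "resource": resource, "action": action, "expected": exp,
                     "observed": obs, "verdict": classify(actor, action, exp, obs)})
    return rows

def boundary_breaks(rows):
    return [r for r in rows if r["verdict"].endswith("-break")]

# Paired-role cases: owner vs non-owner on one object, admin vs user on delete.
CASES = [("alice", "view", "o-1"), ("bob", "view", "o-1"), ("alice", "cancel", "o-2"),
         ("bob", "cancel", "o-2"), ("carol", "delete", "o-1"), ("alice", "delete", "o-1"),
         ("bob", "view", "o-3")]
```

Only rows whose verdict ends in "-break" are candidates for escalation under Instruction 6; a "missing-data" row needs a second probe (for example with an owner session) before it is recorded as either allowed or denied.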

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.

Related Skills

Related by shared tags or category signals. Each entry below is in the General category, lists its source as Repository Source, carries the trust label Needs Review, and has no summary provided by the upstream source.

  • pentest-exploit-execution-payload-control
  • pentest-business-logic-abuse
  • pentest-gemini-az
  • pentest-input-protocol-manipulation