陌讯skills聚合平台

pentest-authentication-authorization-review

📁 crtvrffnrt/skills 📅 9 days ago
10
总安装量
10
周安装量
#29637
全站排名
安装命令
npx skills add https://github.com/crtvrffnrt/skills --skill pentest-authentication-authorization-review

Agent 安装分布

gemini-cli 10
amp 8
github-copilot 8
codex 8
kimi-cli 8
opencode 8

Skill 文档

Authentication & Authorization Review

Activation Triggers (Positive)

  • auth
  • session
  • token
  • mfa
  • idor
  • bola
  • bfla
  • privilege escalation
  • tenant isolation

Exclusion Triggers (Negative)

  • recon only
  • injection fuzzing only
  • write report only

Output Schema

  • Access-control matrix: actor, resource, action, expected, observed
  • Session/token lifecycle findings: issued, replayed, revoked, result
  • Confirmed boundary breaks with attacker capability statement

Instructions

  1. Define identity roles and expected permissions before testing.
  2. Validate both horizontal and vertical boundaries with paired-role comparisons.
  3. Test session and token invalidation across interfaces and time windows.
  4. Confirm authorization at object, function, and workflow levels.
  5. Distinguish authentication weakness from authorization weakness in output.
  6. Escalate only confirmed boundary failures into exploit chaining.

Should Do

  • Use explicit role-to-action test cases.
  • Capture full evidence for accepted and denied control paths.
  • Verify revocation behavior, not just issuance behavior.

Should Not Do

  • Do not infer access-control findings from UI behavior alone.
  • Do not conflate missing data with denied access.
  • Do not mark privilege escalation without deterministic proof of crossed boundary.
GitHub 仓库 ↗ ← 返回陌讯 Skills 聚合平台
本页面由 陌讯 Skills 聚合平台 收录整理,数据定期更新。