Authentication Testing Skill

Comprehensive authentication testing framework for authorized penetration testing engagements. Tests signup flows, login mechanisms, 2FA/OTP handling, CAPTCHA implementations, and bot detection systems using Playwright automation.

Quick Start

Authentication Testing Workflow:
- [ ] Verify authorization and scope
- [ ] Initialize Playwright browser session
- [ ] Test signup flow (account creation)
- [ ] Test login mechanism (authentication)
- [ ] Test 2FA/OTP bypass vectors
- [ ] Test CAPTCHA implementation
- [ ] Test bot detection evasion
- [ ] Document findings and evidence

When to Use

Invoke during authorized penetration testing when testing:

• Authentication and authorization controls
• Account creation and registration flows
• Multi-factor authentication (MFA/2FA) implementations
• CAPTCHA and anti-bot protections
• Session management and token handling
• Behavioral biometrics and bot detection

Core Workflows

Workflow 1: Account Registration Testing

Objective: Test signup flows and account creation mechanisms

Steps:
1. Navigate to registration page
2. Analyze form fields and validation
3. Test with valid credentials
4. Test with random/generated data
5. Check for verification requirements
6. Document registration vulnerabilities

Common Test Vectors:

• Email verification bypass
• Weak password policy
• Missing rate limiting
• Duplicate account creation
• Parameter manipulation

See SIGNUP_TESTING.md for detailed techniques.

Workflow 2: Login Mechanism Testing

Objective: Test authentication flows and credential validation

Steps:
1. Navigate to login page
2. Test with valid credentials
3. Test credential reuse
4. Check session handling
5. Test account enumeration
6. Analyze authentication tokens

Test Scenarios:

• Broken authentication
• Session fixation
• Insecure session management
• Account enumeration
• Timing attacks

See LOGIN_TESTING.md for comprehensive guide.

Workflow 3: 2FA/OTP Bypass Testing

Objective: Test multi-factor authentication implementations

Steps:
1. Enable 2FA on test account
2. Trigger OTP/2FA code generation
3. Test bypass vectors:
   - Response manipulation
   - Direct endpoint access
   - Code reusability
   - Brute force (rate limiting)
   - Predictable code generation
   - Session persistence
4. Document findings

Bypass Techniques:

• Response manipulation (status code changes)
• OTP parameter removal
• Direct API endpoint access
• Code reuse without expiration
• Brute force 4-digit codes
• Session hijacking pre-2FA

See 2FA_BYPASS.md for all techniques.

Workflow 4: CAPTCHA Testing

Objective: Test CAPTCHA implementation and bypass vectors

Steps:
1. Identify CAPTCHA type (reCAPTCHA, hCaptcha, image-based)
2. Test bypass techniques:
   - Missing server-side validation
   - Parameter removal
   - Reusable tokens
   - Empty field submission
   - HTTP header manipulation
   - Content-type conversion
   - Request method modification
3. Test OCR/automation (if image-based)
4. Document weaknesses

CAPTCHA Types:

• Google reCAPTCHA v2/v3
• hCaptcha
• Image-based puzzles
• Text-based challenges
• Behavioral CAPTCHAs

See CAPTCHA_BYPASS.md for detailed methods.

Workflow 5: Bot Detection Evasion

Objective: Test behavioral biometrics and anti-bot systems

Steps:
1. Identify bot detection mechanisms
2. Simulate human behavioral patterns:
   - Mouse movements (natural curves, pauses)
   - Keystroke dynamics (varied timing)
   - Scroll patterns (realistic acceleration)
   - Touch interactions (mobile)
   - Random delays between actions
3. Test detection bypass:
   - User-Agent rotation
   - Fingerprint randomization
   - Browser automation detection evasion
   - Behavioral biometric mimicry
4. Measure detection rates

Detection Systems:

• Behavioral biometrics
• Canvas fingerprinting
• WebGL fingerprinting
• Browser automation detection
• Mouse/touch pattern analysis

See BOT_DETECTION.md for evasion techniques.

Playwright Integration

CRITICAL: Use Playwright MCP server for all browser automation.

Initialize Browser

// Navigate to target
await playwright_navigate({ url: "https://target.com/login" });

// Take snapshot
await playwright_snapshot();

Human-Like Interactions

// Natural mouse movement to element
await playwright_hover({
  element: "username field",
  ref: "input#username"
});

// Realistic typing with delays
await playwright_type({
  element: "username field",
  ref: "input#username",
  text: "testuser",
  slowly: true  // Types one character at a time
});

// Random delay (50-150ms)
await playwright_evaluate({
  function: "() => new Promise(r => setTimeout(r, Math.random() * 100 + 50))"
});

Capture Evidence

// Screenshot before action
await playwright_take_screenshot({
  filename: "before-login.png"
});

// Perform action
await playwright_click({
  element: "login button",
  ref: "button[type='submit']"
});

// Screenshot after action
await playwright_take_screenshot({
  filename: "after-login.png"
});

// Check console for errors
await playwright_console_messages({ level: "error" });

// Check network requests
await playwright_network_requests();

Behavioral Biometrics Simulation

Mouse Movement Patterns

// Simulate natural mouse trajectory
function simulateNaturalMovement(start, end, steps = 50) {
  const points = [];
  for (let i = 0; i <= steps; i++) {
    const t = i / steps;
    // Add Bezier curve for natural path
    const x = start.x + (end.x - start.x) * easeInOutQuad(t);
    const y = start.y + (end.y - start.y) * easeInOutQuad(t);
    // Add slight randomness
    const noise = {
      x: (Math.random() - 0.5) * 2,
      y: (Math.random() - 0.5) * 2
    };
    points.push({ x: x + noise.x, y: y + noise.y });
  }
  return points;
}

Keystroke Dynamics

// Variable typing speed (80-200ms between keys)
async function typeWithHumanTiming(text, element) {
  for (const char of text) {
    await playwright_type({
      element: element,
      ref: elementRef,
      text: char,
      slowly: true
    });
    // Random delay between keystrokes
    const delay = 80 + Math.random() * 120;
    await sleep(delay);
  }
}

Scroll Behavior

// Natural scrolling with acceleration/deceleration
await playwright_evaluate({
  function: `() => {
    window.scrollTo({
      top: ${targetY},
      behavior: 'smooth'
    });
    // Add micro-pauses during scroll
    return new Promise(resolve => {
      setTimeout(resolve, 500 + Math.random() * 500);
    });
  }`
});

OTP/Email Handling

Access Email for 2FA Codes

Requirements:

• Email access (IMAP, API, or test email service)
• OTP extraction pattern matching

# Example: Extract OTP from email
import imaplib
import re

def get_otp_from_email(email, password, from_address):
    mail = imaplib.IMAP4_SSL('imap.gmail.com')
    mail.login(email, password)
    mail.select('inbox')

    # Search for recent emails from service
    _, messages = mail.search(None, f'FROM "{from_address}"')

    # Get latest email
    latest_email_id = messages[0].split()[-1]
    _, msg = mail.fetch(latest_email_id, '(RFC822)')

    # Extract OTP (6-digit code pattern)
    body = msg[0][1].decode('utf-8')
    otp_match = re.search(r'\b\d{6}\b', body)

    return otp_match.group(0) if otp_match else None

Note: For testing, use disposable email services or dedicated test accounts.

Common Authentication Vulnerabilities

Critical Findings

Broken Authentication:

• Weak password policies
• Credential stuffing vulnerabilities
• Session fixation
• Insecure password reset

2FA Bypass:

• Missing server-side validation
• Predictable OTP codes
• Code reusability
• Direct endpoint access

CAPTCHA Bypass:

• Client-side only validation
• Reusable tokens
• Missing rate limiting
• OCR-vulnerable images

Bot Detection Bypass:

• Weak behavioral checks
• Fingerprint detection failures
• Automation detection bypass

Output Format

outputs/authenticating/<target>/
├── signup/
│   ├── account_created.json
│   ├── registration_flow.md
│   └── evidence/
│       ├── signup-form.png
│       └── email-verification.png
├── login/
│   ├── session_tokens.json
│   ├── authentication_flow.md
│   └── evidence/
├── 2fa/
│   ├── bypass_attempts.json
│   ├── otp_codes.txt
│   └── evidence/
├── captcha/
│   ├── bypass_methods.json
│   ├── captcha_tokens.txt
│   └── evidence/
└── findings/
    ├── vulnerabilities.json
    ├── authentication_report.md
    └── poc_scripts/

Testing Checklist

Pre-Test

• Scope defined and documented
• Test accounts created (not real users)
• Playwright MCP server configured
• Email access configured (for OTP)

During Test

• Signup flow tested
• Login mechanism tested
• 2FA bypass vectors tested
• CAPTCHA implementation tested
• Bot detection tested
• Session management tested
• Evidence captured (screenshots, network logs)

Post-Test

• Findings documented
• PoC scripts created
• Vulnerabilities categorized (CVSS)
• Remediation recommendations provided
• Test accounts cleaned up

Tools & Resources

Playwright MCP – Browser automation Email APIs – OTP extraction (IMAP, Gmail API, test services) Proxy/VPN – IP rotation for rate limit testing OCR Tools – Image-based CAPTCHA solving Fingerprint Generators – Canvas/WebGL randomization

Remediation Guidance

For Defenders:

• Implement server-side validation for all authentication steps
• Use strong CAPTCHA (reCAPTCHA v3 with scoring)
• Implement rate limiting on authentication endpoints
• Use cryptographically secure OTP generation
• Enforce OTP expiration and one-time use
• Implement behavioral biometrics with ML
• Monitor for automation patterns
• Use device fingerprinting
• Implement account lockout policies

Legal & Ethical Considerations

Authorization Documentation:

• Maintain written permission for all testing
• Document scope boundaries
• Log all testing activities
• Report findings responsibly

Test Account Management:

• Create dedicated test accounts if necessary
• Clean up test accounts after testing
• Minimize data exposure

Responsible Disclosure:

• Report findings to system owner
• Allow reasonable remediation time
• Follow coordinated disclosure timeline
• Respect confidentiality agreements

Troubleshooting

Playwright not connecting: Verify MCP server running and configured CAPTCHA always failing: May have strong bot detection, try behavioral simulation 2FA codes not received: Check email configuration and spam folder Bot detection triggering: Increase delays, use better behavioral patterns Session persistence issues: Clear cookies between test runs

References

• CAPTCHA Bypass Techniques
• 2FA Bypass Methods
• Behavioral Biometrics Research
• Bot Detection in 2026
• Pentesting 2FA

For detailed techniques, see reference/ directory:

• SIGNUP_TESTING.md
• LOGIN_TESTING.md
• 2FA_BYPASS.md
• CAPTCHA_BYPASS.md
• BOT_DETECTION.md
• BEHAVIORAL_BIOMETRICS.md