Authentication & Authorization Review
Use When
- Session replay, token lifecycle, MFA behavior, account takeover, tenant isolation, or identity-boundary validation is the main question.
- The task needs paired-role testing for object, function, or workflow authorization.
- The next step is to distinguish authentication failure from authorization failure.
Handoff Criteria
- Hand off to
pentest-advanced-access-control-auditorfor a deep IDOR, BOLA, BFLA, RBAC, or ownership test matrix. - Hand off to
pentest-input-protocol-manipulationwhen parser behavior or request mutation becomes the owner blocker. - Hand off to
pentest-evidence-structuring-report-synthesiswhen live validation is complete.
Output Schema
- Access-control matrix:
actor,resource,action,expected,observed - Session/token lifecycle findings:
issued,replayed,revoked,result - Confirmed boundary breaks with attacker capability statement
Instructions
- Define identity roles and expected permissions before testing.
- Validate both horizontal and vertical boundaries with paired-role comparisons.
- Test session and token invalidation across interfaces and time windows.
- Confirm authorization at object, function, and workflow levels.
- Distinguish authentication weakness from authorization weakness in output.
- Escalate only confirmed boundary failures into exploit chaining.
Verification Gate
- Use explicit role-to-action test cases.
- Capture full evidence for accepted and denied control paths.
- Verify revocation behavior, not just issuance behavior.
- Do not infer access-control findings from UI behavior alone.
- Do not conflate missing data with denied access.
- Mark privilege escalation only with deterministic proof of a crossed boundary.
Situational Awareness
- Cross-check high-impact authz claims with an alternate role, alternate object, alternate method, or alternate interface.
- Track confirmed, rejected, and unknown role/action pairs separately.
微信扫一扫