返回 Skill 列表
extension
分类: 开发与工程无需 API Key

pentest-authentication-authorization-review

安全评估技能,用于身份验证和授权控制。当提示包括会话处理、令牌滥用、MFA弱点、账户接管、IDOR/BOLA/BFLA、权限提升、租户隔离或身份边界验证时使用。当任务仅为通用侦察、纯粹的解析器模糊测试或仅最终报告编写时,请勿使用。

person作者: jakexiaohubgithub

Authentication & Authorization Review

Use When

  • Session replay, token lifecycle, MFA behavior, account takeover, tenant isolation, or identity-boundary validation is the main question.
  • The task needs paired-role testing for object, function, or workflow authorization.
  • The next step is to distinguish authentication failure from authorization failure.

Handoff Criteria

  • Hand off to pentest-advanced-access-control-auditor for a deep IDOR, BOLA, BFLA, RBAC, or ownership test matrix.
  • Hand off to pentest-input-protocol-manipulation when parser behavior or request mutation becomes the owner blocker.
  • Hand off to pentest-evidence-structuring-report-synthesis when live validation is complete.

Output Schema

  • Access-control matrix: actor, resource, action, expected, observed
  • Session/token lifecycle findings: issued, replayed, revoked, result
  • Confirmed boundary breaks with attacker capability statement

Instructions

  1. Define identity roles and expected permissions before testing.
  2. Validate both horizontal and vertical boundaries with paired-role comparisons.
  3. Test session and token invalidation across interfaces and time windows.
  4. Confirm authorization at object, function, and workflow levels.
  5. Distinguish authentication weakness from authorization weakness in output.
  6. Escalate only confirmed boundary failures into exploit chaining.

Verification Gate

  • Use explicit role-to-action test cases.
  • Capture full evidence for accepted and denied control paths.
  • Verify revocation behavior, not just issuance behavior.
  • Do not infer access-control findings from UI behavior alone.
  • Do not conflate missing data with denied access.
  • Mark privilege escalation only with deterministic proof of a crossed boundary.

Situational Awareness

  • Cross-check high-impact authz claims with an alternate role, alternate object, alternate method, or alternate interface.
  • Track confirmed, rejected, and unknown role/action pairs separately.