Auth Sec
Route authentication versus authorization testing so your agent picks the right deep-dive skill for login, JWT, OAuth, IDOR, or CSRF issues.
Overview
Auth-sec is an agent skill for the Ship phase that routes authentication and authorization testing to the correct specialized topic skill before deeper exploitation.
Install
npx skills add https://github.com/yaklang/hack-skills --skill auth-secWhat is this skill?
- P1 category router—decide auth mechanics vs object-level authorization vs browser trust vs identity protocols first
- Maps to dedicated child skills: authentication bypass, IDOR/BOLA, JWT/OAuth attacks, OAuth OIDC misconfig, CSRF
- Triggers on login, registration, password reset, 2FA, sessions, JWT, OAuth, SSO, and cross-tenant suspicion
- Separates whether to test authentication or authorization before deeper exploitation
- Enterprise SSO and CORS boundary questions included in routing scope
- P1 category router with a multi-skill auth map including bypass, IDOR, JWT/OAuth, OAuth OIDC, and CSRF topics
Adoption & trust: 1.1k installs on skills.sh; 980 GitHub stars; 3/3 security scanners passed (skills.sh audits).
What problem does it solve?
Your app has login, tokens, or SSO and you do not know whether to prioritize session bypass, IDOR, OAuth misconfig, or CSRF first.
Who is it for?
Builders shipping multi-tenant SaaS or API products who use agents to organize security test coverage on auth surfaces.
Skip if: Greenfield prototypes with no auth yet—focus on build first; also not a substitute for legal penetration-test engagement on production.
When should I use this skill?
The target includes login, registration, password reset, 2FA, sessions, JWT, OAuth, or SSO; you suspect object authorization flaws, cross-tenant access, cross-origin reads, CSRF, or protocol misconfiguration; or you need
What do I get? / Deliverables
You get a clear auth-vs-authorization test order and pointers to the matching deep-dive skill in the hack-skills map for the next testing pass.
- Routing decision: authentication vs authorization priority
- Recommended next specialized hack-skills topic to load
Recommended Skills
Journey fit
Auth testing belongs on the ship/security shelf before launch or after material auth changes, when boundaries must be verified—not when you are still ideating features. Security subphase covers pre-release hardening and structured offensive checks on identity and access controls.
How it compares
A taxonomy router inside a skill package, not a single-purpose MCP scanner or CI secret linter.
Common Questions / FAQ
Who is auth-sec for?
Solo developers and small teams responsibly testing their own web apps, APIs, and agent tools that implement login, sessions, or federated identity.
When should I use auth-sec?
Use it in Ship security when you are about to test login flows, JWT or OAuth setups, object-level permissions, CSRF, or SSO—before loading bypass, IDOR, or token-attack playbooks.
Is auth-sec safe to install?
It describes offensive security methodology; only use on systems you are authorized to test and review the Security Audits panel on this Prism page before install.
SKILL.md
READMESKILL.md - Auth Sec
# Authentication and Authorization Router This is the routing entry point for authentication, sessions, and authorization boundaries. Use it to decide whether the issue is mainly login mechanics, object-level authorization, browser trust boundaries, or identity protocols such as OAuth/JWT/SAML before going deeper. ## When to Use - The target includes login, registration, password reset, 2FA, sessions, JWT, OAuth, or SSO - You suspect object authorization flaws, cross-tenant access, cross-origin reads, CSRF, or protocol misconfiguration - You need to decide whether to test authentication or authorization first ## Skill Map - [Authentication Bypass](../authbypass-authentication-flaws/SKILL.md): login bypass, password reset, 2FA, enumeration, brute-force protections - [IDOR Broken Object Authorization](../idor-broken-object-authorization/SKILL.md): IDOR, BOLA, BFLA, missing object permissions - [JWT OAuth Token Attacks](../jwt-oauth-token-attacks/SKILL.md): algorithm confusion, key trust issues, claim abuse, token forgery - [OAuth OIDC Misconfiguration](../oauth-oidc-misconfiguration/SKILL.md): redirect URI, state, nonce, PKCE, account binding - [CSRF Cross Site Request Forgery](../csrf-cross-site-request-forgery/SKILL.md): CSRF tokens, SameSite, JSON CSRF, login CSRF - [CORS Cross Origin Misconfiguration](../cors-cross-origin-misconfiguration/SKILL.md): reflected Origin, credentialed cross-origin reads, allowlist bypass - [SAML SSO Assertion Attacks](../saml-sso-assertion-attacks/SKILL.md): assertion wrapping, signature validation, audience, ACS boundaries ## Recommended Flow 1. First confirm the authentication model and session boundaries 2. Then confirm object-level and function-level authorization 3. Then move to token, cross-origin, and protocol details 4. If enterprise federation exists, continue with OAuth, OIDC, or SAML topics ## Related Categories - [api-sec](../api-sec/SKILL.md) - Default credentials, username variants, wordlist sizing, and port focus are consolidated in [authbypass-authentication-flaws](../authbypass-authentication-flaws/SKILL.md)