Skill

auth-bypass

Detects authentication and authorization bypass vulnerabilities including missing auth middleware, JWT algorithm confusion, IDOR, and session fixation in web apps.

Javascript

Python

Ruby

security

authentication

npx claudepluginhub byamb4/find-cve-agent

Tool Access

This skill uses the workspace's default tool permissions.

Preview

Audit web frameworks, API gateways, admin panels, CMS systems, and any application with role-based access control.

Supporting Assets

references/false-positive-indicators.mdreferences/poc-skeleton.mdreferences/sinks.md

SKILL.md

Similar Skills

vuln-patterns-auth-bypass

Audits Python code for authentication bypass vulnerabilities in permission checks, DRF views, JWT/token validation, decorators, middleware, and SSO/OAuth flows. Covers CWE-285/287/863.

1 file

vuln-skills

auth-analyzer

Analyzes auth mechanisms (passwords/sessions/JWT/OAuth/MFA) and authz patterns (RBAC/ABAC/ACL) for vulnerabilities like bypasses, hijacking, broken access control; reports with OWASP/NIST remediation.

devkit

broken-access-control

Flags broken access control vulnerabilities including missing ownership checks, IDOR, role enforcement gaps, and insecure middleware. Suggests fixes with gates, middleware, and 404 responses.

soundcheck

Stats

Stars18

Forks2

Last CommitMar 20, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

Authentication/Authorization Bypass Detection

When to Use

Audit web frameworks, API gateways, admin panels, CMS systems, and any application with role-based access control.

Process

Step 1: Map ALL Routes

# Express.js
grep -rn "app\.get\|app\.post\|app\.put\|app\.delete\|app\.patch\|router\." .

# Django
grep -rn "path(\|url(\|urlpatterns" .

# Flask
grep -rn "@app\.route\|@blueprint\.route" .

# Go
grep -rn "HandleFunc\|Handle\|mux\.\|router\." .

# Rails
grep -rn "get \|post \|put \|delete \|patch " config/routes.rb

Step 2: Map Auth Middleware

# Express
grep -rn "isAuthenticated\|requireAuth\|authMiddleware\|passport\|jwt\.verify" .
grep -rn "app\.use(.*auth\|router\.use(.*auth" .

# Django
grep -rn "login_required\|permission_required\|@permission_classes\|IsAuthenticated" .

# Flask
grep -rn "login_required\|@jwt_required\|current_user" .

# Go
grep -rn "AuthMiddleware\|RequireAuth\|WithAuth" .

# Rails
grep -rn "before_action.*authenticate\|before_action.*authorize" .

Step 3: Cross-Reference Routes vs Auth

For EACH route, verify:

Is auth middleware applied?
Is it the RIGHT auth level? (user vs admin)
Is it applied to ALL HTTP methods? (GET might be protected but PUT is not)
Are there any conditional bypasses?

Step 4: Check for Common Bypass Patterns

# JWT issues
grep -rn "algorithms\|algorithm\|alg\|verify.*false\|verify.*False" .
grep -rn "jwt\.decode\|jwt\.verify\|jose\|jsonwebtoken" .

# Session fixation
grep -rn "session\.regenerate\|session\.destroy" .

# IDOR (missing ownership check)
grep -rn "findById\|findOne\|params\.id\|req\.params" .

Common Vulnerability Patterns

Missing Auth on Specific Routes

// Protected
app.get('/api/users', authMiddleware, getUsers);
// MISSING AUTH
app.get('/api/users/:id/export', exportUser);  // No middleware!

JWT Algorithm Confusion

// VULNERABLE: accepts algorithm from token header
jwt.verify(token, publicKey);  // If alg=HS256, public key used as HMAC secret

// SAFE: specifies allowed algorithms
jwt.verify(token, publicKey, { algorithms: ['RS256'] });

IDOR (Missing Ownership Check)

app.get('/api/documents/:id', auth, (req, res) => {
  // VULNERABLE: finds document by ID without checking owner
  const doc = await Document.findById(req.params.id);
  res.json(doc);
  
  // SAFE: checks ownership
  const doc = await Document.findOne({ _id: req.params.id, owner: req.user.id });
});

CVSS Guidance

Complete auth bypass (unauthenticated access to admin): CRITICAL 9.8
JWT algorithm confusion to forge tokens: CRITICAL 9.1
IDOR to access other users data: HIGH 7.5-8.1
Missing auth on non-sensitive endpoint: LOW 3.1
Session fixation: MEDIUM 5.4

References

Sinks -- Auth patterns by framework
False Positive Indicators
PoC Skeleton