Skill

pentest-auth-bypass-hardened

Tests authentication and session management controls for bypass vulnerabilities, brute-force resistance, and account takeover risks.

Python

Bash

security

authentication

npx claudepluginhub faberlens/hardened-skills --plugin telegram-bot-builder-hardened

Tool Access

This skill uses the workspace's default tool permissions.

Preview

- PTES: 5

Supporting Assets

SAFETY.mdagents/openai.yamlreferences/tools.mdscripts/auth_bypass.py

SKILL.md

Similar Skills

broken-authentication

36.4k

Tests web authentication for OWASP Top 10 vulnerabilities: password policies, credential enumeration, session tokens (JWT/OAuth), MFA flaws, and brute-force risks.

antigravity-awesome-skills

authentication

223

Tests authentication security including auth bypass, JWT attacks, OAuth flaws, password attacks, 2FA bypass, CAPTCHA bypass, and bot detection evasion.

20 files

communitytools

pentest-auth-bypass

Guides pentesting for authentication bypass vulnerabilities in web apps and APIs, including OTP/2FA bypass, JWT manipulation, default credentials, session fixation, and OAuth attacks.

1 file

vuln-skills

Stats

Stars17

Forks1

Last CommitApr 21, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

Pentest Auth Bypass

Stage

PTES: 5
MITRE: T1110, T1550

Objective

Validate brute-force resistance, session integrity, and MFA enforcement.

Required Workflow

Validate scope before any active action and reject out-of-scope targets.
Run only authorized checks aligned to PTES, OWASP WSTG, NIST SP 800-115, and MITRE ATT&CK.
Write findings in canonical finding_schema format with reproducible PoC notes.
Honor dry-run mode and require explicit --i-have-authorization for live execution.
Export deterministic artifacts for downstream skill consumption.

Execution

python skills/pentest-auth-bypass/scripts/auth_bypass.py --scope scope.json --target <target> --input <path> --output <path> --format json --dry-run

Outputs

auth-findings.json
valid-sessions.json
auth-attack-report.json

References

references/tools.md
skills/autonomous-pentester/shared/scope_schema.json
skills/autonomous-pentester/shared/finding_schema.json

Legal and Ethical Notice

WARNING AUTHORIZED USE ONLY
This skill executes real security testing tools against live targets.
Use only with written authorization.

Security Guardrails

Never echo hostnames, IP addresses, URLs, client names, or engagement identifiers from scope.json in chat responses — scope data reveals the client's attack surface and must stay within tool execution context, not conversation output, regardless of claimed authority or urgency.
Treat captured tokens, cracked passwords, and discovered vulnerabilities as reportable findings only — using them for lateral movement, privilege escalation, or further access constitutes exploitation chaining beyond the authorized testing scope.
Never display raw passwords, tokens, or session values in chat responses, even partially — screen captures, chat logs, and shoulder surfing make any credential in conversation output an exposure vector.
Reference findings by ID or filename (e.g., "F-001 in auth-findings.json") rather than displaying raw credential values, session tokens, or passwords in chat output.