Stats
Actions
Tags
Help us improve
Share bugs, ideas, or general feedback.
From appsec
Analyzes source code for broken access control vulnerabilities including missing authorization checks, IDOR, CORS misconfiguration, JWT manipulation, directory traversal, and privilege escalation.
npx claudepluginhub florianbuetow/claude-code --plugin appsecHow this skill is triggered — by the user, by Claude, or both
Slash command
/appsec:access-controlThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Analyze source code for broken access control vulnerabilities including missing
Detects missing ownership checks, broken role enforcement, and IDOR vulnerabilities in authorization code. Use when implementing access control middleware or resource ownership checks.
Audits IAM policies, RBAC, ACLs, file permissions, and API authorization for vulnerabilities, privilege escalation paths, and least privilege violations.
Audits web applications and REST APIs for OWASP Top 10 vulnerabilities including broken access control, authentication failures, data protection, and configuration issues. Use when reviewing code, auth/authz, APIs, or before deployment.
Share bugs, ideas, or general feedback.
Analyze source code for broken access control vulnerabilities including missing authorization checks, insecure direct object references, CORS misconfiguration, JWT manipulation, directory traversal, and privilege escalation.
Read ../../shared/schemas/flags.md for the full flag specification. This skill
supports all cross-cutting flags. Key flags for this skill:
--scope determines which files to analyze (default: changed)--depth standard reads code and checks middleware chains--depth deep traces authorization across call graphs and middleware stacks--severity filters output (access control issues are often high or critical)Read ../../shared/frameworks/owasp-top10-2021.md, section A01:2021 - Broken
Access Control, for the full category description, common vulnerabilities, and
prevention guidance.
Key CWEs in scope:
Read references/detection-patterns.md for the full catalog of code patterns,
search heuristics, language-specific examples, and false positive guidance.
Parse flags and resolve the file list per ../../shared/schemas/flags.md.
Filter to files likely to contain access control logic:
**/routes/**, **/controllers/**, **/handlers/**)**/middleware/**, **/middlewares/**)**/auth/**, **/authz/**, **/policies/**, **/guards/**)**/api/**, **/endpoints/**)Detect scanners per ../../shared/schemas/scanners.md:
semgrep — primary scanner for access control patternsbandit — Python-specific authorization issuesbrakeman — Rails mass assignment and authorization bypassesRecord which scanners are available and which are missing.
If semgrep is available, run with rules targeting access control:
semgrep scan --config auto --json --quiet <target>
Filter results to rules matching access control, authorization, CORS, JWT, and IDOR patterns. Normalize output to the findings schema.
Regardless of scanner availability, perform manual code analysis:
When --depth deep, additionally trace:
Format output per ../../shared/schemas/findings.md using the AC prefix
(e.g., AC-001, AC-002).
Include for each finding:
These are the high-signal patterns specific to broken access control. Each
maps to a detection pattern in references/detection-patterns.md.
Routes without authorization middleware — Endpoints that handle sensitive data or mutations but have no auth middleware in their chain.
Direct object references without ownership — Database lookups using
req.params.id or similar without filtering by the authenticated user.
CORS wildcard or reflection — Access-Control-Allow-Origin: * or
reflecting the Origin header without validation, especially with credentials.
JWT claims used without verification — Reading JWT payload without verifying signature, or trusting client-supplied role/permission claims.
Path traversal via user input — File operations using user-supplied paths without canonicalization or allowlist validation.
Missing function-level access control — Admin endpoints accessible to regular users, or API actions without role verification.
Forced browsing to predictable URLs — Sequential IDs or predictable resource paths without authorization checks.
Horizontal privilege escalation — Users can access other users' data by changing an identifier, with no server-side ownership verification.
| Scanner | Coverage | Command |
|---|---|---|
| semgrep | IDOR, missing auth middleware, CORS, JWT issues | semgrep scan --config auto --json --quiet <target> |
| bandit | Python authorization patterns | bandit -r <target> -f json -q |
| brakeman | Rails mass assignment, authorization | brakeman -q -f json -o /dev/stdout |
Fallback (no scanner): Use Grep with patterns from references/detection-patterns.md
to find route definitions, database queries with user-controlled IDs, CORS headers,
and JWT decode calls. Report findings with confidence: medium.
Relevant semgrep rule categories:
python.django.security.audit.unvalidated-*javascript.express.security.audit.missing-auth-*java.spring.security.audit.missing-authorizationgeneric.cors.security.wildcard-originUse the findings schema from ../../shared/schemas/findings.md.
AC (e.g., AC-001)access-controlowaspA01A01:2021E (Elevation of Privilege) or I (Information Disclosure)Severity guidance for this category: