Skill

access-control

This skill should be used when the user asks to "check for access control issues", "analyze authorization", "find IDOR vulnerabilities", "audit CORS configuration", "check for privilege escalation", or mentions "access control", "authorization", "IDOR", "CORS", "JWT tampering", or "directory traversal" in a security context. Maps to OWASP Top 10 2021 A01: Broken Access Control.

Install

npx claudepluginhub florianbuetow/claude-code --plugin appsec

Tool Access

This skill uses the workspace's default tool permissions.

Preview

Analyze source code for broken access control vulnerabilities including missing

Supporting Assets

references/detection-patterns.md

SKILL.md

Similar Skills

memory-forensics

Acquire memory dumps from live systems/VMs and analyze with Volatility 3 for processes, networks, DLLs, injections in incident response or malware hunts.

reverse-engineering

33.0k

binary-analysis-patterns

Provides x86-64/ARM disassembly patterns, calling conventions, control flow recognition for static analysis of executables and compiled binaries.

reverse-engineering

33.0k

anti-reversing-techniques

1 file

Identifies anti-debugging checks like IsDebuggerPresent, NtQueryInformationProcess in Windows binaries; suggests bypasses via patches/hooks/scripts for malware analysis, CTFs, authorized RE.

reverse-engineering

33.0k

Stats

Parent Repo Stars8

Parent Repo Forks0

Last CommitFeb 14, 2026

Actions

View Source View Plugin View on GitHub View README

Broken Access Control (A01:2021)

Analyze source code for broken access control vulnerabilities including missing authorization checks, insecure direct object references, CORS misconfiguration, JWT manipulation, directory traversal, and privilege escalation.

Supported Flags

Read ../../shared/schemas/flags.md for the full flag specification. This skill supports all cross-cutting flags. Key flags for this skill:

--scope determines which files to analyze (default: changed)
--depth standard reads code and checks middleware chains
--depth deep traces authorization across call graphs and middleware stacks
--severity filters output (access control issues are often high or critical)

Framework Context

Read ../../shared/frameworks/owasp-top10-2021.md, section A01:2021 - Broken Access Control, for the full category description, common vulnerabilities, and prevention guidance.

Key CWEs in scope:

CWE-200: Exposure of Sensitive Information
CWE-284: Improper Access Control
CWE-285: Improper Authorization
CWE-352: Cross-Site Request Forgery
CWE-639: Authorization Bypass Through User-Controlled Key (IDOR)
CWE-862: Missing Authorization
CWE-863: Incorrect Authorization

Detection Patterns

Read references/detection-patterns.md for the full catalog of code patterns, search heuristics, language-specific examples, and false positive guidance.

Workflow

1. Determine Scope

Parse flags and resolve the file list per ../../shared/schemas/flags.md. Filter to files likely to contain access control logic:

Route/controller definitions (**/routes/**, **/controllers/**, **/handlers/**)
Middleware files (**/middleware/**, **/middlewares/**)
Authorization modules (**/auth/**, **/authz/**, **/policies/**, **/guards/**)
API endpoint definitions (**/api/**, **/endpoints/**)
Configuration files for CORS, JWT, and session management

2. Check for Available Scanners

Detect scanners per ../../shared/schemas/scanners.md:

semgrep — primary scanner for access control patterns
bandit — Python-specific authorization issues
brakeman — Rails mass assignment and authorization bypasses

Record which scanners are available and which are missing.

3. Run Scanners (If Available)

If semgrep is available, run with rules targeting access control:

semgrep scan --config auto --json --quiet <target>

Filter results to rules matching access control, authorization, CORS, JWT, and IDOR patterns. Normalize output to the findings schema.

4. Claude Code Analysis

Regardless of scanner availability, perform manual code analysis:

Route inventory: Grep for route definitions and check each has authorization middleware.
Object access: Find database lookups using user-supplied IDs and verify ownership checks.
CORS config: Locate CORS configuration and check for wildcard or overly permissive origins.
JWT handling: Find JWT verification code and check that claims are validated.
Path handling: Find file path operations using user input and check for traversal prevention.
Role checks: Identify role-based decisions and verify they cover both horizontal and vertical access.

When --depth deep, additionally trace:

Full middleware chains from route to handler
Authorization decorator/annotation inheritance
Cross-service authorization delegation

5. Report Findings

Format output per ../../shared/schemas/findings.md using the AC prefix (e.g., AC-001, AC-002).

Include for each finding:

Severity and confidence
Exact file location with code snippet
Impact description specific to the access control failure
Concrete fix with diff when possible
CWE and OWASP references

What to Look For

These are the high-signal patterns specific to broken access control. Each maps to a detection pattern in references/detection-patterns.md.

Routes without authorization middleware — Endpoints that handle sensitive data or mutations but have no auth middleware in their chain.
Direct object references without ownership — Database lookups using req.params.id or similar without filtering by the authenticated user.
CORS wildcard or reflection — Access-Control-Allow-Origin: * or reflecting the Origin header without validation, especially with credentials.
JWT claims used without verification — Reading JWT payload without verifying signature, or trusting client-supplied role/permission claims.
Path traversal via user input — File operations using user-supplied paths without canonicalization or allowlist validation.
Missing function-level access control — Admin endpoints accessible to regular users, or API actions without role verification.
Forced browsing to predictable URLs — Sequential IDs or predictable resource paths without authorization checks.
Horizontal privilege escalation — Users can access other users' data by changing an identifier, with no server-side ownership verification.

Scanner Integration

Scanner	Coverage	Command
semgrep	IDOR, missing auth middleware, CORS, JWT issues	`semgrep scan --config auto --json --quiet <target>`
bandit	Python authorization patterns	`bandit -r <target> -f json -q`
brakeman	Rails mass assignment, authorization	`brakeman -q -f json -o /dev/stdout`

Fallback (no scanner): Use Grep with patterns from references/detection-patterns.md to find route definitions, database queries with user-controlled IDs, CORS headers, and JWT decode calls. Report findings with confidence: medium.

Relevant semgrep rule categories:

python.django.security.audit.unvalidated-*
javascript.express.security.audit.missing-auth-*
java.spring.security.audit.missing-authorization
generic.cors.security.wildcard-origin

Output Format

Use the findings schema from ../../shared/schemas/findings.md.

ID prefix: AC (e.g., AC-001)
metadata.tool: access-control
metadata.framework: owasp
metadata.category: A01
references.owasp: A01:2021
references.stride: E (Elevation of Privilege) or I (Information Disclosure)

Severity guidance for this category:

critical: Unauthenticated access to admin functions, mass IDOR exposing all user data
high: Authenticated IDOR, missing authorization on mutation endpoints, CORS with credentials + wildcard
medium: CORS misconfiguration without credentials, missing rate limiting on auth endpoints
low: Verbose error messages revealing authorization logic, minor forced browsing risks