From security-research
Detect all authentication, authorization, and access control vulnerabilities — IDOR/BOLA, BFLA, privilege escalation, mass assignment, JWT issues, session management, OAuth/SAML, multi-tenant isolation, GraphQL introspection, and role hierarchy flaws. Consolidated detection skill for all auth/access patterns.
npx claudepluginhub pucagit/claude-plugin --plugin security-researchThis skill uses the workspace's default tool permissions.
Find every place where a user can access or modify resources they don't own, escalate privileges, bypass authentication/session controls, or exploit access control design flaws.
Generates design tokens/docs from CSS/Tailwind/styled-components codebases, audits visual consistency across 10 dimensions, detects AI slop in UI.
Records polished WebM UI demo videos of web apps using Playwright with cursor overlay, natural pacing, and three-phase scripting. Activates for demo, walkthrough, screen recording, or tutorial requests.
Delivers idiomatic Kotlin patterns for null safety, immutability, sealed classes, coroutines, Flows, extensions, DSL builders, and Gradle DSL. Use when writing, reviewing, refactoring, or designing Kotlin code.
Find every place where a user can access or modify resources they don't own, escalate privileges, bypass authentication/session controls, or exploit access control design flaws.
Before hunting, read references/cool_techniques.md for applicable auth detection techniques learned from previous audits. Apply any relevant techniques during your analysis.
| Category | Sub-Types |
|---|---|
| Missing Auth | Endpoints accessible without login, missing auth decorators |
| IDOR / BOLA | Resource fetched/modified by ID without ownership check |
| BFLA | Admin/privileged functions accessible by lower-privilege users |
| Privilege Escalation | Horizontal (User A → B), vertical (user → admin) |
| Mass Assignment | Role/admin flags injectable via request body, fields='__all__' |
| JWT Issues | Algorithm confusion (none/HS256↔RS256), weak secrets, missing validation |
| Session Management | Fixation, no rotation after login, predictable session IDs |
| Token Generation | Predictable reset tokens, weak RNG for secrets |
| OAuth/SAML | Missing state param, token exchange bypass, SAML signature wrapping |
| MFA Bypass | Step-skipping, response manipulation |
| Multi-Tenant | Missing org_id/tenant_id scoping in queries |
| GraphQL | Introspection enabled in production, field suggestion enumeration |
| Role Hierarchy | Self-promotion, missing "requester outranks target" checks |
| Client Trust | is_admin=true, role=admin accepted from request body |
# Frappe
grep -rn "allow_guest=True" --include="*.py" ${TARGET_SOURCE}
# Django
grep -rn "@api_view\|class.*APIView\|class.*ViewSet" --include="*.py" ${TARGET_SOURCE}
# Express
grep -rn "app\.get\|app\.post\|router\.get\|router\.post" --include="*.js" --include="*.ts" ${TARGET_SOURCE}
# Spring Boot
grep -rn "@PermitAll\|@GetMapping\|@PostMapping\|@PutMapping\|@DeleteMapping" --include="*.java" ${TARGET_SOURCE}
grep -rn "request\.GET\.get\|request\.args\.get\|req\.params\.\|req\.query\.\|params\[:id\]\|@PathVariable\|c\.Param(" \
--include="*.py" --include="*.js" --include="*.ts" --include="*.java" \
--include="*.rb" --include="*.go" \
${TARGET_SOURCE} | grep -i "id\|user_id\|account\|profile\|document\|order\|ticket"
# Object fetch patterns (check for ownership constraint)
grep -rn "get_object_or_404\|Model\.objects\.get(\|findById(\|findOne({.*:.*req\.\|getById(\|findByPk(" \
--include="*.py" --include="*.js" --include="*.ts" --include="*.java" \
--include="*.rb" --include="*.go" ${TARGET_SOURCE}
grep -rn "fields = '__all__'\|permit_all_parameters\|mass_assignment\|\.save(request\.data\|update_attributes(\|bulk_update" \
--include="*.py" --include="*.rb" --include="*.js" --include="*.ts" ${TARGET_SOURCE}
grep -rn "is_admin\|is_staff\|is_superuser\|role\s*=\s*request\.\|admin\s*=\s*request\.\|privilege\s*=\s*request\.\|permission.*=.*request\." \
--include="*.py" --include="*.js" --include="*.ts" --include="*.java" \
--include="*.rb" --include="*.go" --include="*.php" ${TARGET_SOURCE}
grep -rn "jwt\.decode\|jwt\.verify\|verify=False\|algorithms=\[.*none\|algorithm.*none\|HS256\|RS256\|JWT_SECRET\|decode.*options" \
--include="*.py" --include="*.js" --include="*.ts" --include="*.java" ${TARGET_SOURCE}
grep -rn "session\[.*\]\|session\.get(\|session_id\|session\.regenerate\|session\.invalidate\|session\.clear()" \
--include="*.py" --include="*.js" --include="*.ts" --include="*.php" \
--include="*.rb" --include="*.java" ${TARGET_SOURCE}
grep -rn "reset_token\|password_reset\|forgot_password\|activation_token\|random\.\|token.*generate\|generate.*token" \
--include="*.py" --include="*.js" --include="*.ts" --include="*.php" --include="*.rb" ${TARGET_SOURCE}
grep -rn "introspection\|__schema\|__type\|disable.*introspection\|introspection.*false\|IntrospectionQuery\|NoSchemaIntrospectionCustomRule" \
--include="*.py" --include="*.js" --include="*.ts" --include="*.java" --include="*.go" ${TARGET_SOURCE}
grep -rn "/internal/\|/admin/\|/debug/\|/management/\|/_/\|/actuator/\|/health\|/metrics" \
--include="*.py" --include="*.js" --include="*.ts" --include="*.java" \
--include="*.rb" --include="*.go" --include="*.php" ${TARGET_SOURCE}
grep -rn "role.*update\|update.*role\|assign.*role\|grant.*permission\|revoke.*permission\|promote\|set.*privilege" \
--include="*.py" --include="*.js" --include="*.ts" --include="*.java" --include="*.go" ${TARGET_SOURCE}
recon/architecture.md — find all endpoints with path/query params containing id, user_id, account_id, org_idfile:lineModel.objects.get(id=id, user=request.user) or WHERE id = ? AND tenant_id = ?Model.objects.get(id=id) — no ownership scope@admin_required = SAFE, @login_required only = VULNERABLEalgorithms is hardcoded or accepts any valuefields='__all__' + role/admin/is_staff in model = CRITICAL| Pattern | Verdict |
|---|---|
get(id=id) without user scope on user-level endpoint | HIGH IDOR/BOLA |
get(id=id, user=request.user) | FALSE POSITIVE |
get(id=id, org_id=request.user.org_id) | FALSE POSITIVE (if org_id server-set) |
Admin endpoint with @login_required only | HIGH BFLA |
Admin endpoint with @permission_required('admin') | FALSE POSITIVE |
jwt.decode(token, options={'algorithms': ['none']}) | CRITICAL |
jwt.decode(token, key, algorithms=['HS256']) hardcoded key | MEDIUM |
fields='__all__' with role/admin in model | HIGH mass assignment |
read_only_fields = ['is_staff'] | FALSE POSITIVE |
random.randint() for reset token | HIGH — predictable |
secrets.token_urlsafe() for reset token | FALSE POSITIVE |
| Session not regenerated after login | MEDIUM session fixation |
| GraphQL introspection not disabled in production | MEDIUM |
role = request.data.get('role') without admin check | HIGH privesc |
is_admin = serializer.validated_data.get('is_admin') without admin check | CRITICAL |
| Role assignment without privilege level check | HIGH |
Use LSP diagnostics to confirm auth/access control issues:
mcp__ide__getDiagnostics on auth middleware and decorators — verify they're correctly applied and not bypassed by type errors@login_required, isAuthenticated, authorize()), find ALL call sites to discover endpoints that lack authThe grep patterns above catch known vulnerability shapes. After completing the pattern scan, perform semantic analysis on the code you've read:
For each handler/endpoint: Read the full function. Ask: "What security assumption does this code make? Can that assumption be violated?"
For custom abstractions: If the codebase has custom auth decorators, permission middleware, or access control wrappers — read their implementations. Are they correct? Do they handle edge cases (null, empty, unicode, concurrent calls)?
Cross-module flows: If a variable passes through 3+ functions before reaching a sink, follow it through every hop. One missed encoding step in the middle = vulnerability.
Auth-specific deep analysis: