From vuln-skills
Audits Python code for authentication bypass vulnerabilities in permission checks, DRF views, JWT/token validation, decorators, middleware, and SSO/OAuth flows. Covers CWE-285/287/863.
npx claudepluginhub yhy0/ghsa-skill-builder --plugin vuln-skills
This skill uses the workspace's default tool permissions.
Load this Skill when auditing Python code that involves authentication flows, permission checks, or access control logic.
General detection model, applicable to all variants of this vulnerability class.
Sources (attack entry points):
Sinks (protected resources/operations):
Sanitization (authentication/authorization barriers):
- @login_required, @permission_required
- permission_classes(IsAuthenticated, IsAdminUser)
Detection path:
Grep patterns for locating authentication/authorization code:
# DRF views missing permission_classes
grep -rn "class.*APIView\|class.*ViewSet" --include="*.py"
grep -rn "permission_classes" --include="*.py"
# Fallback values in exception handlers
grep -rn "except.*return" --include="*.py"
# Authentication decorators
grep -rn "login_required\|permission_required" --include="*.py"
# SSO/OAuth related
grep -rn "SAML\|OAuth\|OpenID\|IdP" --include="*.py"
# Event bus
grep -rn "event.*handler\|on_event\|publish(" --include="*.py"
- Does an except block return a predictable fallback value (such as -1, None or ""), and can an attacker supply that same value to pass a later comparison?
- Does a compound condition of the form if A and B or C behave differently from what was intended because parentheses are missing? (and binds more tightly than or.)
- Does every APIView/ViewSet explicitly declare permission_classes? If not, DRF falls back to DEFAULT_PERMISSION_CLASSES, which may be AllowAny.
- is_authenticated is not the same as "is the right user".
- Does a route prefix match more than intended (e.g. /user matching /user/admin)?
- Does the route list for a low-privilege role include high-privilege endpoints?
- With combined configuration such as allow_all + identity_provider, does the precedence between the settings change after a framework version upgrade?
The following patterns are not this class of vulnerability:
- The fallback value is explicitly excluded before the comparison (e.g. if secret != -1 and secret == input); this is not a vulnerability.
- Skipping authentication when DEBUG=True; confirm that the production environment is unaffected.
The following patterns need deeper inspection:
- except Exception: return default_value -- a broad exception catch plus a returned default value is a high-risk pattern; trace how default_value is used.
- if user.is_authenticated -- checks only authentication state without verifying identity (whether this is the correct user); in account linking scenarios this can allow impersonation.
- permission_classes = [] or permission_classes = [AllowAny] -- explicitly removes permission checks; confirm whether the endpoint is intended to be public.
- The semantics of configuration options such as allow_all may change across framework upgrades.
- Whether permissions on the /user route unintentionally cover sub-paths such as /user/admin.
See references/cases.md for details (7 real cases; load when needed).