pentest-authentication-authorization-review
Authentication & Authorization Review
Activation Triggers (Positive)
auth, session, token, mfa, idor, bola, bfla, privilege escalation, tenant isolation
Exclusion Triggers (Negative)
recon only, injection fuzzing only, write report only
Output Schema
- Access-control matrix: actor, resource, action, expected, observed
- Session/token lifecycle findings: issued, replayed, revoked, result
- Confirmed boundary breaks with attacker capability statement
Instructions
- Define identity roles and expected permissions before testing.
- Validate both horizontal and vertical boundaries with paired-role comparisons.
- Test session and token invalidation across interfaces and time windows.
- Confirm authorization at object, function, and workflow levels.
- Distinguish authentication weakness from authorization weakness in output.
- Escalate only confirmed boundary failures into exploit chaining.
Should Do
- Use explicit role-to-action test cases.
- Capture full evidence for accepted and denied control paths.
- Verify revocation behavior, not just issuance behavior.
Should Not Do
- Do not infer access-control findings from UI behavior alone.
- Do not conflate missing data with denied access.
- Do not mark privilege escalation without deterministic proof of crossed boundary.
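The access-control matrix and the session lifecycle checks above can be expressed as a small evaluation harness. The following Python is an added example, not part of the crtvrffnrt/skills project: it assumes a hypothetical three-role model (viewer, editor, admin), a hypothetical per-action minimum role, and constructed sample probes and token events in place of real responses. It derives the expected decision from the role model defined before testing, keeps a 404 distinct from a 403 so missing data is never recorded as denial, and labels a discrepancy as a horizontal (tenant) or vertical (privilege) boundary break only when a permitted request crossed a boundary the model says it must not.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Hypothetical privilege ordering and per-action minimum role (assumptions for this example).
ROLE_RANK: Dict[str, int] = {"viewer": 0, "editor": 1, "admin": 2}
ACTION_MIN_ROLE: Dict[str, str] = {"read": "viewer", "update": "editor", "delete": "admin"}


@dataclass(frozen=True)
class Probe:
    actor: str            # identity that sent the request
    role: str             # role that identity holds
    tenant: str           # tenant the identity belongs to
    resource: str         # object being acted on
    resource_tenant: str  # tenant that owns the object
    action: str           # read / update / delete
    status: int           # observed HTTP status code


def expected_decision(p: Probe) -> str:
    """Expected outcome from the role model; cross-tenant access is never expected."""
    if p.tenant != p.resource_tenant:
        return "deny"
    required = ROLE_RANK[ACTION_MIN_ROLE[p.action]]
    return "allow" if ROLE_RANK[p.role] >= required else "deny"


def observed_decision(status: int) -> str:
    """Map a status code to an observed outcome; 404 stays distinct from denial."""
    if status in (200, 201, 204):
        return "allow"
    if status in (401, 403):
        return "deny"
    if status == 404:
        return "not_found"
    return "other"


def classify(p: Probe, expected: str, observed: str) -> str:
    """Turn an expected/observed pair into a finding label."""
    if expected == observed:
        return "ok"
    if expected == "deny" and observed == "allow":
        if p.tenant != p.resource_tenant:
            return "horizontal boundary break (tenant isolation)"
        return "vertical boundary break (privilege escalation)"
    if expected == "deny" and observed == "not_found":
        return "inconclusive: missing data, not a denial"
    if expected == "allow" and observed == "deny":
        return "over-restriction: expected access denied"
    return "unexpected response"


def build_matrix(probes: List[Probe]) -> List[Dict[str, str]]:
    """Produce actor,resource,action,expected,observed rows plus a finding column."""
    rows = []
    for p in probes:
        exp = expected_decision(p)
        obs = observed_decision(p.status)
        rows.append({"actor": p.actor, "resource": p.resource, "action": p.action,
                     "expected": exp, "observed": obs, "finding": classify(p, exp, obs)})
    return rows


def confirmed_breaks(rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Only rows with a deterministically crossed boundary qualify for escalation."""
    return [r for r in rows if "boundary break" in r["finding"]]


def lifecycle_finding(events: List[Tuple[str, int]]) -> str:
    """events: ordered (phase, status) pairs for one token, phases issued/replayed/revoked."""
    revoked = False
    for phase, status in events:
        if phase == "revoked":
            revoked = True
        elif phase == "replayed" and revoked and observed_decision(status) == "allow":
            return "token accepted after revocation"
    return "revocation enforced" if revoked else "revocation not exercised"


# Constructed sample probes (not captured from any real system).
SAMPLE_PROBES: List[Probe] = [
    Probe("alice", "viewer", "t1", "doc:1", "t1", "read", 200),
    Probe("alice", "viewer", "t1", "doc:1", "t1", "delete", 403),
    Probe("bob", "editor", "t1", "doc:1", "t1", "delete", 200),
    Probe("carol", "viewer", "t2", "doc:1", "t1", "read", 200),
    Probe("dave", "viewer", "t2", "doc:7", "t1", "update", 404),
    Probe("erin", "admin", "t1", "doc:1", "t1", "update", 403),
]

# Constructed token lifecycles keyed by a placeholder token id.
SAMPLE_SESSIONS: Dict[str, List[Tuple[str, int]]] = {
    "tok-A": [("issued", 200), ("replayed", 200), ("revoked", 204), ("replayed", 200)],
    "tok-B": [("issued", 200), ("revoked", 204), ("replayed", 401)],
}

if __name__ == "__main__":
    for row in build_matrix(SAMPLE_PROBES):
        print(row)
    for token, events in SAMPLE_SESSIONS.items():
        print(token, lifecycle_finding(events))
```

The `finding` column is what separates an authorization weakness (a boundary break) from a functional defect (over-restriction) or an inconclusive probe, which is the distinction the instructions ask for in the output; only the rows returned by `confirmed_breaks` would move on to exploit chaining.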