authenticating
Authentication Testing
Automated authentication security testing: signup, login, 2FA/OTP bypass, CAPTCHA, bot detection using Playwright.
Quick Start
1. Initialize Playwright
2. Test: signup → login → 2FA → CAPTCHA → bot detection
3. Document findings with evidence
Core Workflows
Account Registration: Navigate → analyze form → generate password (PasswordGenerator) → create account → store credentials (CredentialManager)
Login Security: Test bypasses → credential validation → session tokens → fixation/hijacking
2FA/OTP Bypass: Enable 2FA → test vectors (response manipulation, direct access, parameter removal, code reuse, brute force) → extract OTP from email
CAPTCHA Assessment: Identify type → test server-side validation, token expiration, reusability → bypass vectors
Bot Detection: Stealth mode → human-like behavior (natural mouse, variable typing, random pauses) → test detection
Credential Tools
PasswordGenerator (tools/password_generator.py):
from tools.password_generator import generate_password
password = generate_password(hint_text="8-16 chars, uppercase, lowercase, numbers")
CredentialManager (tools/credential_manager.py):
from tools.credential_manager import CredentialManager
mgr = CredentialManager()
cred_id = mgr.store_credential(target="example.com", username="test", password="pass")
cred = mgr.get_credential("example.com")
See reference/PASSWORD_CREDENTIAL_MANAGEMENT.md.
Playwright Automation
REQUIRED: All browser automation via Playwright MCP.
Human-like: Natural mouse, realistic typing (80-200ms delays), random pauses (500-2000ms), smooth scrolling Evidence: Screenshots before/after, network logs, console output Stealth: Hide webdriver, add chrome object, randomize fingerprints
Testing Techniques
CAPTCHA Bypass (11 techniques - reference/CAPTCHA_BYPASS.md):
Missing server validation, empty field, reusable tokens, HTTP header manipulation, content-type conversion, request method, parameter manipulation, OCR, response interception, token expiration, session persistence
2FA Bypass (10 methods - reference/2FA_BYPASS.md):
Response manipulation, direct endpoint access, OTP parameter removal, code reusability, brute force, predictable codes, session persistence pre-2FA, backup code abuse, race condition, OTP leakage
Bot Detection Evasion (reference/BOT_DETECTION.md):
Behavioral biometrics, fingerprint randomization, User-Agent rotation, WebDriver hiding, natural timing, request patterns
Output Structure
outputs/authenticating/<target>/
├── signup/account_created.json + evidence/
├── login/session_tokens.json + evidence/
├── 2fa/bypass_attempts.json + otp_codes.txt + evidence/
├── captcha/bypass_methods.json + evidence/
├── bot_detection/detection_tests.json + behavioral_patterns.md
└── findings/vulnerabilities.json + authentication_report.md + poc_scripts/
Common Vulnerabilities
Critical: Missing 2FA server validation, reusable OTP, direct access without 2FA, client-side CAPTCHA High: Weak OTP generation, no rate limiting, CAPTCHA token reuse, session persistence pre-2FA Medium: Weak bot detection, account enumeration, timing attacks, info disclosure
Testing Checklist
Pre: Scope, test accounts, Playwright configured, email access During: Signup, login, 2FA, CAPTCHA, bot detection, evidence Post: Findings documented, PoC scripts, CVSS scores, remediation, cleanup
Critical Rules
Always: Test accounts only, document scope, responsible disclosure, clean up Never: Exceed scope, cause disruption, expose findings before remediation
Tools
Playwright MCP, PasswordGenerator, CredentialManager, Email APIs (IMAP, Gmail), OCR (Tesseract)
Commands
/authenticating # Full test
/authenticating --test=2fa # Specific area
/authenticating --report # Generate report
Reference
- CAPTCHA_BYPASS.md - 11 CAPTCHA techniques
- 2FA_BYPASS.md - 10 2FA/OTP methods
- BOT_DETECTION.md - Bot evasion
- PASSWORD_CREDENTIAL_MANAGEMENT.md - Tool usage
More from transilienceai/communitytools
hackerone
HackerOne bug bounty automation - parses scope CSVs, deploys parallel pentesting agents for each asset, validates PoCs, and generates platform-ready submission reports. Use when testing HackerOne programs or preparing professional vulnerability submissions.
50reconnaissance
Domain assessment and web application mapping - subdomain discovery, port scanning, endpoint enumeration, API discovery, and attack surface analysis.
40ai-threat-testing
Offensive AI security testing and exploitation framework. Systematically tests LLM applications for OWASP Top 10 vulnerabilities including prompt injection, model extraction, data poisoning, and supply chain attacks. Integrates with pentest workflows to discover and exploit AI-specific threats.
38osint
Open-source intelligence gathering - company repository enumeration, secret scanning, git history analysis, employee footprint, and code exposure discovery.
37social-engineering
Social engineering testing - phishing, pretexting, vishing, and physical security assessment techniques.
37source-code-scanning
Security-focused source code review and SAST. Scans for vulnerabilities (OWASP Top 10, CWE Top 25), CVEs in third-party dependencies/packages, hardcoded secrets, malicious code, and insecure patterns. Use when given source code, a repo path, or asked to "audit", "scan", "review" code security, or "check dependencies for CVEs".
35