Authentication
Test authentication mechanisms including login security, token handling, 2FA, CAPTCHA, and bot detection.
Techniques
| Type | Key Vectors |
|---|---|
| Auth Bypass | Default credentials, logic flaws, response manipulation |
| ADFS/SAML | Golden SAML, token signing cert theft, assertion manipulation, SAML wrapping |
| JWT | Algorithm confusion, key injection, claim tampering, token forging |
| OAuth | Redirect manipulation, CSRF, token leakage, scope abuse |
| Password | Brute force, credential stuffing, password policy bypass |
| 2FA Bypass | Response manipulation, direct endpoint access, code reuse, race conditions |
| CAPTCHA Bypass | Missing server validation, token reuse, OCR, parameter manipulation |
| Bot Detection | Behavioral biometrics simulation, fingerprint randomization, stealth mode |
Tools
PasswordGenerator (tools/password_generator.py):

```python
from tools.password_generator import generate_password

# Generate a password that matches the policy described in hint_text
password = generate_password(hint_text="8-16 chars, uppercase, numbers")
```

CredentialManager (tools/credential_manager.py):

```python
from tools.credential_manager import CredentialManager

# Store the test account credentials for the target
mgr = CredentialManager()
mgr.store_credential(target="example.com", username="test", password="pass")
```
Workflow
- Analyze auth implementation (forms, tokens, 2FA, CAPTCHA)
- Test bypass vectors per technique type
- Use Playwright MCP with human-like behavior (typing 80-200ms, random pauses)
- Capture evidence (screenshots, network logs, tokens)
- Document findings with PoC scripts
Reference
- reference/authentication*.md - Auth bypass techniques, payloads, and resources
- reference/jwt*.md - JWT attack techniques and cheat sheets
- reference/oauth*.md - OAuth vulnerability testing
- reference/password-attacks.md - Password attack vectors
- reference/adfs-exploitation.md - ADFS, Golden SAML, federation attacks
- reference/2FA_BYPASS.md - 10 2FA bypass methods
- reference/CAPTCHA_BYPASS.md - 11 CAPTCHA bypass techniques
- reference/BOT_DETECTION.md - Bot detection evasion strategies
- reference/PASSWORD_CREDENTIAL_MANAGEMENT.md - Tool usage guide