Auth Bypass Tester
Comprehensive authentication and authorization bypass testing including session hijacking, privilege escalation, JWT manipulation, and access control verification
```shell
git clone --depth 1 https://github.com/PramodDutta/qaskills /tmp/auth-bypass-tester && cp -r /tmp/auth-bypass-tester/seed-skills/auth-bypass-tester ~/.claude/skills/auth-bypass-tester
```
SKILL.md
# Auth Bypass Tester Skill
You are an expert security tester specializing in authentication and authorization bypass testing. When the user asks you to write, review, or plan auth bypass tests, follow these detailed instructions to systematically identify vulnerabilities in authentication flows, session management, access control enforcement, and token-based security mechanisms.
## Core Principles
1. **Defense in depth verification** -- Never trust a single layer of authentication. Test that every access point independently verifies identity, authorization, and session validity rather than relying on upstream checks alone.
2. **Least privilege enforcement** -- Verify that every endpoint, resource, and action enforces the minimum required permissions. Users should only access what they explicitly need, and the system should deny by default.
3. **Stateless token integrity** -- JWTs and other stateless tokens must be cryptographically verified on every request. Test that the server rejects tampered, expired, or algorithmically downgraded tokens without exception.
4. **Session lifecycle completeness** -- Test the entire session lifecycle from creation through destruction. Ensure that logout actually invalidates server-side state, that session fixation is impossible, and that concurrent session policies are enforced.
5. **Indirect object reference protection** -- Every resource accessed by user-supplied identifiers must verify that the requesting user has authorization to access that specific resource. Predictable IDs without authorization checks are critical vulnerabilities.
6. **Fail-secure behavior** -- When authentication or authorization components fail, error out, or encounter unexpected input, the system must deny access rather than granting it. Test edge cases where parsing failures might bypass checks.
7. **Cross-origin and cross-context isolation** -- Verify that authentication state cannot be leveraged across unintended origins, subdomains, or application contexts. CSRF protections, SameSite cookie attributes, and CORS policies must be correctly configured.
## Project Structure
```
tests/
  security/
    auth-bypass/
      direct-access.spec.ts        # Unauthenticated direct URL access
      role-based-access.spec.ts    # RBAC enforcement tests
      jwt-manipulation.spec.ts     # JWT token tampering tests
      session-management.spec.ts   # Session fixation and hijacking
      idor.spec.ts                 # Insecure direct object references
      cookie-manipulation.spec.ts  # Cookie tampering and theft
      oauth-flow.spec.ts           # OAuth/OIDC flow exploitation
      api-auth.spec.ts             # API endpoint auth verification
      csrf.spec.ts                 # Cross-site request forgery
    fixtures/
      auth-helpers.ts              # Authentication utility functions
      token-factory.ts             # JWT generation and manipulation
      user-roles.ts                # Test user role definitions
    data/
      test-users.json              # Test user credentials by role
      endpoint-matrix.json         # Endpoint-to-role authorization map
playwright.config.ts
```
## Configuration
```typescript
// playwright.config.ts
import { defineConfig } from '@playwright/test';

export default defineConfig({
  testDir: './tests/security/auth-bypass',
  fullyParallel: false, // Sequential execution prevents session interference
  retries: 0, // Security tests must not retry -- failures indicate real vulnerabilities
  timeout: 30_000,
  use: {
    baseURL: process.env.TARGET_URL || 'http://localhost:3000',
    extraHTTPHeaders: {
      'X-Test-Security': 'auth-bypass-suite',
    },
    trace: 'retain-on-failure',
    screenshot: 'only-on-failure',
  },
  projects: [
    {
      name: 'auth-bypass',
      testMatch: '**/*.spec.ts',
    },
  ],
});
```
```typescript
// tests/security/fixtures/user-roles.ts
export interface TestUser {
  email: string;
  password: string;
  role: string;
  expectedPermissions: string[];
}

export const TEST_USERS: Record<string, TestUser> = {
  admin: {
    email: 'admin@testapp.local',
    password: process.env.TEST_ADMIN_PASSWORD || 'Admin!SecurePass123',
    role: 'admin',
    expectedPermissions: ['read', 'write', 'delete', 'manage-users', 'view-audit-log'],
  },
  manager: {
    email: 'manager@testapp.local',
    password: process.env.TEST_MANAGER_PASSWORD || 'Manager!SecurePass123',
    role: 'manager',
    expectedPermissions: ['read', 'write', 'delete'],
  },
  user: {
    email: 'user@testapp.local',
    password: process.env.TEST_USER_PASSWORD || 'User!SecurePass123',
    role: 'user',
    expectedPermissions: ['read', 'write'],
  },
  readonly: {
    email: 'readonly@testapp.local',
    password: process.env.TEST_READONLY_PASSWORD || 'ReadOnly!SecurePass123',
    role: 'readonly',
    expectedPermissions: ['read'],
  },
};

// Endpoint-to-role map: each key is "METHOD path", the value is the set of roles allowed to call it.
export const ENDPOINT_AUTH_MATRIX: Record<string, string[]> = {
  'GET /api/admin/users': ['admin'],
  'POST /api/admin/users': ['admin'],
  'DELETE /api/admin/users/:id': ['admin'],
  'GET /api/reports': ['admin', 'manager'],
  'POST /api/reports': ['admin', 'manager'],
  'GET /api/documents': ['admin', 'manager', 'user', 'readonly'],
  'POST /api/documents': ['admin', 'manager', 'user'],
  'DELETE /api/documents/:id': ['admin', 'manager'],
  'GET /api/audit-log': ['admin'],
  'PATCH /api/users/:id/role': ['admin'],
};
```
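The authorization matrix above only lists who is allowed; the tests also need the implied denials (every role not listed, plus the unauthenticated case), and a verdict rule that treats a crashed check as a failure rather than a pass (principle 6). The following helper is an added example, not code from the qaskills skill; the `anonymous` principal name and the "redirect to `/login` counts as denied" rule are assumptions.

```typescript
// Added example (not part of the qaskills skill): expand an endpoint-to-role
// matrix into explicit allow/deny expectations and judge observed responses.
type Method = 'GET' | 'POST' | 'PATCH' | 'DELETE';

export interface AccessExpectation {
  method: Method;
  path: string;
  principal: string;          // a role name, or 'anonymous' (assumed name) for no session
  expected: 'allow' | 'deny';
}

/** Every role mentioned anywhere in the matrix, so no role is silently left untested. */
export function rolesIn(matrix: Record<string, string[]>): string[] {
  return [...new Set(Object.values(matrix).flat())].sort();
}

/** Cross-product of endpoints and principals. Unlisted roles and anonymous are expected to be denied. */
export function expandMatrix(matrix: Record<string, string[]>): AccessExpectation[] {
  const principals = ['anonymous', ...rolesIn(matrix)];
  const out: AccessExpectation[] = [];
  for (const [key, allowed] of Object.entries(matrix)) {
    const [method, path] = key.split(' ', 2) as [Method, string];
    for (const principal of principals) {
      const allow = principal !== 'anonymous' && allowed.includes(principal);
      out.push({ method, path, principal, expected: allow ? 'allow' : 'deny' });
    }
  }
  return out;
}

/**
 * Judge one observed response against an expectation.
 * A denial is 401/403 or a redirect to the login page; a 2xx is a successful call.
 * For a "deny" expectation anything else (404, 5xx) is also a fail: an authorization
 * check that errors out is not evidence that access was denied (fail-secure).
 */
export function judge(exp: AccessExpectation, status: number, location?: string): 'pass' | 'fail' {
  const toLogin = status >= 300 && status < 400 && (location || '').includes('/login');
  const denied = status === 401 || status === 403 || toLogin;
  const allowed = status >= 200 && status < 300;
  if (exp.expected === 'deny') return denied ? 'pass' : 'fail';
  return allowed ? 'pass' : 'fail';
}
```

In a Playwright spec, each expectation becomes one request made with that principal's session (or none), and `judge` turns the response into the assertion; the matrix on this page expands to 50 such cases.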
## Direct URL Access Without Authentication
The most fundamental auth bypass test verifies that unauthenticated users cannot access protected resources by directly navigating to their URLs.
```typescript
// tests/security/auth-bypass/direct-access.spec.ts
import { test, expect } from '@playwright/test';

const PROTECTED_PAGES = [
  '/dashboard',
  '/admin',
  '/admin/users',
  '/settings',
  '/profile',
  '/reports',
  '/billing',
  '/api/admin/users',
  '/api/reports/export',
];

const PROTECTED_API_ENDPOINTS = [
  { method: 'GET', path: '/api/users/me' },
  // the remaining entries and the test cases are cut off in the source
];
```