authorization-testing by anshumanbh
Validate authorization failures including IDOR, privilege escalation, and missing access controls. Test by attempting unauthorized access with lower-privileged credentials. Use when testing CWE-639 (IDOR), CWE-269 (Improper Privilege Management), CWE-862 (Missing Authorization), CWE-863 (Incorrect Authorization), CWE-284 (Improper Access Control), CWE-285 (Improper Authorization), or CWE-425 (Direct Request / Forced Browsing) findings.
Content & Writing
234 Stars
54 Forks
Updated Jan 18, 2026, 11:38 PM
Why Use This
This skill provides specialized capabilities for anshumanbh's codebase.
Use Cases
- Developing new features in the anshumanbh repository
- Refactoring existing code to follow anshumanbh standards
- Understanding and working with anshumanbh's codebase structure
Install Guide
2 steps- 1
Skip this step if Ananke is already installed.
- 2
Skill Snapshot
Auto scan of skill assets. Informational only.
Valid SKILL.md
Checks against SKILL.md specification
Source & Community
Skill Stats
SKILL.md 461 Lines
Total Files 1
Total Size 0 B
License NOASSERTION
---
name: authorization-testing
description: Validate authorization failures including IDOR, privilege escalation, and missing access controls. Test by attempting unauthorized access with lower-privileged credentials. Use when testing CWE-639 (IDOR), CWE-269 (Improper Privilege Management), CWE-862 (Missing Authorization), CWE-863 (Incorrect Authorization), CWE-284 (Improper Access Control), CWE-285 (Improper Authorization), or CWE-425 (Direct Request / Forced Browsing) findings.
allowed-tools: Read, Write, Bash
---
# Authorization Testing Skill
## Purpose
Validate authorization failures by attempting actions that should be blocked based on:
- **User identity** (horizontal privilege escalation / IDOR)
- **User role/privilege level** (vertical privilege escalation)
- **Resource ownership** rules
- **Function-level access controls**
## Vulnerability Types Covered
### 1. Insecure Direct Object Reference - IDOR (CWE-639)
Access other users' resources by manipulating object IDs.
**Test Pattern:** Authenticate as User A, access User B's resource (change ID in URL/params)
**Expected:** 403 Forbidden | **Actual if vulnerable:** 200 OK
**Example:** `/api/user/456` accessed by user 123
### 2. Vertical Privilege Escalation (CWE-269, CWE-863)
Perform actions requiring higher privileges than possessed.
**Test Pattern:** Authenticate as regular user, attempt admin/privileged action
**Expected:** 403 Forbidden | **Actual if vulnerable:** 200 OK
**Examples:**
- Regular user calls `/admin/delete_user`
- User modifies their own role to admin via `/update_role`
- User accesses admin dashboard
### 3. Horizontal Privilege Escalation (CWE-639)
Access peer users' resources at same privilege level.
**Test Pattern:** Authenticate as User A (regular), access/modify User B's data (also regular)
**Expected:** 403 Forbidden | **Actual if vulnerable:** 200 OK
**Example:** User 2 modifies User 3's profile
### 4. Missing Authorization (CWE-862)
Actions execute without ANY authorization check.
**Test Pattern:** Authenticate with minimal privileges, attempt protected action
**Expected:** 403 Forbidden | **Actual if vulnerable:** 200 OK
**Example:** Unauthenticated or low-privilege access to `/api/admin/users`
### 5. Function-Level Access Control (CWE-285)
Wrong authorization logic applied to functions.
**Test Pattern:** Authenticate as user authorized for function X, attempt function Y (should be blocked)
**Expected:** 403 Forbidden | **Actual if vulnerable:** 200 OK
**Example:** Read-only user performs write operation
### 6. Direct Request / Forced Browsing (CWE-425)
Access restricted functionality by directly requesting URLs, bypassing normal navigation flow.
**Test Pattern:** Request admin/protected URL directly without proper authorization flow
**Expected:** 403 Forbidden or redirect to login | **Actual if vulnerable:** 200 OK
**Examples:**
- Direct access to `/admin/dashboard` without admin session
- Force-browsing to `/api/internal/config` endpoint
- Accessing `/reports/confidential` by guessing URL structure
## Prerequisites
- Target application running and reachable
- Test accounts based on vulnerability type:
- **IDOR/Horizontal:** 2+ regular users (same role, different accounts)
- **Vertical Escalation:** 1 regular user + 1 admin user (different roles)
- **Missing Authorization:** 1 low-privilege or unauthenticated context
- VULNERABILITIES.json with suspected authorization failures
## Testing Methodology
### Phase 1: Understand Authorization Model
Before testing, read the source code to identify:
- **Authentication mechanism** (session cookies, JWT Bearer, API key, OAuth)
- **Authorization checks** (decorators like @admin_required, middleware, guards)
- **Role/permission structure** (user, admin, moderator, etc.)
- **Resource ownership rules** (user_id checks, tenant isolation)
- **Where object identifiers appear** (path params, query params, JSON body)
**Key insight:** Each app implements authorization differently. Read the code first!
### Phase 2: Identify Test Scenarios
Map vulnerabilities to test types:
| CWE | Vulnerability | Test Type | Accounts Needed |
|-----|---------------|-----------|-----------------|
| CWE-639 | IDOR on `/api/user/<id>` | Horizontal | 2 regular users |
| CWE-269 | Missing admin check on `/update_role` | Vertical | 1 regular, 1 admin |
| CWE-862 | No authz on `/admin/dashboard` | Missing | 1 regular user |
| CWE-863 | Flawed check on `/api/profile/<id>/update` | IDOR | 2 regular users |
| CWE-284 | Generic access control bypass | Varies | Based on context |
| CWE-285 | Wrong authz logic on read-only endpoint | Function-level | Read-only + write user |
| CWE-425 | Direct URL access to `/admin/config` | Forced browsing | 1 regular user |
### Phase 3: Prepare Test Accounts
**If .securevibes/DAST_TEST_ACCOUNTS.json exists:**
```json
{
"accounts": [
{"username": "user1", "password": "Pass123!", "user_id": "123", "role": "user"},
{"username": "user2", "password": "Pass456!", "user_id": "456", "role": "user"},
{"username": "admin", "password": "Admin789!", "user_id": "1", "role": "admin"}
]
}
```
Extract credentials for:
- **Horizontal tests:** user1, user2 (both regular role)
- **Vertical tests:** user1 (regular role), admin (admin role)
**If no test accounts:**
- Test only public endpoints
- Mark authenticated paths as UNVALIDATED (insufficient accounts)
### Phase 4: Authenticate Test Users
Read application code to determine auth mechanism, then use authentication helpers from `reference/auth_patterns.py`:
```python
from reference.auth_patterns import session_based_auth, jwt_bearer_auth, api_key_auth
# Session-based (Flask, Express, Django)
session = session_based_auth(target_url, user1_username, user1_password)
response = session.get(f"{target_url}/api/resource")
# JWT Bearer (REST APIs)
headers = jwt_bearer_auth(target_url, user1_username, user1_password)
response = requests.get(f"{target_url}/api/resource", headers=headers)
# API Key
headers = api_key_auth(api_key_for_user1)
response = requests.get(f"{target_url}/api/resource", headers=headers)
```
See `reference/auth_patterns.py` for additional patterns (OAuth2, Basic auth) and customization options.
### Phase 5: Execute Authorization Tests
**Universal Pattern:**
```
1. Authenticate with LOW privilege credentials
2. Baseline: Attempt ALLOWED action → 200 OK (verify auth works)
3. Test: Attempt BLOCKED action → ???
4. Classify:
- 200 OK: VALIDATED (authorization bypass!)
- 403/401: FALSE_POSITIVE (authorization working correctly)
- Other: UNVALIDATED (unclear/error)
```
**Test Variants by Vulnerability Type:**
#### IDOR Test (Horizontal)
```python
# User A accesses User B's resource
auth_as(user_a) # user_id: 123
# Baseline: own resource
GET /api/user/123 → 200 OK ✓
# Test: other user's resource
GET /api/user/456 → ???
# Expected: 403 Forbidden
# Actual if vulnerable: 200 OK with user 456's data
# Classification: VALIDATED (CWE-639)
```
#### Vertical Privilege Escalation
```python
# Regular user performs admin action
auth_as(regular_user) # role: user
# Baseline: allowed action
GET /dashboard → 200 OK ✓
# Test: admin action
POST /admin/delete_user {"user_id": 123} → ???
# Expected: 403 Forbidden
# Actual if vulnerable: 200 OK, user deleted
# Classification: VALIDATED (CWE-269)
```
#### Role Self-Modification
```python
# User escalates own role
auth_as(regular_user) # user_id: 123, role: user
# Baseline: check current role
GET /api/user/123 → {"role": "user"} ✓
# Test: modify own role
POST /update_role {"user_id": 123, "role": "admin"} → ???
# Expected: 403 Forbidden
# Actual if vulnerable: 200 OK, role changed to admin
# Classification: VALIDATED (CWE-269)
```
#### Cross-User Resource Modification
```python
# User A modifies User B's data
auth_as(user_a) # user_id: 123
# Baseline: modify own profile
POST /api/profile/123/update {"email": "[email protected]"} → 200 OK ✓
# Test: modify other user's profile
POST /api/profile/456/update {"email": "[email protected]"} → ???
# Expected: 403 Forbidden
# Actual if vulnerable: 200 OK, user 456's profile modified
# Classification: VALIDATED (CWE-639)
```
### Phase 6: Capture Evidence
Capture minimal structured evidence with redaction and truncation:
```json
{
"status": "VALIDATED|FALSE_POSITIVE|PARTIAL|UNVALIDATED",
"baseline": {
"url": "http://target.com/api/user/123",
"method": "GET",
"status": 200,
"response_snippet": "{\"id\": 123, \"role\": \"user\"}",
"response_hash": "sha256:abc123...",
"truncated": false,
"original_size_bytes": 58
},
"test": {
"url": "http://target.com/update_role",
"method": "POST",
"payload": "{\"user_id\": 123, \"role\": \"admin\"}",
"status": 200,
"response_snippet": "{\"success\": true}",
"response_hash": "sha256:def456...",
"truncated": false,
"original_size_bytes": 18
},
"evidence": "User 123 escalated own role from 'user' to 'admin'"
}
```
**Evidence Fields:**
| Field | Required | Description |
|-------|----------|-------------|
| `response_snippet` | Yes | First 8KB of response body (text only) |
| `response_hash` | Yes | SHA-256 hash of complete response (format: `sha256:...`) |
| `truncated` | Recommended | `true` if response exceeded 8KB limit, `false` otherwise |
| `original_size_bytes` | Recommended | Full response size before truncation |
**Truncation Pattern:**
- Limit response snippets to 8KB (8192 bytes) maximum
- If response exceeds limit, truncate and set `truncated: true`
- Always compute hash of **complete** response (before truncation)
- Include `original_size_bytes` to show actual response size
**Example with Large Response:**
```json
{
"baseline": {
"url": "http://target.com/api/users/export",
"method": "GET",
"status": 200,
"response_snippet": "[truncated 8KB of 250KB JSON array...]",
"response_hash": "sha256:789abc...",
"truncated": true,
"original_size_bytes": 256000
}
}
```
**CRITICAL Redaction Requirements:**
Redact these sensitive field types from response snippets:
- Passwords, API keys, secrets, tokens
- SSN, credit card numbers, CVV codes
- Email addresses (in some contexts)
- Phone numbers, addresses
- Session IDs, JWTs, OAuth tokens
- Any PII or credentials
**Redaction Example:**
```json
// Before redaction
{"user": {"password": "MySecret123", "ssn": "123-45-6789"}}
// After redaction
{"user": {"password": "[REDACTED]", "ssn": "[REDACTED]"}}
```
### Phase 7: Classification Logic
```python
if response.status_code == 200:
if action_should_be_blocked:
return "VALIDATED" # Authorization bypass confirmed!
else:
return "FALSE_POSITIVE" # Action was allowed (not a vulnerability)
elif response.status_code in [401, 403]:
return "FALSE_POSITIVE" # Authorization working correctly
elif mixed_results_requiring_manual_review:
return "PARTIAL" # Some tests passed, others failed - needs human review
else:
return "UNVALIDATED" # Ambiguous result (error, timeout, etc.)
```
**Status Type Definitions:**
| Status | Meaning | When to Use |
|--------|---------|-------------|
| **VALIDATED** | Vulnerability confirmed | 200 OK received when accessing unauthorized resource/action |
| **FALSE_POSITIVE** | Security working correctly | 401/403 received, access properly denied |
| **PARTIAL** | Mixed results | Some operations succeeded, others failed; requires manual review |
| **UNVALIDATED** | Test inconclusive | Error, timeout, or ambiguous response preventing classification |
**PARTIAL Status Criteria:**
- Multiple test variants with inconsistent results (some 200 OK, some 403)
- Partial authorization bypass (e.g., read succeeds but write denied)
- Role-dependent results that don't clearly indicate vulnerability
- Complex multi-step operations with mixed outcomes
**Example PARTIAL Scenario:**
```python
# Testing /api/document/{id} endpoint
GET /api/document/456 → 200 OK (IDOR on read)
PUT /api/document/456 → 403 Forbidden (write protected)
DELETE /api/document/456 → 403 Forbidden (delete protected)
# Classification: PARTIAL
# Reason: Read access bypassed (IDOR), but modification/deletion properly blocked
# Requires manual review to assess actual risk
```
## Output Guidelines
**CRITICAL: Keep responses concise (1-4 sentences)**
**Format for VALIDATED (any authz failure):**
```
Authorization bypass on [endpoint] - [low_priv_user] successfully performed [high_priv_action] (200 OK). [Impact]. Evidence: [file_path]
```
**Format for FALSE_POSITIVE:**
```
Authorization check working on [endpoint] - access properly denied with [status_code]. Evidence: [file_path]
```
**Format for PARTIAL:**
```
Partial authorization bypass on [endpoint] - [operation1] succeeded (200 OK) but [operation2] blocked ([status_code]). Requires manual review. Evidence: [file_path]
```
**Format for UNVALIDATED:**
```
Authorization test incomplete on [endpoint] - [reason]. Evidence: [file_path]
```
**Examples:**
**IDOR (horizontal):**
```
Authorization bypass on /api/user - user 123 accessed user 456's PII (200 OK). Exposed email, phone, address.
```
**Privilege escalation (vertical):**
```
Authorization bypass on /update_role - regular user escalated to admin role (200 OK). Full system compromise possible.
```
**Cross-user modification:**
```
Authorization bypass on /api/profile/1/update - user 2 modified admin profile (200 OK). Account takeover risk.
```
**What NOT to do:**
- ❌ Don't repeat information from the evidence file
- ❌ Don't add CVSS scores unless requested
- ❌ Don't provide recommendations unless requested
- ❌ Don't write paragraphs of analysis
- ❌ Don't format as "reports" with sections
## CWE Mapping
This skill validates:
- **CWE-639:** IDOR / Authorization Bypass Through User-Controlled Key
- **CWE-269:** Improper Privilege Management
- **CWE-862:** Missing Authorization
- **CWE-863:** Incorrect Authorization Logic
- **CWE-284:** Improper Access Control (parent category)
- **CWE-285:** Improper Authorization
- **CWE-425:** Direct Request / Forced Browsing
## Safety Rules
**Skill Responsibilities:**
- ONLY test against --target-url provided by user
- STOP immediately if unexpected damage occurs
- NO exfiltration of real user data (capture evidence, not actual PII)
- Redact sensitive data from all evidence
- Log all test actions (optional: `.securevibes/dast_audit.log`)
**Scanner Responsibilities (handled at infrastructure level):**
- Production URL detection (blocks testing `.com`, `.net`, `api.`, `www.` domains)
- User confirmation prompts before testing non-production targets
- Target reachability checks before starting tests
- `--allow-production` flag requirement for production testing
**Important:** This skill focuses on testing methodology. Safety gates (production detection, confirmation prompts, reachability checks) are implemented by the SecureVibes scanner, not the skill itself.
## Error Handling
- Target unreachable → Mark all UNVALIDATED
- Test accounts missing → Test only public endpoints, mark others UNVALIDATED
- Authentication fails → UNVALIDATED with reason
- Timeout exceeded → UNVALIDATED with timeout reason
- Unexpected error → Log error, continue with next vulnerability
## Examples
For comprehensive vulnerability-specific examples with code and evidence, see `examples.md`:
- **Horizontal Escalation (IDOR)**: Sequential IDs, UUIDs, nested resources, cross-account modification
- **Vertical Privilege Escalation**: Role self-modification, admin function access
- **Missing Authorization**: Unauthenticated admin endpoints
- **Forced Browsing**: Direct URL access to protected resources
- **Test Result Types**: FALSE_POSITIVE, UNVALIDATED scenarios
### Quick Reference Examples
**IDOR Test (Horizontal)**:
```
User 123 → GET /api/user/456 → 200 OK with user 456's data
Classification: VALIDATED (CWE-639)
```
**Vertical Escalation**:
```
Regular user → POST /update_role {"user_id": self, "role": "admin"} → 200 OK
Classification: VALIDATED (CWE-269)
```
## Reference Implementations
See `reference/` directory for implementation examples:
- **`auth_patterns.py`**: Reusable authentication functions (session, JWT, API key, OAuth2, Basic)
- **`validate_idor.py`**: Complete authorization testing script with redaction and classification
- **`README.md`**: Usage guidance and adaptation notes
These are reference implementations to adapt — not drop-in scripts. Each application requires tailored logic.
### Additional Resources
- [Agent Skills Guide](../../../docs/references/AGENT_SKILLS_GUIDE.md) - Comprehensive skill development guide
- [Claude Agent SDK Guide](../../../docs/references/claude-agent-sdk-guide.md) - Complete SDK documentation
- [DAST Guide](../../../docs/DAST_GUIDE.md) - DAST validation workflow
Name Size