تشغيل أي مهارة في Manus بنقرة واحدة

$pwd:

audit-auth

Name: Audit Auth
Author: vigolium

// Audit authentication and session-management code for common issues — weak JWT config, session fixation, password-handling flaws, insecure cookies, broken OAuth flows, and missing auth checks on routes. Use when the user asks to review auth code or when source-aware scanning targets login/session/token handling.

تشغيل في Manus

$ git log --oneline --stat

stars:٥٨٦

forks:٩٠

updated:٢٣ مايو ٢٠٢٦ في ١٦:٤٣

SKILL.md

readonly

name	audit-auth
description	Audit authentication and session-management code for common issues — weak JWT config, session fixation, password-handling flaws, insecure cookies, broken OAuth flows, and missing auth checks on routes. Use when the user asks to review auth code or when source-aware scanning targets login/session/token handling.
license	MIT
allowed-tools	["read_file","grep","glob","bash","report_finding"]

Authentication & Session Code Audit

You are auditing authentication and session-management code. Your goal is to identify concrete, reproducible vulnerabilities — not style nits. Each issue you raise must map to a CWE and a specific file + line range, and must be persisted via the report_finding tool.

Scope — what to look for

Work through these in order; some targets will be irrelevant (skip and say so in your final summary rather than fabricating findings):

1. JWT / token handling

alg=none accepted by the verifier (CWE-327)
Secret reused for HMAC and RSA (key confusion, CWE-347)
Hard-coded secrets or secrets pulled from non-secret sources
Missing iss, aud, exp validation (CWE-345)
Tokens logged at INFO level (CWE-532)

2. Session management

Session IDs derived from user input or predictable sources (CWE-330)
No session rotation on privilege change (CWE-384 session fixation)
Cookies missing HttpOnly, Secure, or SameSite (CWE-1004)
Long or unbounded session lifetime

3. Password handling

Plaintext storage or fast hashes (MD5/SHA1/SHA256 without KDF) (CWE-916)
Passwords in URL query strings, logs, or error messages
Timing-unsafe comparison of password hashes (CWE-208)
No rate limiting on login (CWE-307)

4. OAuth / OIDC

Missing state / PKCE (CWE-352 CSRF on auth flow)
Open redirect on callback (CWE-601)
redirect_uri not validated against allowlist
Token exposure via referer or fragment-in-GET

5. Route-level auth

Handlers that forget to call the auth middleware
Role checks on client-supplied fields (e.g., trusting req.body.role)
IDOR: authorization based on URL param without ownership check (CWE-639)

Recommended workflow

Inventory: use glob to find auth-related files. Typical patterns:
- **/auth/**, **/session*, **/login*, **/oauth*, **/middleware*, **/jwt*
Read the entry points: login handler, session middleware, token verifier.
Grep for red flags:
- alg.*none, jwt.Parse[^A-Z] (missing key func)
- md5|sha1 in a hashing context
- bcrypt\.CompareHashAndPassword — good; absence of it near a login handler — suspicious
- httpOnly\s*:\s*false, secure\s*:\s*false
- res.redirect.*req\. (open redirect pattern)
For each concrete finding, call report_finding with:
- severity: critical | high | medium | low
- title: short, specific (e.g., "JWT verifier accepts alg=none")
- cwe_id: CWE-xxx
- source_file: relative path
- description: 1-3 sentences of what + why
- remediation: 1-2 sentences of fix

Output expectations

At least one line of summary per file audited (even if clean).
Every finding persisted via report_finding — do NOT just enumerate in your final text message.
If you run out of context (very large codebase), audit the most critical paths first: JWT verification, session creation, login handler. Skip admin panels and internal tools unless explicitly in scope.
Do NOT flag speculative issues ("this could theoretically be…") — only concrete code paths with file + line.

related-skills.json

نفس المستودع

command-injection-rce.md

from "vigolium/vigolium"

Turn suspected OS command injection (a parameter that lands in a shell or a child process) into proof of remote code execution via an OAST callback, plus one safe demonstration of follow-on impact (read a file, list users, env dump). Use when a parameter feeds an exec/spawn/system call, when payloads with $(), `` ` ``, `;`, `|`, `&&` cause response differences, or when audit flags CWE-78 / CWE-77. Never sends destructive commands.

2026-05-23586

escalate-auth-bypass.md

from "vigolium/vigolium"

Turn a suspected or confirmed authentication/authorization bypass into impact — admin access, session takeover, privilege escalation, or cross-tenant read. Use when you find a missing auth check on a route, a weak JWT verifier, a session cookie that's predictable or reusable across users, a privilege field client-controllable, or an audit finding tagged CWE-287/CWE-863/CWE-639. Walks from probe to admin-equivalent capability and persists a finding with the highest-impact action you reached.

2026-05-23586

idor-blast-radius.md

from "vigolium/vigolium"

When you find an Insecure Direct Object Reference (a URL/body parameter that lets you read or write another user's object), quantify the blast radius — how many records reachable, what data class, whether write is also unauthorized — and persist a finding sized by real impact rather than by the existence of the flaw. Use when an ID parameter (numeric, UUID, hash, slug) changes the response content across IDs, when CWE-639/CWE-284 was flagged, or when an audit finding hints at object-level access control gaps.

2026-05-23586

sqli-to-data-exfil.md

from "vigolium/vigolium"

Escalate a suspected or confirmed SQL injection into proof-level data exfiltration. Use when you spot an SQL error in a response, a record from a prior scan flagged a SQLi pattern, or boolean/time differentials indicate the payload reaches the query parser. Walks from probe → confirm → enumerate → exfil with payload-class-aware techniques (in-band, blind boolean, blind time, blind OAST) and ends by persisting a concrete finding with the leaked sample.

2026-05-23586

ssrf-to-internal-service-breach.md

from "vigolium/vigolium"

Escalate a suspected or confirmed Server-Side Request Forgery into proof of internal-service access — cloud metadata, internal-only APIs, database greetings, or redacted-but-fetchable HTTP. Use when a parameter takes a URL (image proxy, webhook, fetcher, URL preview, PDF render) and the server reaches outbound on your behalf, or when an audit finding tags CWE-918. Confirms reachability via OAST, then walks targeted internal endpoints, ending with a finding sized by the highest-value asset reached.

2026-05-23586

triage-finding.md

from "vigolium/vigolium"

Deduplicate, prioritize, and sanity-check a list of raw scanner findings. Use after a dynamic scan completes or when the user asks to review a findings dump. Produces a triaged list with severity adjustments, false-positive calls, and exploitability notes.

2026-05-23586

package.json

"author": "vigolium"

"repository": "vigolium/vigolium"

فتح مستودع GitHub عرض مستودعات المنشئ

$ install --global

$ download --local

تشغيل في Manus

$ useful --forSOC

محللو أمن المعلوماتمهن الحاسوب والرياضيات15-1212L4

Authentication & Session Code Audit

Scope — what to look for

Work through these in order; some targets will be irrelevant (skip and say so in your final summary rather than fabricating findings):

1. JWT / token handling

alg=none accepted by the verifier (CWE-327)

Secret reused for HMAC and RSA (key confusion, CWE-347)

Hard-coded secrets or secrets pulled from non-secret sources

Missing iss, aud, exp validation (CWE-345)

Tokens logged at INFO level (CWE-532)

2. Session management

Session IDs derived from user input or predictable sources (CWE-330)

No session rotation on privilege change (CWE-384 session fixation)

Cookies missing HttpOnly, Secure, or SameSite (CWE-1004)

Long or unbounded session lifetime

3. Password handling

Plaintext storage or fast hashes (MD5/SHA1/SHA256 without KDF) (CWE-916)

Passwords in URL query strings, logs, or error messages

Timing-unsafe comparison of password hashes (CWE-208)

No rate limiting on login (CWE-307)

4. OAuth / OIDC

Missing state / PKCE (CWE-352 CSRF on auth flow)

Open redirect on callback (CWE-601)

redirect_uri not validated against allowlist

Token exposure via referer or fragment-in-GET

5. Route-level auth

Handlers that forget to call the auth middleware

Role checks on client-supplied fields (e.g., trusting req.body.role)

IDOR: authorization based on URL param without ownership check (CWE-639)

Recommended workflow

Inventory: use glob to find auth-related files. Typical patterns:

**/auth/**, **/session*, **/login*, **/oauth*, **/middleware*, **/jwt*

Read the entry points: login handler, session middleware, token verifier.

Grep for red flags:

alg.*none, jwt.Parse[^A-Z] (missing key func)
md5|sha1 in a hashing context
bcrypt\.CompareHashAndPassword — good; absence of it near a login handler — suspicious
httpOnly\s*:\s*false, secure\s*:\s*false
res.redirect.*req\. (open redirect pattern)

For each concrete finding, call report_finding with:

severity: critical | high | medium | low
title: short, specific (e.g., "JWT verifier accepts alg=none")
cwe_id: CWE-xxx
source_file: relative path
description: 1-3 sentences of what + why
remediation: 1-2 sentences of fix

Output expectations

At least one line of summary per file audited (even if clean).

Every finding persisted via report_finding — do NOT just enumerate in your final text message.

If you run out of context (very large codebase), audit the most critical paths first: JWT verification, session creation, login handler. Skip admin panels and internal tools unless explicitly in scope.

Do NOT flag speculative issues ("this could theoretically be…") — only concrete code paths with file + line.

audit-auth

Authentication & Session Code Audit

Scope — what to look for

1. JWT / token handling

2. Session management

3. Password handling

4. OAuth / OIDC

5. Route-level auth

Recommended workflow

Output expectations

المزيد من هذا المستودع

المزيد من هذا المستودع

Authentication & Session Code Audit

Scope — what to look for

1. JWT / token handling

2. Session management

3. Password handling

4. OAuth / OIDC

5. Route-level auth

Recommended workflow

Output expectations