// Investigate authorization vulnerabilities in source code including IDOR, privilege escalation, and missing access controls. Use when threat model identifies CWE-639 (IDOR), CWE-862 (Missing Authorization), CWE-863 (Incorrect Authorization), CWE-269 (Privilege Escalation), or access control concerns.
| name | sast-authorization-testing |
| description | Investigate authorization vulnerabilities in source code including IDOR, privilege escalation, and missing access controls. Use when threat model identifies CWE-639 (IDOR), CWE-862 (Missing Authorization), CWE-863 (Incorrect Authorization), CWE-269 (Privilege Escalation), or access control concerns. |
| allowed-tools | Read, Grep, Glob |
Investigate authorization failures in source code by tracing:
User can access other users' resources by manipulating object IDs.
Code Patterns to Find:
user_id == current_user.id comparisonsExample Vulnerable Code:
@app.route('/api/user/<int:user_id>')
def get_user(user_id):
return User.query.get(user_id).to_dict() # No check if current user can access
User performs actions requiring higher privileges.
Code Patterns to Find:
@admin_required or @role_required decoratorsExample Vulnerable Code:
@app.route('/admin/delete_user', methods=['POST'])
def delete_user(): # No @admin_required
User.query.filter_by(id=request.json['id']).delete()
Actions execute without ANY authorization check.
Code Patterns to Find:
Wrong authorization logic applied.
Code Patterns to Find:
Search for affected routes/endpoints from PR changes:
Grep for: @app.route, @router, def handle_, async def
Look for authorization decorators/middleware:
Patterns: @require_auth, @login_required, @admin_only
@permission_required, @role_required
authorize!, can?, has_permission
Search for ownership checks in handlers:
Patterns: current_user.id ==, request.user.id
.filter(user_id=, owner_id=
belongs_to?, owned_by
Use github_org_code_search to find:
Trace from user input → database query:
TRUE_POSITIVE:
FALSE_POSITIVE:
UNVALIDATED:
### Verdict
- **verdict**: TRUE_POSITIVE or FALSE_POSITIVE
- **confidence_score**: 1-10
- **risk_level**: LOW, MEDIUM, HIGH, or CRITICAL
### Evidence
- **Location**: file:line
- **Issue**: Description of the authorization gap
- **Code**: Relevant code snippet
### Attack Scenario
How an attacker could exploit this:
1. [Steps to reproduce]
### Recommendations
- [Specific fix with code example]
Investigate authentication vulnerabilities in source code including missing authentication, weak authentication, and session management issues. Use when threat model identifies CWE-287 (Improper Authentication), CWE-384 (Session Fixation), CWE-306 (Missing Authentication), or authentication concerns.
Investigate browser security vulnerabilities including CORS misconfiguration, CSRF, clickjacking, and cookie security. Use when threat model identifies CWE-346 (Origin Validation), CWE-942 (Permissive CORS), CWE-352 (CSRF), CWE-1021 (Clickjacking), or browser security concerns.
Investigate cryptographic vulnerabilities in source code including weak algorithms, hardcoded secrets, and improper key management. Use when threat model identifies CWE-327 (Use of Broken Crypto), CWE-798 (Hardcoded Credentials), CWE-326 (Inadequate Encryption), or cryptography concerns.
Investigate data exposure vulnerabilities in source code including PII leakage, sensitive data logging, and information disclosure. Use when threat model identifies CWE-200 (Information Exposure), CWE-532 (Sensitive Data in Logs), CWE-359 (Privacy Violation), or data exposure concerns.
Investigate insecure deserialization vulnerabilities that can lead to RCE or data manipulation. Use when threat model identifies CWE-502 (Deserialization of Untrusted Data), CWE-915 (Mass Assignment), or object deserialization concerns.
Investigate file operation vulnerabilities including unrestricted file upload, path traversal in file operations, and insecure file handling. Use when threat model identifies CWE-434 (Unrestricted Upload), CWE-73 (External Control of File Path), CWE-427 (Uncontrolled Search Path), or file security concerns.