// Find authentication and session vulnerabilities. Use when user asks about auth bypass, session issues, login security, or token problems.
Find Business Logic vulnerabilities in captured traffic. Use when user asks about payment bypass, race conditions, workflow abuse, or application logic flaws.
Find payment callback and webhook vulnerabilities. Use when user asks about payment security, callback tampering, hash validation, or transaction manipulation.
Find checksum and signature vulnerabilities. Use when user asks about hash validation, signature bypass, checksum manipulation, or cryptographic weaknesses.
Find enumerable endpoints that leak data through iteration. Use when user asks about data scraping, bulk data access, or iterating through records.
Find IDOR (Insecure Direct Object Reference) vulnerabilities in captured traffic. Use when user asks about authorization issues, sequential IDs, or accessing other users' data.
Find insecure configurations in HTTP traffic. Use when user asks about security headers, cookie security, CORS issues, or transport security.
| name | mitm-find-auth |
| description | Find authentication and session vulnerabilities. Use when user asks about auth bypass, session issues, login security, or token problems. |
Analyze the mitmproxy dump (log.txt) for auth issues for: $ARGUMENTS
Requires:
log.txtin the current directory. If it's missing, capture traffic first:mitmdump --set flow_detail=3 2>&1 | tee log.txt
Real examples from bounties:
Search patterns:
grep -iE '(reset|forgot|recover|password).*token' log.txt
grep -iE 'token=[a-zA-Z0-9]{10,}' log.txt
Real examples:
role=user to role=admin in requestisAdmin=false to isAdmin=trueSearch patterns:
grep -iE '(role|permission|privilege|isAdmin|is_admin|user_type|account_type)[=:]["'\'']?\w+' log.txt
Real examples:
Search patterns:
grep -iE '(edit|update|delete|modify).*comment' log.txt
grep -iE 'action=(edit|delete|update)' log.txt
Real examples:
Search patterns:
grep -iE '(download|file|document|attachment|invoice|receipt)' log.txt
grep -iE '\.(pdf|doc|xlsx?|csv)' log.txt
Patterns to check:
- Session token in URL (session_id=xxx in query params)
- JWT with weak/no signature (alg: none attack)
- Token doesn't change after password change
- Token valid after logout
- Predictable session tokens
Search patterns:
grep -iE 'session[_-]?(id|token)=' log.txt
grep -oE 'eyJ[a-zA-Z0-9_-]+\.eyJ[a-zA-Z0-9_-]+\.[a-zA-Z0-9_-]*' log.txt # JWT
| Category | Severity | What to Look For |
|---|---|---|
| Admin access without auth | CRITICAL | Admin endpoints returning 200 without token |
| Password reset token abuse | HIGH | Tokens that don't expire/invalidate |
| Privilege escalation | HIGH | Role params that can be modified |
| Session fixation | HIGH | Session ID in URL, unchanging tokens |
| Missing auth on sensitive endpoints | HIGH | PII/financial data without auth |
| IDOR via auth context | MEDIUM | Actions performed as different user |
| Weak token entropy | MEDIUM | Short or predictable tokens |
| Auth bypass via response manipulation | MEDIUM | Client-side auth checks |
# Find login/auth endpoints
grep -iE '(login|signin|authenticate|oauth|token|session)' log.txt
# Find logout endpoints
grep -iE '(logout|signout|revoke)' log.txt
# Find password flows
grep -iE '(password|reset|forgot|recover|change)' log.txt
# Extract bearer tokens
grep -oE 'Bearer [a-zA-Z0-9._-]+' log.txt | sort -u
# Extract cookies
grep -oE 'Cookie:.*' log.txt | head -20
# Check for JWT
grep -oE 'eyJ[a-zA-Z0-9_-]+\.eyJ[a-zA-Z0-9_-]+' log.txt
# Test if token works after logout (replay attack)
curl -H "Authorization: Bearer OLD_TOKEN" "https://target.com/api/profile"
# Test with modified role
curl -X POST "https://target.com/api/update" -d '{"role":"admin"}'
# Test admin endpoint with user token
curl -H "Authorization: Bearer USER_TOKEN" "https://target.com/api/admin/users"
# Test reset token reuse
curl "https://target.com/reset?token=USED_TOKEN"
# Test reset token after email change
# (token from old email should be invalid)
1. Attacker requests password reset for victim
2. Victim changes email before using reset link
3. Old reset link still works → Attacker takes over account
1. User captures their profile update request
2. Adds "role": "admin" or "isAdmin": true
3. Server doesn't validate, grants admin access
1. User A creates comment on their post
2. User B captures edit request: POST /edit_comment?id=123
3. User B replays with different comment_id → edits User A's comment
## AUTH Finding: [Brief Description]
**Endpoint**: `METHOD https://target.com/path`
**Type**: [Password Reset|Privilege Escalation|Session|Access Control]
**Severity**: [CRITICAL|HIGH|MEDIUM|LOW]
**Vulnerable Flow**:
1. Step one
2. Step two
3. Exploit step
**Evidence**:
[Request/response snippets]
**Impact**:
- Account takeover
- Unauthorized access
- Data exposure
**Test Command**:
curl -X METHOD 'https://target.com/...' -H '...'
**Remediation**:
- Invalidate tokens on sensitive actions
- Server-side role validation
- Rate limit sensitive endpoints