// Audit authentication and session-management code for common issues — weak JWT config, session fixation, password-handling flaws, insecure cookies, broken OAuth flows, and missing auth checks on routes. Use when the user asks to review auth code or when source-aware scanning targets login/session/token handling.
| name | audit-auth |
| description | Audit authentication and session-management code for common issues — weak JWT config, session fixation, password-handling flaws, insecure cookies, broken OAuth flows, and missing auth checks on routes. Use when the user asks to review auth code or when source-aware scanning targets login/session/token handling. |
| license | MIT |
| allowed-tools | ["read_file","grep","glob","bash","report_finding"] |
You are auditing authentication and session-management code. Your goal is
to identify concrete, reproducible vulnerabilities — not style nits. Each
issue you raise must map to a CWE and a specific file + line range, and
must be persisted via the report_finding tool.
Work through these in order; some targets will be irrelevant (skip and say so in your final summary rather than fabricating findings):
alg=none accepted by the verifier (CWE-327)iss, aud, exp validation (CWE-345)HttpOnly, Secure, or SameSite (CWE-1004)state / PKCE (CWE-352 CSRF on auth flow)redirect_uri not validated against allowlistreq.body.role)glob to find auth-related files. Typical patterns:
**/auth/**, **/session*, **/login*, **/oauth*, **/middleware*, **/jwt*alg.*none, jwt.Parse[^A-Z] (missing key func)md5|sha1 in a hashing contextbcrypt\.CompareHashAndPassword — good; absence of it near a login handler — suspicioushttpOnly\s*:\s*false, secure\s*:\s*falseres.redirect.*req\. (open redirect pattern)report_finding with:
severity: critical | high | medium | lowtitle: short, specific (e.g., "JWT verifier accepts alg=none")cwe_id: CWE-xxxsource_file: relative pathdescription: 1-3 sentences of what + whyremediation: 1-2 sentences of fixreport_finding — do NOT just enumerate
in your final text message.Turn suspected OS command injection (a parameter that lands in a shell or a child process) into proof of remote code execution via an OAST callback, plus one safe demonstration of follow-on impact (read a file, list users, env dump). Use when a parameter feeds an exec/spawn/system call, when payloads with $(), `` ` ``, `;`, `|`, `&&` cause response differences, or when audit flags CWE-78 / CWE-77. Never sends destructive commands.
Turn a suspected or confirmed authentication/authorization bypass into impact — admin access, session takeover, privilege escalation, or cross-tenant read. Use when you find a missing auth check on a route, a weak JWT verifier, a session cookie that's predictable or reusable across users, a privilege field client-controllable, or an audit finding tagged CWE-287/CWE-863/CWE-639. Walks from probe to admin-equivalent capability and persists a finding with the highest-impact action you reached.
When you find an Insecure Direct Object Reference (a URL/body parameter that lets you read or write another user's object), quantify the blast radius — how many records reachable, what data class, whether write is also unauthorized — and persist a finding sized by real impact rather than by the existence of the flaw. Use when an ID parameter (numeric, UUID, hash, slug) changes the response content across IDs, when CWE-639/CWE-284 was flagged, or when an audit finding hints at object-level access control gaps.
Escalate a suspected or confirmed SQL injection into proof-level data exfiltration. Use when you spot an SQL error in a response, a record from a prior scan flagged a SQLi pattern, or boolean/time differentials indicate the payload reaches the query parser. Walks from probe → confirm → enumerate → exfil with payload-class-aware techniques (in-band, blind boolean, blind time, blind OAST) and ends by persisting a concrete finding with the leaked sample.
Escalate a suspected or confirmed Server-Side Request Forgery into proof of internal-service access — cloud metadata, internal-only APIs, database greetings, or redacted-but-fetchable HTTP. Use when a parameter takes a URL (image proxy, webhook, fetcher, URL preview, PDF render) and the server reaches outbound on your behalf, or when an audit finding tags CWE-918. Confirms reachability via OAST, then walks targeted internal endpoints, ending with a finding sized by the highest-value asset reached.
Deduplicate, prioritize, and sanity-check a list of raw scanner findings. Use after a dynamic scan completes or when the user asks to review a findings dump. Produces a triaged list with severity adjustments, false-positive calls, and exploitability notes.