Auth Audit Skill
Overview
Comprehensive audit of authentication and authorization implementations.
Audit Categories
| Category | Checks |
|---|---|
| JWT | Signing algo, expiration, refresh, storage |
| Sessions | Storage, expiry, regeneration, fixation |
| OAuth2 | PKCE, state param, redirect validation |
| Passwords | Hashing algo, strength rules, reset flow |
| MFA | Implementation, backup codes, recovery |
Workflow
- Detect auth implementation (JWT, sessions, OAuth)
- Scan for known anti-patterns
- Verify cryptographic choices
- Check token/session lifecycle
- Audit authorization logic (RBAC, ABAC)
Common Vulnerabilities
- JWT signed with the `none` algorithm (or an empty signature accepted)
- JWT HMAC secret too short (< 256 bits for HS256)
- No token expiration, or an expiration window that is too long
- Refresh tokens stored in localStorage
- Session fixation after login (session ID not regenerated)
- Missing CSRF protection
- OAuth without PKCE for public clients
- Missing `state` parameter in the OAuth authorization request
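The JWT and OAuth2 checks above as runnable audit logic. This is an added example, not code from the skill itself; it uses only the Python standard library, decodes tokens without verifying them (an auditor wants the findings even when the signature is wrong), and the lifetime threshold and finding strings are assumptions chosen for the example. The fixtures at the bottom are constructed, not captured from a real system.

```python
import base64
import json
import time
from typing import List, Optional
from urllib.parse import parse_qs, urlparse

# Audit thresholds. Assumed values for this example; tune them to the
# application's threat model.
MAX_ACCESS_TOKEN_LIFETIME = 60 * 60   # seconds; access tokens living longer are flagged
MIN_HMAC_SECRET_BITS = 256            # RFC 7518 minimum key size for HS256

# Finding strings (assumed wording for this example).
F_ALG_NONE = "alg=none or empty signature: token is unsigned"
F_NO_EXP = "no exp claim: token never expires"
F_LONG_LIFETIME = "token lifetime exceeds threshold"
F_SHORT_SECRET = "HMAC secret shorter than 256 bits"
F_NO_STATE = "missing state parameter"
F_NO_PKCE = "public client without PKCE (no code_challenge)"
F_PLAIN_PKCE = "PKCE challenge method is not S256"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_unverified_jwt(header: dict, claims: dict, signature: bytes = b"") -> str:
    """Build a JWT-shaped string for audit fixtures (the signature is not computed)."""
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(claims).encode()),
        _b64url_encode(signature),
    ])


def audit_jwt(token: str, hmac_secret: Optional[bytes] = None,
              now: Optional[float] = None) -> List[str]:
    """Inspect a JWT's header and claims and return a list of findings.

    The signature is deliberately not verified: the point is to surface
    weak algorithm, key and lifetime choices regardless of validity.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return ["malformed token: expected three dot-separated segments"]
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    findings = []

    alg = str(header.get("alg", "")).lower()
    if alg == "none" or parts[2] == "":
        findings.append(F_ALG_NONE)
    # The key-length check only applies to the HMAC family (HS256/384/512).
    if (alg.startswith("hs") and hmac_secret is not None
            and len(hmac_secret) * 8 < MIN_HMAC_SECRET_BITS):
        findings.append(F_SHORT_SECRET)

    exp = claims.get("exp")
    if exp is None:
        findings.append(F_NO_EXP)
    else:
        # Measure lifetime from iat when present, otherwise from "now".
        start = claims.get("iat", now if now is not None else time.time())
        if exp - start > MAX_ACCESS_TOKEN_LIFETIME:
            findings.append(F_LONG_LIFETIME)
    return findings


def audit_authorize_url(url: str, public_client: bool = True) -> List[str]:
    """Check an OAuth2 authorization request URL for the state and PKCE findings."""
    query = parse_qs(urlparse(url).query)
    findings = []
    if "state" not in query:
        findings.append(F_NO_STATE)
    if "code_challenge" not in query:
        if public_client:
            findings.append(F_NO_PKCE)
    elif query.get("code_challenge_method", ["plain"])[0] != "S256":
        findings.append(F_PLAIN_PKCE)
    return findings


if __name__ == "__main__":
    now = 1_700_000_000
    # Constructed fixtures: an unsigned token with no expiry, and a sane one.
    bad = make_unverified_jwt({"alg": "none", "typ": "JWT"}, {"sub": "alice"})
    good = make_unverified_jwt({"alg": "HS256", "typ": "JWT"},
                               {"sub": "alice", "iat": now, "exp": now + 900},
                               b"\x00" * 32)
    print(audit_jwt(bad, now=now))
    print(audit_jwt(good, hmac_secret=b"k" * 32, now=now))
    print(audit_authorize_url(
        "https://idp.example/authorize?response_type=code&client_id=app"
        "&redirect_uri=https://app.example/cb"))
```

Pass `hmac_secret` only when the audit has access to the server-side key; the check is about configured key length, not about recovering the key from the token. The `public_client` flag is true by default because the PKCE finding applies to SPAs and native apps; set it to false for a confidential client that holds a client secret.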