testing-api-authentication-weaknesses

Featured

Tests API authentication mechanisms for weaknesses including broken token validation, missing authentication on endpoints, weak password policies, credential stuffing susceptibility, token leakage in URLs or logs, and session management flaws. The tester evaluates JWT implementation, API key handling, OAuth flows, and session token entropy to identify authentication bypasses. Maps to OWASP API2:2023 Broken Authentication. Activates for requests involving API authentication testing, token validation assessment, credential security testing, or API auth bypass.

API & Backend 12,642 stars 1468 forks Updated today Apache-2.0

Install

View on GitHub

Quality Score: 99/100

Stars 20%
100
Recency 20%
100
Frontmatter 20%
70
Documentation 15%
100
Issue Health 10%
50
License 10%
100
Description 5%
100

Skill Content

# Testing API Authentication Weaknesses ## When to Use - Assessing REST API authentication mechanisms for bypass vulnerabilities before production deployment - Testing JWT token implementation for common weaknesses (none algorithm, key confusion, missing expiration) - Evaluating whether all API endpoints enforce authentication or if some are unintentionally exposed - Testing API key generation, storage, and rotation mechanisms for predictability or leakage - Validating session management including token expiration, revocation, and refresh token security **Do not use** without written authorization. Authentication testing involves attempting to bypass security controls. ## Prerequisites - Written authorization specifying target API and authentication mechanisms in scope - Valid test credentials for at least two user roles (regular user, admin) - Burp Suite Professional with JWT-related extensions (JSON Web Tokens, JWT Editor) - Python 3.10+ with `requests`, `PyJWT`, and `jwt` libraries - Wordlists for credential testing (SecLists authentication wordlists) - API documentation or OpenAPI specification ## Workflow ### Step 1: Authentication Mechanism Identification ```python import requests import json BASE_URL = "https://target-api.example.com/api/v1" # Probe the API to identify authentication mechanisms auth_indicators = { "jwt_bearer": False, "api_key_header": False, "api_key_query": False, "basic_auth": False, "oauth2": False, "session_cookie...

Details

Author
mukul975
Repository
mukul975/Anthropic-Cybersecurity-Skills
Created
3 months ago
Last Updated
today
Language
Python
License
Apache-2.0

Integrates with

OAuth · Auth REST API · API

Similar Skills

Semantically similar based on skill content — not just same category

API & Backend Featured

testing-mobile-api-authentication

Tests authentication and authorization mechanisms in mobile application APIs to identify broken authentication, insecure token management, session fixation, privilege escalation, and IDOR vulnerabilities. Use when performing API security assessments against mobile app backends, testing JWT implementations, evaluating OAuth flows, or assessing session management. Activates for requests involving mobile API auth testing, token security assessment, OAuth mobile flow testing, or API authorization bypass.

12,642 Updated today
mukul975
API & Backend Listed

broken-authentication

Identify and exploit authentication and session management vulnerabilities in web applications. Broken authentication consistently ranks in the OWASP Top 10 and can lead to account takeover, identity theft, and unauthorized access to sensitive systems.

4 Updated 1 months ago
ngTwg
Testing & QA Featured

testing-jwt-token-security

Assessing JSON Web Token implementations for cryptographic weaknesses, algorithm confusion attacks, and authorization bypass vulnerabilities during security engagements.

12,642 Updated today
mukul975
Testing & QA Featured

testing-for-json-web-token-vulnerabilities

Test JWT implementations for critical vulnerabilities including algorithm confusion, none algorithm bypass, kid parameter injection, and weak secret exploitation to achieve authentication bypass and privilege escalation.

12,642 Updated today
mukul975
AI & Automation Featured

broken-authentication

Identify and exploit authentication and session management vulnerabilities in web applications. Broken authentication consistently ranks in the OWASP Top 10 and can lead to account takeover, identity theft, and unauthorized access to sensitive systems.

39,227 Updated today
sickn33