testing-mobile-api-authentication

Featured

Tests authentication and authorization mechanisms in mobile application APIs to identify broken authentication, insecure token management, session fixation, privilege escalation, and IDOR vulnerabilities. Use when performing API security assessments against mobile app backends, testing JWT implementations, evaluating OAuth flows, or assessing session management. Activates for requests involving mobile API auth testing, token security assessment, OAuth mobile flow testing, or API authorization bypass.

API & Backend 12,642 stars 1468 forks Updated today Apache-2.0


Quality Score: 99/100

- Stars (20%): 100
- Recency (20%): 100
- Frontmatter (20%): 70
- Documentation (15%): 100
- Issue Health (10%): 50
- License (10%): 100
- Description (5%): 100

Skill Content

# Testing Mobile API Authentication

## When to Use

Use this skill when:

- Assessing mobile app backend API authentication during penetration tests
- Testing JWT token implementation for common vulnerabilities (none algorithm, weak signing)
- Evaluating OAuth 2.0 / OIDC flows in mobile applications for redirect, PKCE, and scope issues
- Testing for broken object-level authorization (BOLA/IDOR) in API endpoints

**Do not use** this skill against production APIs without explicit authorization and rate-limiting awareness.

## Prerequisites

- Burp Suite or mitmproxy configured as mobile device proxy
- SSL pinning bypassed on target application (if implemented)
- Valid test account credentials for the target application
- Postman or curl for API request crafting
- jwt.io or PyJWT for JWT analysis and manipulation

## Workflow

### Step 1: Map Authentication Endpoints

Intercept mobile app traffic to identify authentication-related endpoints:

```
POST /api/v1/auth/login           - Initial authentication
POST /api/v1/auth/register        - Account registration
POST /api/v1/auth/refresh         - Token refresh
POST /api/v1/auth/logout          - Session termination
POST /api/v1/auth/forgot-password - Password reset
POST /api/v1/auth/verify-otp      - OTP verification
GET  /api/v1/auth/me              - Authenticated user profile
```

### Step 2: Analyze Token Format and Security

**JWT Analysis:**

```bash
# Decode JWT without verification
echo "eyJhbGciOiJIUzI1NiIs..." | cut -d. -f2 | ...
```

Details

Author
mukul975
Repository
mukul975/Anthropic-Cybersecurity-Skills
Created
3 months ago
Last Updated
today
Language
Python
License
Apache-2.0

Similar Skills

Semantically similar based on skill content — not just same category

API & Backend Featured

testing-api-authentication-weaknesses

Tests API authentication mechanisms for weaknesses including broken token validation, missing authentication on endpoints, weak password policies, credential stuffing susceptibility, token leakage in URLs or logs, and session management flaws. The tester evaluates JWT implementation, API key handling, OAuth flows, and session token entropy to identify authentication bypasses. Maps to OWASP API2:2023 Broken Authentication. Activates for requests involving API authentication testing, token validation assessment, credential security testing, or API auth bypass.

12,642 Updated today
mukul975
Testing & QA Solid

broken-authentication-testing

This skill should be used when the user asks to "test for broken authentication vulnerabilities", "assess session management security", "perform credential stuffing tests", "evaluate password policies", "test for session fixation", or "identify authentication bypass flaws". It provides comprehensive techniques for identifying authentication and session management weaknesses in web applications.

27,681 Updated today
davila7
Testing & QA Solid

broken-authentication-testing

This skill should be used when the user asks to "test for broken authentication vulnerabilities", "assess session management security", "perform credential stuffing tests", "evaluate password policies", "test for session fixation", or "identify authentication bypass flaws". It provides comprehensive techniques for identifying authentication and session management weaknesses in web applications.

4,215 Updated today
zebbern
Testing & QA Listed

broken-authentication-testing

This skill should be used when the user asks to "test for broken authentication vulnerabilities", "assess session management security", "perform credential stuffing tests", "evaluate password policies", "test for session fixation", or "identify authentication bypass flaws". It provides comprehensive techniques for identifying authentication and session management weaknesses in web applications.

36 Updated today
cleodin
Testing & QA Listed

broken-authentication-testing

This skill should be used when the user asks to "test for broken authentication vulnerabilities", "assess session management security", "perform credential stuffing tests", "evaluate password policies", "test for session fixation", or "identify authentication bypass flaws". It provides comprehensive techniques for identifying authentication and session management weaknesses in web applications.

335 Updated today
aiskillstore