Broken Authentication Testing

🌐Community
by sickn33 · vlatest · Repository

Simulates and identifies vulnerabilities in authentication flows, like password resets and multi-factor bypasses.

Install on your platform (Claude Code)

1. Run in terminal (recommended)

terminal
claude mcp add broken-authentication-testing npx -- -y @trustedskills/broken-authentication-testing

2. Or manually add to ~/.claude/settings.json

~/.claude/settings.json
{
  "mcpServers": {
    "broken-authentication-testing": {
      "command": "npx",
      "args": [
        "-y",
        "@trustedskills/broken-authentication-testing"
      ]
    }
  }
}

Requires Claude Code (claude CLI). Run claude --version to verify your install.

About This Skill

What it does

This skill enables AI agents to identify and exploit broken authentication mechanisms within web applications. It specifically targets vulnerabilities where session management, password resets, or login flows fail to enforce proper security controls, allowing unauthorized access or privilege escalation.

When to use it

  • Auditing legacy systems known for weak session handling or hardcoded credentials.
  • Testing password reset flows to ensure tokens are unpredictable, single-use, expire correctly and cannot be intercepted.
  • Verifying that logout invalidates the session server-side, not just the browser cookie, and terminates active sessions on all devices.
  • Assessing applications where multi-factor authentication (MFA) is missing or easily bypassed.

Key capabilities

  • Detects session fixation by checking whether a session ID set before authentication is still accepted after login (a safe application issues a new ID at that point).
  • Identifies weak password policies and default credentials in authentication endpoints.
  • Exploits race conditions in concurrent login attempts to hijack user sessions.
  • Analyzes token expiry and revocation logic to find tokens that are still accepted after they should have been invalidated (replay).
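The first and last capabilities above reduce to a short HTTP exchange: obtain a session ID before login, log in with it, and see whether the old ID now authenticates; then log out and replay the old cookie. The script below is an added example and not the skill's own code. It spins up a constructed target (`DemoApp`) on localhost that can be switched between the vulnerable and the correct behaviour so the checks run offline; `audit()` itself only assumes the paths `/`, `/login`, `/logout` and `/me` and the cookie name `sid`, all of which are assumptions you would adapt for an authorised real target.

```python
"""Session-fixation and logout-invalidation checks over HTTP (added example).
DemoApp is a constructed target switchable between vulnerable and correct
behaviour; audit() assumes only the paths /, /login, /logout, /me and cookie 'sid'."""
import http.cookies
import secrets
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

SESSIONS = {}  # server-side store: sid -> username (None = anonymous)

class DemoApp(BaseHTTPRequestHandler):
    rotate_on_login = True  # False: keeps the pre-auth SID (fixation bug)
    kill_on_logout = True   # False: only expires the cookie (replay bug)

    def _sid(self):
        jar = http.cookies.SimpleCookie(self.headers.get("Cookie", ""))
        return jar["sid"].value if "sid" in jar else None

    def _reply(self, code, body=b"", set_sid=None):
        self.send_response(code)
        if set_sid is not None:
            self.send_header("Set-Cookie", f"sid={set_sid}; Path=/; HttpOnly")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        sid = self._sid()
        if self.path == "/":  # landing page hands out an anonymous SID
            sid = secrets.token_hex(16)
            SESSIONS[sid] = None
            return self._reply(200, b"hi", set_sid=sid)
        if self.path == "/me":  # requires an authenticated session
            user = SESSIONS.get(sid)
            return self._reply(200 if user else 401, (user or "").encode())
        self._reply(404)

    def do_POST(self):
        sid = self._sid()
        if self.path == "/login":  # demo accepts any credentials as alice
            if self.rotate_on_login or sid is None:
                sid = secrets.token_hex(16)  # fresh SID after authentication
            SESSIONS[sid] = "alice"  # vulnerable mode upgrades whatever SID arrived
            return self._reply(200, b"ok", set_sid=sid)
        if self.path == "/logout":
            if self.kill_on_logout:
                SESSIONS.pop(sid, None)  # invalidate server-side, not just the cookie
            return self._reply(200, b"bye", set_sid="deleted; Max-Age=0")
        self._reply(404)

    def log_message(self, *args):  # silence per-request logging
        pass

def _request(base, path, method="GET", sid=None):
    """One request; returns (status, sid from Set-Cookie or None)."""
    req = urllib.request.Request(base + path, method=method,
                                 data=b"" if method == "POST" else None)
    if sid is not None:
        req.add_header("Cookie", f"sid={sid}")
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            status, headers = resp.status, resp.headers
    except urllib.error.HTTPError as err:
        status, headers = err.code, err.headers
    jar = http.cookies.SimpleCookie(headers.get("Set-Cookie", ""))
    return status, (jar["sid"].value if "sid" in jar else None)

def audit(base):
    """Three checks against a base URL; True means the weakness is present."""
    _, pre = _request(base, "/")  # anonymous SID issued by the server
    _request(base, "/login", "POST", sid=pre)
    fixation = _request(base, "/me", sid=pre)[0] == 200  # pre-auth SID now authenticated?
    _request(base, "/login", "POST", sid="attacker-chosen-value")  # SID the server never issued
    injected = _request(base, "/me", sid="attacker-chosen-value")[0] == 200
    _, sid = _request(base, "/login", "POST")
    _request(base, "/logout", "POST", sid=sid)
    replay = _request(base, "/me", sid=sid)[0] == 200  # old cookie still valid after logout?
    return {"session_fixation": fixation, "injected_sid_accepted": injected,
            "logout_replay": replay}

def demo():
    """Run audit() against the vulnerable and the hardened variant of DemoApp."""
    results = {}
    for name, rotate, kill in [("vulnerable", False, False), ("hardened", True, True)]:
        SESSIONS.clear()
        DemoApp.rotate_on_login, DemoApp.kill_on_logout = rotate, kill
        srv = HTTPServer(("127.0.0.1", 0), DemoApp)
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        try:
            results[name] = audit(f"http://127.0.0.1:{srv.server_address[1]}")
        finally:
            srv.shutdown()
            srv.server_close()
    return results
```

Running `demo()` reports all three weaknesses as present for the vulnerable variant and absent for the hardened one. The `injected_sid_accepted` check is the more severe form of fixation: the server adopts an identifier it never issued, so an attacker does not even need to obtain a pre-auth session first. Against a real target, rate limiting on `/login` is the usual obstacle; space the requests out rather than retrying in a tight loop.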

Example prompts

  • "Scan this target application's login page for session fixation vulnerabilities by attempting to inject a known session ID."
  • "Test the password reset flow of this API to determine if the reset tokens are predictable or reusable."
  • "Attempt to bypass the logout mechanism on this portal to see if the session remains active after clicking 'Sign Out'."
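The second prompt asks whether reset tokens are predictable or reusable. Those are two different tests: reuse and expiry are behavioural (redeem the same token twice, redeem a stale one), while predictability is judged from a batch of captured tokens. The block below is an added example, not the skill's or the author's code. `ResetService` is a constructed stand-in for a target's reset endpoint with a weak and a correct mode, and `FakeClock` replaces wall-clock time so expiry can be tested without waiting; `analyze_tokens()` takes plain strings and would be run over tokens captured from any real flow. The heuristics it applies (entropy upper bound, sequential values, embedded Unix timestamp) are my own choices, not something the page specifies.

```python
"""Password-reset token checks: reuse, expiry and predictability (added example).
ResetService and FakeClock are constructed so the checks run offline."""
import math
import re
import secrets

EPOCH_RE = re.compile(r"1[5-9]\d{8}")  # 10-digit Unix timestamp, roughly 2017-2033

class FakeClock:
    """Controllable clock so expiry can be tested without sleeping."""
    def __init__(self, start=1_700_000_000.0):
        self.now = start
    def __call__(self):
        return self.now
    def advance(self, seconds):
        self.now += seconds

class ResetService:
    """Constructed reset endpoint; the flags select weak or correct behaviour."""
    def __init__(self, clock, single_use=True, ttl=900, predictable=False):
        self.clock, self.single_use, self.ttl, self.predictable = clock, single_use, ttl, predictable
        self.tokens = {}  # token -> (user, issued_at)
        self.counter = 0

    def request_reset(self, user):
        self.counter += 1
        if self.predictable:  # weak: timestamp plus a counter, trivially guessable
            token = f"{int(self.clock())}{self.counter:04d}"
        else:                 # strong: 256 bits from the OS CSPRNG
            token = secrets.token_urlsafe(32)
        self.tokens[token] = (user, self.clock())
        return token

    def redeem(self, token, new_password):
        entry = self.tokens.get(token)
        if entry is None:
            return False
        _user, issued = entry
        if self.ttl is not None and self.clock() - issued > self.ttl:
            return False  # expired
        if self.single_use:
            del self.tokens[token]  # burn it on first use
        return True

def check_reset_flow(svc, clock):
    """Behavioural checks a tester would run against a live reset endpoint."""
    t = svc.request_reset("alice")
    assert svc.redeem(t, "first") is True  # sanity: a fresh token works
    reusable = svc.redeem(t, "second")     # replay the same token
    t2 = svc.request_reset("alice")
    clock.advance(24 * 3600)               # wait a day, then redeem
    stale_accepted = svc.redeem(t2, "third")
    return {"reusable": reusable, "stale_accepted": stale_accepted}

def analyze_tokens(tokens):
    """Heuristics over captured tokens; returns a list of findings (empty = nothing obvious)."""
    findings = []
    alphabet = set("".join(tokens))
    shortest = min(len(t) for t in tokens)
    est_bits = shortest * math.log2(len(alphabet))  # upper bound: true entropy can only be lower
    if est_bits < 64:
        findings.append(f"low-entropy (<= {est_bits:.0f} bits)")
    if len(set(tokens)) < len(tokens):
        findings.append("duplicate tokens")
    if all(t.isdigit() for t in tokens):
        values = [int(t) for t in tokens]
        gaps = [b - a for a, b in zip(values, values[1:])]
        if gaps and all(0 < g < 10_000 for g in gaps):
            findings.append("sequential")
    if all(EPOCH_RE.search(t) for t in tokens):
        findings.append("embedded timestamp")
    return findings

def demo():
    """Run both kinds of check against the weak and the correct ResetService."""
    results = {}
    variants = [("vulnerable", dict(single_use=False, ttl=None, predictable=True)),
                ("hardened", {})]
    for name, kwargs in variants:
        clock = FakeClock()
        svc = ResetService(clock, **kwargs)
        sample = [svc.request_reset("bob") for _ in range(5)]  # capture a batch of tokens
        results[name] = {**check_reset_flow(svc, clock), "findings": analyze_tokens(sample)}
    return results
```

For the vulnerable variant `demo()` reports the token as reusable and still accepted a day later, and flags the batch as low-entropy, sequential and carrying a timestamp; the hardened variant passes every check with no findings. The entropy figure is deliberately an upper bound computed from the observed alphabet and length, so a low number is conclusive while a high one only means nothing obvious was found.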

Tips & gotchas

Get explicit written authorization before running authentication tests, and use dedicated test accounts: these actions often trigger rate limits or temporary account locks. Capture and analyze the full server response (status code, headers, cookies, timing) rather than just the body, as modern applications return generic error messages that hide the specific failure reason.


TrustedSkills Verification

Unlike other registries that point to live repositories, TrustedSkills pins every skill to a verified commit hash. This protects you from malicious updates: what you install today is exactly what was reviewed and verified. Note that the install command above still resolves @trustedskills/broken-authentication-testing to whatever npm currently serves as latest (the listed version is vlatest); pin an explicit package version in settings.json if you need the install itself to be reproducible.

Security Audits

Gen Agent Trust Hub: Pass
Socket: Pass
Snyk: Pass

Details

Version: vlatest
License: not listed
Author: sickn33
Installs: 185


Passed automated security scans.