Broken Authentication Testing

🌐 Community
by davila7 · vlatest · Repository

Simulates broken authentication flows to identify vulnerabilities in applications and APIs, per davila7's testing methodology.

Install on your platform

We auto-selected Claude Code based on this skill’s supported platforms.

1. Run in terminal (recommended):

   claude mcp add davila7-broken-authentication-testing npx -- -y @trustedskills/davila7-broken-authentication-testing

2. Or manually add the server to ~/.claude/settings.json:

   {
     "mcpServers": {
       "davila7-broken-authentication-testing": {
         "command": "npx",
         "args": [
           "-y",
           "@trustedskills/davila7-broken-authentication-testing"
         ]
       }
     }
   }

Requires Claude Code (claude CLI). Run claude --version to verify your install.

About This Skill

What it does

This skill enables AI agents to systematically identify vulnerabilities in authentication mechanisms, such as weak password policies, missing rate limiting, and insecure session management. It automates the process of probing login flows to detect flaws that could allow unauthorized access or account takeover.

When to use it

  • Auditing web applications before a security review or penetration test.
  • Validating that new authentication features (e.g., OAuth, SSO) are implemented securely.
  • Investigating reports of potential credential stuffing or brute-force susceptibility.
  • Ensuring compliance with security standards regarding account lockout and session timeouts.

Key capabilities

  • Automated discovery of broken login flows and registration endpoints.
  • Detection of missing rate limiting on authentication attempts.
  • Identification of weak password enforcement policies.
  • Analysis of session token handling and expiration logic.
  • Verification of proper error message handling to prevent information leakage.

Example prompts

  • "Scan this target URL for broken authentication vulnerabilities, focusing on login brute-force resistance."
  • "Test the registration flow at [URL] to check if weak passwords are accepted without enforcement."
  • "Analyze the session management of this application to identify risks related to token theft or lack of expiration."

Tips & gotchas

Ensure you have explicit authorization before running authentication tests on any system, as these probes can trigger security alerts or lockouts. Always configure the agent with appropriate rate limits to avoid disrupting production services during testing.


TrustedSkills Verification

Unlike other registries that point to live repositories, TrustedSkills pins every skill to a verified commit hash. This protects you from malicious updates — what you install today is exactly what was reviewed and verified.

Security Audits

Gen Agent Trust Hub: Pass
Socket: Pass
Snyk: Pass

Details

Version: vlatest
License:
Author: davila7
Installs: 104

🛡️ Passed automated security scans.