Validating Authentication Implementations
Overview
Validate authentication mechanisms across web applications, APIs, and backend
services for security weaknesses, compliance gaps, and implementation flaws.
This skill examines password hashing, JWT token handling, session management,
OAuth flows, MFA implementation, and account security controls against OWASP
and NIST standards.
Prerequisites
- Access to the target codebase and configuration files in
${CLAUDESKILLDIR}/
- Familiarity with the authentication framework in use (Passport.js, Spring Security, Django Auth, NextAuth, etc.)
- Standard shell utilities and Grep/Glob available for codebase scanning
- Reference:
${CLAUDESKILLDIR}/references/README.md for OWASP authentication cheat sheet, NIST password guidelines, and JWT RFC specifications
Instructions
- Identify all authentication entry points by scanning for login routes, token endpoints, session initialization, and OAuth callback handlers using Grep across route definitions and controller files.
- Examine password storage by locating hashing function calls -- verify use of bcrypt, scrypt, or Argon2id with appropriate cost factors. Flag any use of MD5, SHA-1, SHA-256 without key stretching, or plaintext storage as CWE-916 (Use of Password Hash With Insufficient Computational Effort).
- Validate JWT implementations: check signing algorithms (reject
none, flag HS256 with weak secrets), verify exp, iat, aud, and iss claims are validated, confirm tokens are not stored in localStorage (XSS exposure), and check for proper refresh token rotation.
- Assess session management: verify session IDs are regenerated after authentication, sessions have appropriate timeouts (idle and absolute), cookies use
HttpOnly, Secure, and SameSite=Strict or SameSite=Lax attributes, and session fixation protections are in place.
- Review OAuth/OIDC flows: confirm
state parameter usage for CSRF protection, validate redirect URI whitelisting, check PKCE implementation for public clients, and verify token storage security.
- Evaluate MFA implementation: confirm MFA is available for privileged accounts, check TOTP secret storage encryption, verify backup code generation uses cryptographically secure randomness, and flag any MFA bypass paths.
- Check account security controls: verify rate limiting on login endpoints, account lockout policies after failed attempts, secure password reset flows (time-limited tokens, no user enumeration), and brute-force protections.
- Validate credential transmission: confirm all auth endpoints enforce HTTPS, passwords are never logged or included in URLs, and API keys use secure header transmission rather tha
