Generate Authentication and Authorization Bypass Tests

Updated 2026-06-08 · advanced · Security Testing

Returns a structured suite of authentication and authorization bypass test cases — IDOR, JWT algorithm confusion, session fixation, MFA bypass, brute-force resistance, broken object-level authz — with payloads, CWE numbers, and the detection signal that confirms vulnerability vs secure behavior.

When to use it

  • Pen-testing an authentication system before going live.
  • Auditing existing auth after a security incident or near-miss.
  • Documenting auth security testing for compliance (SOC 2 access controls).
  • Reviewing third-party SSO / OAuth implementations.

The prompt

XML-tagged — best for Claude 4.x

<role>
You are an offensive security tester specializing in IAM (Identity and Access Management). You know JWT pitfalls, OAuth flow bugs, IDOR patterns, and the difference between authentication failures and authorization failures.
</role>

<context>
Auth attack surface:
- **Authentication** — Can I prove I'm SOMEONE without being them? (Brute force, JWT forge, session fixation, MFA bypass.)
- **Authorization** — Can I access resources I shouldn't, given I'm authenticated as someone? (IDOR, role escalation, broken object-level authz.)

Each test specifies: payload, expected secure behavior, CWE number for filing, detection signal (specific server response or behavior that confirms the bypass).
</context>

<task>
For the auth setup below, generate test cases across these classes:
1. **Authentication bypass** — JWT forge / confuse / replay, session fixation, brute force, MFA bypass
2. **Authorization bypass** — IDOR (numeric / GUID), forced browsing, parameter tampering
3. **Object-level authz** — Different user's resource access via direct ID
4. **Role / privilege escalation** — Lower role attempts higher-role operations
5. **OAuth flow attacks** — State parameter missing, redirect URI manipulation, scope escalation

Each case: payload + expected secure behavior + CWE + detection signal.
</task>

<input>
Auth setup (JWT / session cookie / OAuth / SAML, role model, MFA scheme): {auth}
Application stack: {stack}
</input>

<constraints>
- Group by ATTACK CLASS, not by endpoint.
- Each case cites the CWE number (e.g., CWE-639 for IDOR).
- Payloads are CONCRETE strings, not "manipulate the token".
- Detection signal must be observable (specific status code + body content, not vague "fails").
- For each MFA bypass scenario, the expected secure behavior must include "rate limit, audit log entry, and notification to user".
</constraints>

<output_format>
Markdown document with H2 per attack class, each containing a table: Test name | Payload / Steps | Expected secure behavior | CWE | Detection signal. Followed by 2-3 high-level "Hardening recommendations" bullets.
</output_format>

Before writing, identify which attack classes are most acute for the specific auth setup (e.g., JWT-based systems are exposed to algorithm confusion whenever the verifier takes `alg` from the token header instead of pinning it; OAuth-based ones to redirect URI manipulation whenever `redirect_uri` is matched loosely rather than exactly against the registered value).
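To make the "detection signal" requirement concrete for the JWT class, here is an added, stand-alone example that is not code from this page or from any particular project. It models a server that issues RS256 tokens using a toy RSA key pair over two Mersenne primes (constructed for illustration; not real RSA-2048), a vulnerable verifier that obeys the token's own `alg` header (CWE-347, Improper Verification of Cryptographic Signature), and a hardened verifier that pins the algorithm. The claim values, key text and the 200/401 codes standing in for a real target's HTTP status are all assumptions.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Toy RSA key pair over two Mersenne primes (constructed; ~150-bit modulus, for
# illustration only, never a real key). The server signs with D and publishes (N, E).
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
# What a real target exposes via JWKS or a PEM file; attacker-readable by design.
PUBLIC_KEY_TEXT = f"-----BEGIN PUBLIC KEY-----\n{N}:{E}\n-----END PUBLIC KEY-----\n"

LEGIT_CLAIMS = {"sub": "user-1", "role": "member"}    # constructed
FORGED_CLAIMS = {"sub": "user-1", "role": "admin"}    # attacker's goal


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _digest_int(signing_input: bytes) -> int:
    # 128-bit truncation keeps the message below the toy modulus.
    return int.from_bytes(hashlib.sha256(signing_input).digest()[:16], "big")


def _rsa_verify(signing_input: bytes, sig: bytes) -> bool:
    return pow(int.from_bytes(sig, "big"), E, N) == _digest_int(signing_input)


def encode(header: dict, claims: dict, key) -> str:
    """key: private exponent D for RS256, HMAC secret bytes for HS256, ignored for none."""
    signing_input = (b64url(json.dumps(header).encode()) + "."
                     + b64url(json.dumps(claims).encode())).encode()
    alg = header["alg"]
    if alg == "RS256":
        sig = pow(_digest_int(signing_input), key, N).to_bytes(19, "big")
    elif alg == "HS256":
        sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    elif alg == "none":
        sig = b""
    else:
        raise ValueError(f"unsupported alg {alg}")
    return signing_input.decode() + "." + b64url(sig)


def vulnerable_verify(token: str, key_text: str) -> Optional[dict]:
    """Lets the token choose the algorithm (CWE-347). Returns claims, or None if rejected."""
    h, c, s = token.split(".")
    alg = json.loads(b64url_decode(h)).get("alg")
    signing_input, sig = f"{h}.{c}".encode(), b64url_decode(s)
    if alg == "none":
        ok = True                                   # unsigned token waved through
    elif alg == "HS256":
        # The same `key` argument that holds the RSA public key becomes the HMAC secret.
        expected = hmac.new(key_text.encode(), signing_input, hashlib.sha256).digest()
        ok = hmac.compare_digest(expected, sig)
    elif alg == "RS256":
        ok = _rsa_verify(signing_input, sig)
    else:
        ok = False
    return json.loads(b64url_decode(c)) if ok else None


def secure_verify(token: str) -> Optional[dict]:
    """Pins the algorithm server-side; the header's alg is compared, never obeyed."""
    h, c, s = token.split(".")
    if json.loads(b64url_decode(h)).get("alg") != "RS256":
        return None
    if not _rsa_verify(f"{h}.{c}".encode(), b64url_decode(s)):
        return None
    return json.loads(b64url_decode(c))


def legitimate_token() -> str:
    return encode({"alg": "RS256", "typ": "JWT"}, LEGIT_CLAIMS, D)


def forged_alg_none() -> str:
    return encode({"alg": "none", "typ": "JWT"}, FORGED_CLAIMS, None)


def forged_hs256_with_public_key() -> str:
    # Attacker re-signs with the published key text as the HMAC secret.
    return encode({"alg": "HS256", "typ": "JWT"}, FORGED_CLAIMS, PUBLIC_KEY_TEXT.encode())


def run_suite() -> dict:
    """Per case, (vulnerable, pinned) status: 200 = claims accepted, 401 = rejected."""
    cases = {
        "legitimate RS256": legitimate_token(),
        "alg=none": forged_alg_none(),
        "RS256->HS256 confusion": forged_hs256_with_public_key(),
    }

    def status(claims):
        return 200 if claims is not None else 401

    return {name: (status(vulnerable_verify(t, PUBLIC_KEY_TEXT)), status(secure_verify(t)))
            for name, t in cases.items()}


if __name__ == "__main__":
    for name, (vuln, sec) in run_suite().items():
        print(f"{name:25s} alg-from-header: {vuln}   pinned RS256: {sec}")
```

Against a real target the payloads are the two forged tokens sent in the Authorization header; the detection signal to record is "200 plus a body reflecting `role: admin`" versus "401 plus the error body", exactly the concrete status-plus-body the constraints above ask for.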

Common pitfalls

  • Model mixes authentication and authorization tests — group explicitly.
  • Detection signals get vague ('the test fails'); demand specific status + body content.
  • CWE numbers get omitted; tests can't be filed as bugs without them.
  • MFA bypass scenarios skip the rate-limit / audit-log / user-notification triple — those are the secure-behavior baseline.
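For the authorization side, the following added example (not code from this page or any project) shows what an observable detection signal looks like for object-level authorization / IDOR (CWE-639). It pairs a handler that looks an invoice up by ID alone with one that scopes the lookup to the authenticated user, and a small test driver that records the verdict per ID. The invoice records, user names and the GUID value are constructed sample data.

```python
from typing import Callable, Dict, Tuple

# Constructed data: invoice records keyed by ID. The GUID row is there to show that an
# unguessable key is not an access control; once it leaks (URL, e-mail, another user's
# API response) it is exactly as usable as "1002".
INVOICES = {
    "1001": {"owner": "alice", "total": 120.00},
    "1002": {"owner": "bob", "total": 980.50},
    "7c9e6679-7425-40de-944b-e07fc1f90ae7": {"owner": "bob", "total": 42.00},
}

Response = Tuple[int, dict]


def vulnerable_get_invoice(session_user: str, invoice_id: str) -> Response:
    """Authenticated (session_user is set) but never authorized: any real ID is served."""
    inv = INVOICES.get(invoice_id)
    return (404, {"error": "not found"}) if inv is None else (200, inv)


def secure_get_invoice(session_user: str, invoice_id: str) -> Response:
    """Scopes the lookup to the caller. A foreign ID gets the same 404 as a missing one,
    so the endpoint does not double as an existence oracle for enumeration."""
    inv = INVOICES.get(invoice_id)
    if inv is None or inv["owner"] != session_user:
        return 404, {"error": "not found"}
    return 200, inv


def idor_test(handler: Callable[[str, str], Response], attacker: str = "alice",
              victim_ids: Tuple[str, ...] = ("1002", "7c9e6679-7425-40de-944b-e07fc1f90ae7")
              ) -> Dict[str, str]:
    """Detection signal: 200 with a body whose owner is not the caller confirms the bypass.
    Anything else (404, 403, empty body) is recorded as secure for that ID."""
    verdicts = {}
    for iid in victim_ids:
        status, body = handler(attacker, iid)
        bypass = status == 200 and body.get("owner") != attacker
        verdicts[iid] = "VULNERABLE" if bypass else "secure"
    return verdicts


if __name__ == "__main__":
    print("by-ID lookup:", idor_test(vulnerable_get_invoice))
    print("owner-scoped:", idor_test(secure_get_invoice))
```

Returning 404 rather than 403 for a foreign object is a design choice (it keeps missing and foreign IDs indistinguishable to an enumerator); whichever your spec picks, write it into the "Expected secure behavior" column so the test has a single unambiguous pass condition.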

Tips

  • Run these against staging in a controlled session (record a Burp project) so you have replayable evidence of pass/fail.
  • Pair with `security-test-checklist` for coverage of the ASVS controls; this prompt covers attack patterns.
  • Test MFA on ordinary member accounts as well as admin accounts; an admin bypass gets attention, a member-account bypass slips by.
  • Document the SECURE BEHAVIOR column in your internal wiki; it becomes the spec for the auth system.

FAQ

No. Test in staging with a realistic data shape. Running bypass tests against production creates audit-log noise and customer-visible artifacts (lockouts, user notifications). Production validation belongs in synthetic monitoring with safe payloads.
