testing-for-broken-access-control
vmain
Systematically testing web applications for broken access control vulnerabilities including privilege escalation, missing function-level checks, and insecure direct object references.
使用场景/代码审查与 GitHub
拉取 PR、读 diff、查 Issue、管理仓库。适合 Code Review、发布说明、CI 问题排查。
共匹配 3,844 个资源 · 第 28 / 81 页
vmain
Systematically testing web applications for broken access control vulnerabilities including privilege escalation, missing function-level checks, and insecure direct object references.
vmain
Testing web applications for path traversal vulnerabilities that allow reading or writing arbitrary files on the server by manipulating file path parameters.
vmain
Tests Android inter-process communication (IPC) through intents for vulnerabilities including intent injection, unauthorized component access, broadcast sniffing, pending intent hijacking, and content provider data leakage. Use when assessing Android app attack surface through exported components, testing intent-based data flows, or evaluating IPC security. Activates for requests involving Android intent security, IPC testing, exported component analysis, or Drozer assessment.
vmain
Tests API authentication mechanisms for weaknesses including broken token validation, missing authentication on endpoints, weak password policies, credential stuffing susceptibility, token leakage in URLs or logs, and session management flaws. The tester evaluates JWT implementation, API key handling, OAuth flows, and session token entropy to identify authentication bypasses. Maps to OWASP API2:2023 Broken Authentication. Activates for requests involving API authentication testing, token validation assessment, credential security testing, or API auth bypass.
vmain
Tests REST and GraphQL APIs for Broken Object Level Authorization (BOLA/IDOR) vulnerabilities where an authenticated user can access or modify resources belonging to other users by manipulating object identifiers in API requests. The tester intercepts API calls, identifies object ID parameters (numeric IDs, UUIDs, slugs), and systematically replaces them with IDs belonging to other users to determine if the server enforces per-object authorization. This is OWASP API Security Top 10 2023 risk API1. Activates for requests involving BOLA testing, IDOR in APIs, object-level authorization testing, or API access control bypass.
vmain
Tests APIs for mass assignment (auto-binding) vulnerabilities where clients can modify object properties they should not have access to by including additional parameters in API requests. The tester identifies writable endpoints, adds undocumented fields to request bodies (role, isAdmin, price, balance), and checks if the server binds these to the data model without filtering. Part of OWASP API3:2023 Broken Object Property Level Authorization. Activates for requests involving mass assignment testing, parameter binding abuse, auto-binding vulnerability, or API over-posting.
vmain
Systematically assessing REST and GraphQL API endpoints against the OWASP API Security Top 10 risks using automated and manual testing techniques.
vmain
Tests WebSocket API implementations for security vulnerabilities including missing authentication on WebSocket upgrade, Cross-Site WebSocket Hijacking (CSWSH), injection attacks through WebSocket messages, insufficient input validation, denial-of-service via message flooding, and information leakage through WebSocket frames. The tester intercepts WebSocket handshakes and messages using Burp Suite, crafts malicious payloads, and tests for authorization bypass on WebSocket channels. Activates for requests involving WebSocket security testing, WS penetration testing, CSWSH attack, or real-time API security assessment.
vmain
Tests OAuth 2.0 and OpenID Connect implementations for security flaws including authorization code interception, redirect URI manipulation, CSRF in OAuth flows, token leakage, scope escalation, and PKCE bypass. The tester evaluates the authorization server, client application, and token handling for common misconfigurations that enable account takeover or unauthorized access. Activates for requests involving OAuth security testing, OIDC vulnerability assessment, OAuth2 redirect bypass, or authorization code flow testing.
vmain
Tests authentication and authorization mechanisms in mobile application APIs to identify broken authentication, insecure token management, session fixation, privilege escalation, and IDOR vulnerabilities. Use when performing API security assessments against mobile app backends, testing JWT implementations, evaluating OAuth flows, or assessing session management. Activates for requests involving mobile API auth testing, token security assessment, OAuth mobile flow testing, or API authorization bypass.
vmain
Assessing JSON Web Token implementations for cryptographic weaknesses, algorithm confusion attacks, and authorization bypass vulnerabilities during security engagements.
vmain
Discovering and exploiting XML External Entity injection vulnerabilities to read server files, perform SSRF, and exfiltrate data during authorized penetration tests.
vmain
Identifying and validating cross-site scripting vulnerabilities using Burp Suite's scanner, intruder, and repeater tools during authorized security assessments.
vmain
Tests web applications for Cross-Site Scripting (XSS) vulnerabilities by injecting JavaScript payloads into reflected, stored, and DOM-based contexts to demonstrate client-side code execution, session hijacking, and user impersonation. The tester identifies all injection points and output contexts, crafts context-appropriate payloads, and bypasses sanitization and CSP protections. Activates for requests involving XSS testing, cross-site scripting assessment, client-side injection testing, or JavaScript injection vulnerability testing.
vmain
Test web applications for XML injection vulnerabilities including XXE, XPath injection, and XML entity attacks to identify data exposure and server-side request forgery risks.
vmain
Identifying sensitive data exposure vulnerabilities including API key leakage, PII in responses, insecure storage, and unprotected data transmission during security assessments.
vmain
Identify and test open redirect vulnerabilities in web applications by analyzing URL redirection parameters, bypass techniques, and exploitation chains for phishing and token theft.
vmain
Test JWT implementations for critical vulnerabilities including algorithm confusion, none algorithm bypass, kid parameter injection, and weak secret exploitation to achieve authentication bypass and privilege escalation.
vmain
Test web applications for HTTP Host header injection vulnerabilities to identify password reset poisoning, web cache poisoning, SSRF, and virtual host routing manipulation risks.
vmain
Test web application email functionality for SMTP header injection vulnerabilities that allow attackers to inject additional email headers, modify recipients, and abuse contact forms for spam relay.
vmain
Diagnose and recover Cursor backend failures for Harness workflows. Use when user invokes cursor:rescue, Cursor delegation fails, cursor-agent is missing, setup-cursor fails, or backend resolution unexpectedly falls back to claude.
vmain
Run a Cursor Composer review as an advisory second opinion while keeping the primary review verdict on the host brain. Use when user invokes cursor:review, asks Cursor to review, or wants composer to sanity-check a diff. Cursor never owns APPROVE/REQUEST_CHANGES.
vmain
Diagnose and recover Cursor backend failures for Harness workflows. Use when user invokes cursor:rescue, Cursor delegation fails, cursor-agent is missing, setup-cursor fails, or backend resolution unexpectedly falls back to claude.
vmain
Run a Cursor Composer review as an advisory second opinion while keeping the primary review verdict on the host brain. Use when user invokes cursor:review, asks Cursor to review, or wants composer to sanity-check a diff. Cursor never owns APPROVE/REQUEST_CHANGES.
vmain
Manage MCP (Model Context Protocol) servers for openclacky: add, list, probe, remove, reconfigure. Edits ~/.clacky/mcp.json so the user never writes JSON by hand. Trigger on: add mcp, install mcp, setup mcp, configure mcp, mcp list, mcp remove, mcp probe, mcp reconfigure.
vmain
Use when creating new skills, editing existing skills, or verifying skills work before deployment.
vmain
Use when you have a spec or requirements for a multi-step task, before touching code. Creates bite-sized TDD implementation plans with dependency tracking.
vmain
Cross-browser and cross-device testing using BrowserStack or Sauce Labs
vmain
Analyzes and optimizes SQL queries across different data warehouse platforms (Snowflake, BigQuery, Redshift, Databricks) with platform-specific recommendations.
vmain
Suggest and guide application of refactoring patterns to improve code quality
vmain
CSS Modules patterns, composition, variables, and build configuration.
vmain
Precision CSS/styling modifications for pixel-perfect adjustments with Tailwind, CSS Modules, and plain CSS support
vmain
Android and iOS application security testing
vmain
Cross-platform offline-first data management
vmain
Comprehensive mobile testing framework expertise
vmain
Mobile application security skill for implementing OWASP MASVS compliance, secure storage, certificate pinning, biometric authentication, and security hardening across iOS and Android platforms.
vmain
Mobile app performance analysis and optimization
vmain
Mobile app analytics and crash reporting integration
vmain
Mobile GPU optimization skill for thermal management.
vmain
Ad mediation skill for rewarded video.
vmain
Multi-backend comparison and selection skill for optimal hardware choice
vmain
Deep integration with Kubernetes clusters for deployments, debugging, and operations. Execute kubectl commands, analyze pod logs/events/resources, generate and validate manifests, and debug cluster issues.
vmain
Docker containerization for web apps, multi-stage builds, and optimization.
vmain
Docker-based test environment management for isolated, reproducible test execution. Create Docker Compose environments, manage test containers, configure service dependencies, and integrate with CI/CD pipelines.
vmain
Bootstrap MCP (Model Context Protocol) servers with the official TypeScript SDK. Creates complete server implementations with transport layer, tools, resources, and proper error handling.
vmain
Bootstrap MCP server with Python SDK, transport configuration, tool/resource handlers, and proper project structure.
vmain
Create mock MCP client for server testing with request/response simulation.
vmain
Set up MCP Inspector for debugging and testing MCP servers with request logging, response inspection, and protocol validation.