auth-audit
Auth Audit Skill
Overview
Comprehensive audit of authentication and authorization implementations.
Audit Categories
| Category | Checks |
|---|---|
| JWT | Signing algo, expiration, refresh, storage |
| Sessions | Storage, expiry, regeneration, fixation |
| OAuth2 | PKCE, state param, redirect validation |
| Passwords | Hashing algo, strength rules, reset flow |
| MFA | Implementation, backup codes, recovery |
Workflow
- Detect auth implementation (JWT, sessions, OAuth)
- Scan for known anti-patterns
- Verify cryptographic choices
- Check token/session lifecycle
- Audit authorization logic (RBAC, ABAC)
Common Vulnerabilities
- JWT signed with algorithm `none`
- JWT secret too short (< 256 bits)
- No token expiration, or an expiration that is too long
- Refresh tokens stored in localStorage
- Session not regenerated after login (session fixation)
- Missing CSRF protection
- OAuth without PKCE for public clients
- Missing `state` parameter in OAuth flow
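As an added example that is not part of the original skill, the helper below audits an HS256 token for the JWT anti-patterns listed above: algorithm `none`, a secret shorter than 256 bits, a missing `exp` claim, and a lifetime beyond a policy cutoff. The one-hour cutoff is an assumption, and `mint_hs256` is a constructed helper used only to build sample tokens to audit.

```python
import base64, hashlib, hmac, json, time

MIN_HS_SECRET_BITS = 256        # threshold from the checklist above
MAX_LIFETIME_SECONDS = 3600     # assumption: one hour counts as "too long"

def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def audit_jwt(token, secret, now=None):
    """Return audit findings for an HS256 token; an empty list means it passed."""
    findings = []
    now = int(time.time()) if now is None else now
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
        payload = json.loads(_b64url_decode(p64))
    except ValueError:          # wrong segment count, bad base64 or bad JSON
        return ["malformed token"]
    alg = header.get("alg")
    if alg is None or str(alg).lower() == "none":
        findings.append("alg is none: token is unsigned")
    elif alg != "HS256":
        findings.append(f"unexpected alg {alg!r}: pin the algorithm server-side")
    else:
        expected = hmac.new(secret, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s64)):
            findings.append("HS256 signature does not verify")
    if len(secret) * 8 < MIN_HS_SECRET_BITS:
        findings.append(f"HMAC secret is {len(secret) * 8} bits (< {MIN_HS_SECRET_BITS})")
    exp = payload.get("exp")
    if exp is None:
        findings.append("no exp claim: token never expires")
    else:
        if exp - payload.get("iat", now) > MAX_LIFETIME_SECONDS:
            findings.append("token lifetime exceeds policy")
        if exp < now:
            findings.append("token is expired")
    return findings

def mint_hs256(payload, secret):
    """Constructed helper that builds sample HS256 tokens for the audit."""
    h64 = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    p64 = _b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(secret, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    return f"{h64}.{p64}.{_b64url_encode(sig)}"
```

Run `audit_jwt` over tokens captured from the application under test with the server's configured secret; any non-empty result maps directly onto one of the checklist items.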
References
- Auth Patterns
- Auth Checklist