- Home
- Skills
- Harperaa
- Secure Claude Skills
- Auth Vulnerabilities
auth-vulnerabilities_skill
- JavaScript
4
GitHub Stars
1
Bundled Files
2 months ago
Catalog Refreshed
4 months ago
First Indexed
Readme & install
Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.
Installation
Preview and clipboard use veilstrat where the catalogue uses aiagentskills.
npx veilstrat add skill harperaa/secure-claude-skills --skill auth-vulnerabilities- SKILL.md22.5 KB
Overview
This skill helps you find and understand authentication and authorization defects commonly produced by AI-generated code. It highlights insecure password storage, broken session management, and access control bypasses, and explains why AI suggests unsafe patterns like MD5 or predictable session IDs. The goal is to teach practical fixes and detection cues so you can harden AI-suggested code before deployment.
How this skill works
The skill inspects code patterns and examples to identify insecure password handling (plaintext, MD5/SHA1), weak session implementations (predictable IDs, missing expiration, insecure cookies), and missing authorization checks. It explains the root causes—training data bias, simplicity shortcuts, and lack of security reasoning—and maps each issue to a secure alternative and configuration recommendations. It also provides short, concrete remediation steps and realistic attack scenarios to prioritize fixes.
When to use it
- Review AI-suggested auth code before merging to production
- Audit legacy code that mirrors AI-recommended patterns
- Train teams to recognize common AI-generated auth anti-patterns
- Assess pull requests with quick heuristics for password/session flaws
- Integrate into secure code review or CI linting guidance
Best practices
- Never accept plaintext or fast hashes; require bcrypt/Argon2 with per-password salt and a cost factor
- Use cryptographically secure session IDs, server-side session stores (Redis), and set httpOnly, secure, and sameSite cookies
- Enforce session expiration, renewal, IP/user-agent consistency, and rate limiting on auth endpoints
- Separate authentication (identity) from authorization (permissions); always check resource-level permissions server-side
- Prefer managed auth providers (Clerk, Auth0) or vetted libraries to reduce custom-auth risks
Example use cases
- Detect AI code that stores passwords with hashlib.md5 or plain strings and recommend bcrypt/Argon2
- Identify session code creating IDs from username+timestamp and replace with crypto.randomBytes
- Flag endpoints that require login but do not check resource ownership or roles
- Add middleware templates that validate sessions, renew TTLs, and enforce cookie security flags
- Create training snippets showing attack vectors: session hijack, fixation, and authorization bypass
FAQ
Models are trained on old public examples and prefer simpler code; they lack contextual security knowledge, so they surface outdated patterns like MD5 or plaintext.
Is replacing MD5 with bcrypt enough?
bcrypt/Argon2 is required for storage, but also enforce password strength, per-password salt, proper cost factor, secure transport (TLS), and breach detection/rate limiting.
Can I rely on managed auth services?
Yes—well-maintained providers reduce custom-auth errors, handle hashing/session best practices, and lower the attack surface if configured correctly.