Authentication and Authorization Router

This is the routing entry point for authentication, sessions, and authorization boundaries.

Use it to decide whether the issue is mainly login mechanics, object-level authorization, browser trust boundaries, or identity protocols such as OAuth/JWT/SAML before going deeper.

When to Use

The target includes login, registration, password reset, 2FA, sessions, JWT, OAuth, or SSO

You suspect object authorization flaws, cross-tenant access, cross-origin reads, CSRF, or protocol misconfiguration

You need to decide whether to test authentication or authorization first

Skill Map

Authentication Bypass

login bypass, password reset, 2FA, enumeration, brute-force protections

IDOR Broken Object Authorization

IDOR, BOLA, BFLA, missing object permissions

JWT OAuth Token Attacks

algorithm confusion, key trust issues, claim abuse, token forgery

OAuth OIDC Misconfiguration

redirect URI, state, nonce, PKCE, account binding

CSRF Cross Site Request Forgery

CSRF tokens, SameSite, JSON CSRF, login CSRF

CORS Cross Origin Misconfiguration

reflected Origin, credentialed cross-origin reads, allowlist bypass

SAML SSO Assertion Attacks

assertion wrapping, signature validation, audience, ACS boundaries Recommended Flow First confirm the authentication model and session boundaries Then confirm object-level and function-level authorization Then move to token, cross-origin, and protocol details If enterprise federation exists, continue with OAuth, OIDC, or SAML topics Related Categories api-sec Default credentials, username variants, wordlist sizing, and port focus are consolidated in authbypass-authentication-flaws