Domain 03 / 12
Authentication & Access security audit
Make login, sessions and authorization impossible to bypass — from brute-force to broken object-level access.
- 58 checks
- MFA · Sessions · Access control · IDOR/BOLA · Escalation · Business logic
What securmyapp checks
Inside the Authentication & Access domain
This is the Authentication & Access domain of securmyapp — the free, open-source, 100% defensive security auditor for Claude Code that runs 598 checks across 12 domains. The Authentication & Access domain covers the entire identity lifecycle: password policy, brute-force and credential-stuffing resistance, MFA that cannot be bypassed, secure session handling, and airtight authorization. It probes for broken object-level authorization (IDOR/BOLA), privilege escalation and business-logic abuse — the flaws that tools miss because they require understanding intent.
Coverage areas
58 atomic checks span these sub-domains.
Authentication
Strong password policy, anti brute-force, secure reset, no user enumeration.
MFA
Non-bypassable MFA, OTP anti-brute-force, anti-replay, push-fatigue resistance.
Sessions
Session regeneration on login, secure cookie attributes, fixation protection.
Access control
Server-side authorization on every route and object.
IDOR / BOLA
Cross-user object access tested on each endpoint.
Escalation & business logic
Privilege escalation and workflow-abuse detection.
Example checks
A sample of the real checks run in this domain — each mapped to a standard and a fix.
| Check | Severity | Detects | Reference |
|---|---|---|---|
| Effective and non-bypassable MFA | High | Optional or bypassable MFA that fails to stop account takeover. | ASVS V6 · NIST IA-2 |
| Session regeneration after login | High | Session fixation from reusing the pre-login session ID. | CWE-384 · WSTG-SESS-03 |
| Anti brute-force login | High | Missing throttling or lockout after repeated login failures. | WSTG-ATHN-03 · MITRE T1110 |
| Secure session cookie attributes | High | Cookies missing Secure, HttpOnly or SameSite. | ASVS V3/V7 · CWE-1004 |
| MFA fatigue resistance (push bombing) | Medium | Spammable push MFA that wears the user down into approving. | MITRE T1621 · ASVS V6 |
| No user enumeration | Medium | Different messages or timing for valid vs. invalid accounts. | WSTG-IDNT-04 · CWE-204 |
Vulnerabilities we catch
- Broken object-level authorization (IDOR / BOLA) across API routes
- Session fixation and hijackable session cookies
- MFA that can be skipped, replayed or brute-forced
- Login endpoints with no brute-force or credential-stuffing defense
- Privilege escalation through missing server-side authorization
- Business-logic abuse in multi-step workflows
How remediation works and standards
Detect → explain → fix → verify
How remediation works here
Every finding in this domain is explained in plain language with its reference, fixed with a concrete change to the exact file and line, committed as a reversible Git commit, then re-checked in a real browser against a healthy baseline — so a security fix never breaks your app.
Standards behind this domain
Mapped to recognized references
- OWASP WSTG
- OWASP ASVS 5.0
- OWASP API Top 10
- OWASP MASVS 2.1
- CIS Benchmarks
- MITRE ATT&CK
- CWE
FAQ
Authentication & Access — questions & answers
What is IDOR / BOLA and does securmyapp test for it?
IDOR/BOLA is broken object-level authorization — accessing another user's records by changing an identifier. securmyapp tests cross-user object access on every route, since it is OWASP API #1 and the leading cause of API breaches.
Can it catch logic flaws, not just missing controls?
Yes. Business-logic and privilege-escalation checks run in advisory mode with guided human review, because tools alone cannot understand business intent.
Does it verify MFA is actually enforced?
It checks that MFA is required with no bypass path, resists OTP brute-force and replay, and withstands push-bombing (MFA fatigue) attacks.
Related domains
Get started
Audit your app in the next five minutes
Install the plugin in Claude Code, then type /securmyapp in your project. The full audit starts on its own.
/plugin marketplace add mafady/securmyapp
/plugin install securmyapp@mafady-security
/reload-plugins
View on GitHub Browse the domains
Requires Node.js 18+, Claude Code, and a paid Claude subscription. Semgrep & Playwright recommended.