Domain 03 / 12

Authentication & Access security audit

Make login, sessions and authorization impossible to bypass — from brute-force to broken object-level access.

  • 58 checks
  • MFA · Sessions · Access control · IDOR/BOLA · Escalation · Business logic

Run the audit See example checks

What securmyapp checks

Inside the Authentication & Access domain

This is the Authentication & Access domain of securmyapp — the free, open-source, 100% defensive security auditor for Claude Code that runs 598 checks across 12 domains. The Authentication & Access domain covers the entire identity lifecycle: password policy, brute-force and credential-stuffing resistance, MFA that cannot be bypassed, secure session handling, and airtight authorization. It probes for broken object-level authorization (IDOR/BOLA), privilege escalation and business-logic abuse — the flaws that tools miss because they require understanding intent.

Coverage areas

58 atomic checks span these sub-domains.

  • Authentication

    Strong password policy, anti brute-force, secure reset, no user enumeration.

  • MFA

    Non-bypassable MFA, OTP anti-brute-force, anti-replay, push-fatigue resistance.

  • Sessions

    Session regeneration on login, secure cookie attributes, fixation protection.

  • Access control

    Server-side authorization on every route and object.

  • IDOR / BOLA

    Cross-user object access tested on each endpoint.

  • Escalation & business logic

    Privilege escalation and workflow-abuse detection.

Example checks

A sample of the real checks run in this domain — each mapped to a standard and a fix.

Example Authentication & Access security checks with severity, what they detect, and their standard reference.
CheckSeverityDetectsReference
Effective and non-bypassable MFAHighOptional or bypassable MFA that fails to stop account takeover.ASVS V6 · NIST IA-2
Session regeneration after loginHighSession fixation from reusing the pre-login session ID.CWE-384 · WSTG-SESS-03
Anti brute-force loginHighMissing throttling or lockout after repeated login failures.WSTG-ATHN-03 · MITRE T1110
Secure session cookie attributesHighCookies missing Secure, HttpOnly or SameSite.ASVS V3/V7 · CWE-1004
MFA fatigue resistance (push bombing)MediumSpammable push MFA that wears the user down into approving.MITRE T1621 · ASVS V6
No user enumerationMediumDifferent messages or timing for valid vs. invalid accounts.WSTG-IDNT-04 · CWE-204

Vulnerabilities we catch

  • Broken object-level authorization (IDOR / BOLA) across API routes
  • Session fixation and hijackable session cookies
  • MFA that can be skipped, replayed or brute-forced
  • Login endpoints with no brute-force or credential-stuffing defense
  • Privilege escalation through missing server-side authorization
  • Business-logic abuse in multi-step workflows

How remediation works and standards

Detect → explain → fix → verify

How remediation works here

Every finding in this domain is explained in plain language with its reference, fixed with a concrete change to the exact file and line, committed as a reversible Git commit, then re-checked in a real browser against a healthy baseline — so a security fix never breaks your app.

Standards behind this domain

Mapped to recognized references

  • OWASP WSTG
  • OWASP ASVS 5.0
  • OWASP API Top 10
  • OWASP MASVS 2.1
  • CIS Benchmarks
  • MITRE ATT&CK
  • CWE

FAQ

Authentication & Access — questions & answers

What is IDOR / BOLA and does securmyapp test for it?

IDOR/BOLA is broken object-level authorization — accessing another user's records by changing an identifier. securmyapp tests cross-user object access on every route, since it is OWASP API #1 and the leading cause of API breaches.

Can it catch logic flaws, not just missing controls?

Yes. Business-logic and privilege-escalation checks run in advisory mode with guided human review, because tools alone cannot understand business intent.

Does it verify MFA is actually enforced?

It checks that MFA is required with no bypass path, resists OTP brute-force and replay, and withstands push-bombing (MFA fatigue) attacks.

Get started

Audit your app in the next five minutes

Install the plugin in Claude Code, then type /securmyapp in your project. The full audit starts on its own.

Claude Code — one-time setup
/plugin marketplace add mafady/securmyapp
/plugin install securmyapp@mafady-security
/reload-plugins

View on GitHub Browse the domains

Requires Node.js 18+, Claude Code, and a paid Claude subscription. Semgrep & Playwright recommended.