
authenticating skill

/projects/pentest/.claude/skills/authenticating

This skill helps you automate comprehensive authentication security testing including signup, login, 2FA bypass, CAPTCHA, and bot detection evasion.

npx playbooks add skill transilienceai/communitytools --skill authenticating

Review the files below or copy the command above to add this skill to your agents.

SKILL.md
---
name: authenticating
description: Authentication testing skill - automates signup, login, 2FA bypass, CAPTCHA solving, and bot detection evasion using Playwright MCP. Tests authentication security controls. Includes behavioral biometrics simulation, OTP handling, and automated account creation for security assessments.
---

# Authentication Testing

Automated authentication security testing: signup, login, 2FA/OTP bypass, CAPTCHA, bot detection using Playwright.

## Quick Start

```
1. Initialize Playwright
2. Test: signup → login → 2FA → CAPTCHA → bot detection
3. Document findings with evidence
```

## Core Workflows

**Account Registration**: Navigate → analyze form → generate password (PasswordGenerator) → create account → store credentials (CredentialManager)

**Login Security**: Test bypasses → credential validation → session tokens → fixation/hijacking

**2FA/OTP Bypass**: Enable 2FA → test vectors (response manipulation, direct access, parameter removal, code reuse, brute force) → extract OTP from email

**CAPTCHA Assessment**: Identify type → test server-side validation, token expiration, reusability → bypass vectors

**Bot Detection**: Stealth mode → human-like behavior (natural mouse, variable typing, random pauses) → test detection

## Credential Tools

**PasswordGenerator** (`tools/password_generator.py`):
```python
from tools.password_generator import generate_password
password = generate_password(hint_text="8-16 chars, uppercase, lowercase, numbers")
```

**CredentialManager** (`tools/credential_manager.py`):
```python
from tools.credential_manager import CredentialManager
mgr = CredentialManager()
cred_id = mgr.store_credential(target="example.com", username="test", password="pass")
cred = mgr.get_credential("example.com")
```

See `reference/PASSWORD_CREDENTIAL_MANAGEMENT.md`.

## Playwright Automation

**REQUIRED**: All browser automation via Playwright MCP.

- **Human-like**: Natural mouse, realistic typing (80-200ms delays), random pauses (500-2000ms), smooth scrolling
- **Evidence**: Screenshots before/after, network logs, console output
- **Stealth**: Hide webdriver, add chrome object, randomize fingerprints

## Testing Techniques

**CAPTCHA Bypass** (11 techniques - `reference/CAPTCHA_BYPASS.md`):
Missing server validation, empty field, reusable tokens, HTTP header manipulation, content-type conversion, request method, parameter manipulation, OCR, response interception, token expiration, session persistence

**2FA Bypass** (10 methods - `reference/2FA_BYPASS.md`):
Response manipulation, direct endpoint access, OTP parameter removal, code reusability, brute force, predictable codes, session persistence pre-2FA, backup code abuse, race condition, OTP leakage

**Bot Detection Evasion** (`reference/BOT_DETECTION.md`):
Behavioral biometrics, fingerprint randomization, User-Agent rotation, WebDriver hiding, natural timing, request patterns

## Output Structure

```
outputs/authenticating/<target>/
├── signup/account_created.json + evidence/
├── login/session_tokens.json + evidence/
├── 2fa/bypass_attempts.json + otp_codes.txt + evidence/
├── captcha/bypass_methods.json + evidence/
├── bot_detection/detection_tests.json + behavioral_patterns.md
└── findings/vulnerabilities.json + authentication_report.md + poc_scripts/
```

## Common Vulnerabilities

- **Critical**: Missing 2FA server validation, reusable OTP, direct access without 2FA, client-side CAPTCHA
- **High**: Weak OTP generation, no rate limiting, CAPTCHA token reuse, session persistence pre-2FA
- **Medium**: Weak bot detection, account enumeration, timing attacks, info disclosure
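
The 2FA items in the Critical and High rows correspond to checks the server has to make itself. The following is an added example, not part of this skill's files or tools, showing a minimal OTP verification step that enforces them; `OtpVerifier`, its method names, the result strings and the two policy constants are hypothetical.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

MAX_ATTEMPTS = 5        # assumed policy: failed tries allowed per challenge
OTP_TTL_SECONDS = 300   # assumed policy: code lifetime

@dataclass
class Challenge:
    code: str
    issued_at: float
    attempts: int = 0

class OtpVerifier:
    """Hypothetical server-side 2FA step; all names are illustrative."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._challenges = {}    # session_id -> Challenge
        self._mfa_done = set()   # sessions that completed 2FA

    def issue(self, session_id):
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, not predictable
        self._challenges[session_id] = Challenge(code, self._clock())
        self._mfa_done.discard(session_id)         # password alone grants nothing
        return code

    def verify(self, session_id, submitted):
        ch = self._challenges.get(session_id)
        if ch is None:
            return "rejected:no_active_challenge"
        if self._clock() - ch.issued_at > OTP_TTL_SECONDS:
            del self._challenges[session_id]
            return "rejected:expired"
        if ch.attempts >= MAX_ATTEMPTS:
            return "rejected:locked"               # caps brute force
        ch.attempts += 1
        # A missing or non-string parameter is a failed attempt, never a skip.
        if not isinstance(submitted, str) or not hmac.compare_digest(
                submitted.encode(), ch.code.encode()):
            return "rejected:bad_code"
        del self._challenges[session_id]           # single use: no replay
        self._mfa_done.add(session_id)
        return "ok"

    def is_fully_authenticated(self, session_id):
        # Protected endpoints check this, not just "has a session cookie".
        return session_id in self._mfa_done
```

Every protected route should gate on `is_fully_authenticated`, so a session that has only passed the password step cannot reach post-login pages directly.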

## Testing Checklist

- **Pre**: Scope, test accounts, Playwright configured, email access
- **During**: Signup, login, 2FA, CAPTCHA, bot detection, evidence
- **Post**: Findings documented, PoC scripts, CVSS scores, remediation, cleanup

## Critical Rules

- **Always**: Test accounts only, document scope, responsible disclosure, clean up
- **Never**: Exceed scope, cause disruption, expose findings before remediation

## Tools

Playwright MCP, PasswordGenerator, CredentialManager, Email APIs (IMAP, Gmail), OCR (Tesseract)

## Commands

```bash
/authenticating                  # Full test
/authenticating --test=2fa       # Specific area
/authenticating --report         # Generate report
```

## Reference

- [CAPTCHA_BYPASS.md](reference/CAPTCHA_BYPASS.md) - 11 CAPTCHA techniques
- [2FA_BYPASS.md](reference/2FA_BYPASS.md) - 10 2FA/OTP methods
- [BOT_DETECTION.md](reference/BOT_DETECTION.md) - Bot evasion
- [PASSWORD_CREDENTIAL_MANAGEMENT.md](reference/PASSWORD_CREDENTIAL_MANAGEMENT.md) - Tool usage

Overview

This skill automates authentication security testing using Playwright MCP to assess signup, login, 2FA/OTP flows, CAPTCHA protections, and bot-detection mechanisms. It generates and manages credentials, simulates human behavior, captures evidence, and produces structured findings for security assessments. Designed for penetration testers, bug bounty hunters, and security researchers to validate authentication controls safely within scope.

How this skill works

The skill drives browsers with Playwright MCP using human-like interactions (natural mouse, realistic typing delays, pauses, and fingerprint randomization). It automates account creation, login attempts, 2FA/OTP manipulation and extraction, CAPTCHA identification and bypass vectors, and bot-detection evasion tests. All actions produce evidence (screenshots, network logs, console output) and machine-readable outputs for reporting and PoC scripts.

When to use it

  • Assess signup and login robustness during pentests or bug bounties
  • Validate 2FA/OTP implementations and detect bypass vectors
  • Test CAPTCHA server-side validation and token handling
  • Evaluate bot-detection effectiveness and behavioral fingerprints
  • Automate repeatable authentication test cases for regression testing

Best practices

  • Run only against in-scope targets with written permission
  • Use test accounts and clean up created artifacts after testing
  • Keep Playwright MCP and browser drivers up to date for reliability
  • Capture full evidence sets: screenshots, HAR/network logs, and console output
  • Rate-limit automated attempts to avoid service disruption and respect non-disclosure rules

Example use cases

  • Full authentication assessment: signup → login → 2FA → CAPTCHA → bot detection with evidence and report
  • Targeted 2FA review: enable 2FA, attempt bypass techniques, extract OTPs from email APIs for verification
  • CAPTCHA hardening test: identify type, test token reuse and server validation, document bypass methods
  • Bot-detection validation: simulate behavioral biometrics, rotate fingerprints and UA, evaluate detection triggers and false positives
  • Automated credential management: generate compliant passwords and store/retrieve credentials for repeated test runs

FAQ

Do I need Playwright configured to run this skill?

Yes. All browser automation relies on Playwright MCP and up-to-date browser drivers for accurate, reliable testing.

Is this safe to run against production systems?

Only run against targets explicitly in scope and with permission. Use test accounts and avoid high-volume attacks that could cause disruption.