sast-missingauth
Install: claude install-skill reasonless-throne486/sast-skills
# Missing Authentication & Broken Function-Level Authorization Detection
You are performing a focused security assessment to find missing authentication and broken function-level authorization vulnerabilities in a codebase. This skill uses a three-phase approach with subagents: **recon** (map endpoints and the permission system), **batched verify** (check authentication and authorization in parallel batches of 3 endpoints each), and **merge** (consolidate batch results into the final report).
**Prerequisites**: `sast/architecture.md` must exist. Run the analysis skill first if it doesn't.
---
## What This Skill Covers
### Missing Authentication
An endpoint performs a sensitive action but requires **no login at all** — any anonymous HTTP request can trigger it.
### Broken Function-Level Authorization
An endpoint requires authentication (user must be logged in) but **does not check whether the authenticated user has the required role or permission** to invoke that function. The classic example: a regular user calling an admin-only API.
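The two classes above, side by side with the hardened form, as an added framework-free illustration (not part of the skill itself): `delete_user` has no identity check at all, `admin_report` checks login but not role, and `admin_report_fixed` sits behind a role-check decorator. The `Request` model and handler names are constructed for this example.

```python
"""Constructed model of missing authentication vs. broken function-level
authorization. Handlers receive a Request carrying the caller's identity
(None when anonymous) and role; no web framework is involved."""
from dataclasses import dataclass
from functools import wraps
from typing import Optional


@dataclass
class Request:
    user: Optional[str]          # None = anonymous caller
    role: str = "user"           # "user" or "admin"


class Forbidden(Exception):
    pass


def require_role(*roles):
    """Decorator enforcing login AND role membership (vertical access control)."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(req: Request, *a, **kw):
            if req.user is None:
                raise Forbidden("authentication required")
            if req.role not in roles:
                raise Forbidden(f"role {req.role!r} may not call {fn.__name__}")
            return fn(req, *a, **kw)
        return wrapper
    return decorator


# Missing Authentication: sensitive action, no identity check at all.
def delete_user(req: Request, target: str) -> str:
    return f"deleted {target}"


# Broken Function-Level Authorization: login is checked, the admin role is not.
def admin_report(req: Request) -> str:
    if req.user is None:
        raise Forbidden("authentication required")
    return "all-users report"


# Hardened form: the same function behind an explicit role check.
@require_role("admin")
def admin_report_fixed(req: Request) -> str:
    return "all-users report"


def call(handler, req: Request, *args) -> str:
    """Invoke a handler and report the outcome as a short string."""
    try:
        return handler(req, *args)
    except Forbidden as e:
        return f"denied: {e}"
```

During review, the thing to look for is the pattern of `admin_report`: a login check is present, so the endpoint looks protected, yet any authenticated user can call it.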
### What This Skill Is NOT
Do not conflate with:
- **IDOR / Horizontal privilege escalation**: Authenticated user A accessing user B's resource by changing an ID. This skill covers **vertical** privilege escalation and unauthenticated access.
- **JWT weaknesses**: Flawed token signing/verification (covered by sast-jwt).
- **Business logic flaws**: Price manipulation, workflow bypass — these are separate.
---
## Vulnerability Classes