Stats
Actions
Tags
From acc
Analyzes PHP code for authentication vulnerabilities including weak password handling, insecure sessions, missing auth checks, token issues, credential exposure, and brute force risks. Useful for auditing PHP app security.
How this skill is triggered — by the user, by Claude, or both
Slash command
/acc:check-authenticationThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Analyze PHP code for authentication vulnerabilities.
Analyze PHP code for authentication vulnerabilities.
// CRITICAL: Plain text password storage
$user->setPassword($_POST['password']);
// CRITICAL: Weak hashing (MD5, SHA1)
$hash = md5($password);
$hash = sha1($password);
$hash = hash('sha256', $password);
// VULNERABLE: No salt
$hash = password_hash($password, PASSWORD_DEFAULT); // OK, but check algo
// CRITICAL: Password in logs
$this->logger->info('Login attempt', ['password' => $password]);
// VULNERABLE: Predictable session ID
session_id('user_' . $userId);
// VULNERABLE: Session fixation
session_start();
$_SESSION['user'] = $userId; // No regenerate_id
// VULNERABLE: Session in URL
session_start();
echo '<a href="page.php?' . SID . '">'; // Session ID in URL
// CORRECT: Regenerate on privilege change
session_regenerate_id(true);
$_SESSION['user'] = $userId;
// CRITICAL: No auth check in controller
public function deleteUser(int $id): Response
{
$this->userService->delete($id); // Who can call this?
}
// CRITICAL: Auth bypass via parameter
if ($_GET['admin'] === 'true') {
$this->grantAdminAccess();
}
// VULNERABLE: Relying only on hidden field
if ($_POST['is_admin'] === '1') { }
// CRITICAL: Weak token generation
$token = md5(time()); // Predictable
$token = rand(); // Not cryptographically secure
$token = uniqid(); // Not secure
// CRITICAL: Token without expiry
$token = $this->generateToken();
$user->setResetToken($token); // No expiry time
// CRITICAL: Timing attack on comparison
if ($token === $storedToken) { } // Use hash_equals
// CORRECT:
$token = bin2hex(random_bytes(32));
if (hash_equals($storedToken, $token)) { }
// CRITICAL: Password in URL
$url = "/login?password=" . urlencode($password);
// CRITICAL: Credentials in error message
throw new AuthException("Invalid password: $password");
// CRITICAL: Auth token in logs
$this->logger->debug('API call', ['token' => $apiToken]);
// CRITICAL: Predictable remember token
$token = md5($userId . time());
setcookie('remember', $token);
// VULNERABLE: No secure flag
setcookie('session_id', $sessionId); // Missing secure, httponly
// CORRECT:
setcookie('remember', $token, [
'expires' => time() + 86400 * 30,
'path' => '/',
'secure' => true,
'httponly' => true,
'samesite' => 'Strict'
]);
// VULNERABLE: No rate limiting
public function login(string $email, string $password): bool
{
return $this->auth->attempt($email, $password);
// No lockout, no rate limit
}
// VULNERABLE: User enumeration
if (!$user = $this->findByEmail($email)) {
throw new Exception('User not found'); // Different from wrong password
}
// VULNERABLE: State parameter not validated
$code = $_GET['code'];
$token = $this->oauth->getToken($code); // CSRF possible
// VULNERABLE: Trusting social provider email
$email = $oauthUser->getEmail();
$user = $this->findOrCreateByEmail($email); // Account takeover risk
# Weak hashing
Grep: "md5\(\$|sha1\(\$|hash\(['\"]sha" --glob "**/*.php"
# Missing session_regenerate_id
Grep: "session_start" --glob "**/*.php"
Grep: "session_regenerate_id" --glob "**/*.php"
# Weak random
Grep: "rand\(|mt_rand\(|uniqid\(" --glob "**/*.php"
# Cookie without flags
Grep: "setcookie\([^,]+,[^,]+\)" --glob "**/*.php"
| Pattern | Severity |
|---|---|
| Plain text password | 🔴 Critical |
| Weak hashing (MD5/SHA1) | 🔴 Critical |
| Missing auth check | 🔴 Critical |
| Session fixation | 🔴 Critical |
| Predictable tokens | 🔴 Critical |
| No rate limiting | 🟠 Major |
| User enumeration | 🟠 Major |
| Cookie without flags | 🟡 Minor |
// Hash
$hash = password_hash($password, PASSWORD_ARGON2ID);
// Verify
if (password_verify($password, $hash)) { }
// Rehash on login if needed
if (password_needs_rehash($hash, PASSWORD_ARGON2ID)) {
$newHash = password_hash($password, PASSWORD_ARGON2ID);
$user->setPassword($newHash);
}
$token = bin2hex(random_bytes(32));
$hashedToken = hash('sha256', $token);
// Store $hashedToken, send $token to user
// On verify: hash submitted token and compare
session_start([
'cookie_lifetime' => 0,
'cookie_secure' => true,
'cookie_httponly' => true,
'cookie_samesite' => 'Strict',
'use_strict_mode' => true,
]);
### Authentication Issue: [Description]
**Severity:** 🔴/🟠/🟡
**Location:** `file.php:line`
**CWE:** CWE-287 (Improper Authentication)
**Issue:**
[Description of the authentication weakness]
**Attack Vector:**
[How attacker exploits this]
**Code:**
```php
// Vulnerable code
Fix:
// Secure implementation
npx claudepluginhub dykyi-roman/awesome-claude-code --plugin accAudits authentication in web apps/APIs: password hashing, JWT handling, sessions, OAuth flows, MFA, and account controls against OWASP/NIST standards.
Detects weak password storage, flawed JWT validation, sessions surviving logout, and missing MFA in authentication code.
Analyzes PHP code for authorization issues including missing access control, IDOR, privilege escalation, and role-based gaps. Use for security reviews in PHP apps.