authz-security


Authorization Security Scanner

This skill turns the model into an authorization reviewer. Read the routes, controllers, resolvers, and data models; walk the detection passes; report each missing access-control check with a severity and a concrete, framework-correct fix. No tools to install, no app to run, no credentials — the analysis is the model reading the code.

Broken access control is the OWASP Top 10's #1 web risk (A01) and the top two API risks (API1 BOLA, API5 BFLA). It tops the lists precisely because automated tools miss it: there is no dangerous function call to grep for. The bug is the absence of a check, and confirming it requires understanding the application's ownership model — which is exactly what a model reading the code can do and a signature scanner cannot.

Mental model

Authentication answers "who are you?" Authorization answers "are you allowed to do this, to this specific object?" This skill is only about the second question. A handler can be perfectly authenticated and still be a critical vulnerability.

Every privileged operation can be escalated along two axes:

  • Horizontal — acting on another user's object at the same privilege level. Change an object identifier (/orders/1042 to /orders/1043) and you read someone else's data. This is BOLA / IDOR (OWASP API1).
  • Vertical — reaching a function above your privilege level. A normal user hitting an admin endpoint. This is BFLA (OWASP API5).

The defect is almost always missing code, not wrong code: a query that filters by object id but not by owner, an admin route guarded by "is logged in" but not "is admin," a body that binds straight to a model. So you are scanning for a gap, not a pattern.
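The three gaps named above, each shown as the vulnerable handler beside its fixed form. This is an added example written for this page, not code from the skill or from superagent-ai/skills; it uses a hypothetical in-memory store with constructed sample data instead of a web framework, and the `User`, `Order`, handler and `Forbidden`/`NotFound` names are assumptions. The point is the shape of the missing line in each case: an owner condition in the lookup, a role condition on the admin route, and an allow-list between the request body and the model.

```python
"""Added example (not the skill's own code): the three "missing check" gaps
from the text, each as a vulnerable handler next to its fixed form.
Hypothetical in-memory app; names and data are constructed."""
from dataclasses import dataclass
from typing import Optional


class Forbidden(Exception):
    """Would be an HTTP 403 in a real handler."""


class NotFound(Exception):
    """Would be an HTTP 404 in a real handler."""


@dataclass
class User:
    id: int
    role: str  # "user" or "admin"


@dataclass
class Order:
    id: int
    owner_id: int
    total: int
    status: str = "open"


def sample_orders() -> dict:
    # Constructed sample data: one order each for user 1 and user 2.
    return {
        1042: Order(1042, owner_id=1, total=50),
        1043: Order(1043, owner_id=2, total=75),
    }


def denied(fn, *args) -> bool:
    """True if the handler refuses the request (403 or 404)."""
    try:
        fn(*args)
        return False
    except (Forbidden, NotFound):
        return True


# --- Gap 1: horizontal (BOLA / IDOR): query filters by id but not by owner ---
def get_order_vulnerable(orders: dict, current: User, order_id: int) -> Order:
    # Lookup keyed on the object id only: any logged-in user reads any order.
    order = orders.get(order_id)
    if order is None:
        raise NotFound
    return order


def get_order_fixed(orders: dict, current: User, order_id: int) -> Order:
    # The owner is part of the lookup. Answering 404 rather than 403 for
    # someone else's object also avoids confirming that the id exists.
    order = orders.get(order_id)
    if order is None or order.owner_id != current.id:
        raise NotFound
    return order


# --- Gap 2: vertical (BFLA): admin route guarded by "is logged in" only ---
def list_all_orders_vulnerable(orders: dict, current: Optional[User]) -> list:
    if current is None:  # authentication only; any user reaches admin data
        raise Forbidden
    return list(orders.values())


def list_all_orders_fixed(orders: dict, current: Optional[User]) -> list:
    if current is None or current.role != "admin":  # authorization added
        raise Forbidden
    return list(orders.values())


# --- Gap 3: mass assignment: request body bound straight to the model ---
def update_order_vulnerable(orders: dict, current: User, order_id: int, body: dict) -> Order:
    order = get_order_fixed(orders, current, order_id)
    for key, value in body.items():  # every field the client sends is written
        setattr(order, key, value)
    return order


CLIENT_WRITABLE = {"status"}  # explicit allow-list of fields a user may set


def update_order_fixed(orders: dict, current: User, order_id: int, body: dict) -> Order:
    order = get_order_fixed(orders, current, order_id)
    unknown = set(body) - CLIENT_WRITABLE
    if unknown:  # reject rather than silently drop, so the attempt is visible
        raise Forbidden(f"not client-writable: {sorted(unknown)}")
    for key in CLIENT_WRITABLE & set(body):
        setattr(order, key, body[key])
    return order


if __name__ == "__main__":
    alice, admin = User(1, "user"), User(9, "admin")
    orders = sample_orders()
    print("cross-user read, vulnerable:", get_order_vulnerable(orders, alice, 1043))
    print("cross-user read, fixed denied:", denied(get_order_fixed, orders, alice, 1043))
    print("admin list by user, fixed denied:", denied(list_all_orders_fixed, orders, alice))
    print("total overwrite, fixed denied:",
          denied(update_order_fixed, orders, alice, 1042, {"status": "paid", "total": 0}))
```

When reviewing real code, the question for each handler is which of these conditions is present: look for the owner term in the query, the role term on the guard, and the allow-list (or explicit field copy) before the save. A handler with only the authentication check is the case the text describes as "is logged in" but not "is admin".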

When you cannot tell whether a check exists, assume it does not, and flag it for confirmation. The cost of a false positive is a review comment. The cost of a false negative is every user's data. This asymmetry governs every judgment call below.

First Seen
Jun 2, 2026
authz-security — superagent-ai/skills