Initial commit - 611 cybersecurity skills across all subdomains

skills/testing-mobile-api-authentication/references/standards.md

@@ -0,0 +1,35 @@
+# Standards Reference: Mobile API Authentication Testing
+
+## OWASP Mobile Top 10 2024
+
+| OWASP ID | Risk | Testing Focus |
+|----------|------|---------------|
+| M1 | Improper Credential Usage | Hardcoded API keys, credential transmission |
+| M3 | Insecure Authentication/Authorization | Auth bypass, IDOR, privilege escalation |
+
+## OWASP API Security Top 10 2023
+
+| API Risk | Test Case |
+|----------|-----------|
+| API1: Broken Object Level Authorization | Modify object IDs, test cross-user access |
+| API2: Broken Authentication | JWT vulnerabilities, token replay, session management |
+| API3: Broken Object Property Level Auth | Mass assignment, property-level access |
+| API5: Broken Function Level Authorization | Admin endpoint access with user tokens |
+
+## OWASP MASVS v2.0 - MASVS-AUTH
+
+| Control | Test Method |
+|---------|-------------|
+| MASVS-AUTH-1 | Verify authentication enforcement on all sensitive endpoints |
+| MASVS-AUTH-2 | Test token generation, validation, and revocation |
+| MASVS-AUTH-3 | Assess multi-factor authentication implementation |
+
+## CWE Mappings
+
+| CWE | Title | Test |
+|-----|-------|------|
+| CWE-287 | Improper Authentication | Missing auth on endpoints |
+| CWE-639 | Authorization Bypass Through User-Controlled Key | IDOR testing |
+| CWE-798 | Hardcoded Credentials | API key in APK/IPA |
+| CWE-613 | Insufficient Session Expiration | Token lifetime testing |
+| CWE-384 | Session Fixation | Pre-auth token reuse |

skills/testing-mobile-api-authentication/references/workflows.md

@@ -0,0 +1,28 @@
+# Workflows: Mobile API Authentication Testing
+
+## Workflow 1: Authentication Assessment
+
+```
+[Intercept traffic] --> [Map auth endpoints] --> [Analyze token format]
+                                                        |
+                                          +-------------+-------------+
+                                          |             |             |
+                                    [JWT analysis] [OAuth flow]  [Session mgmt]
+                                    [None alg]     [PKCE check]  [Expiration]
+                                    [Key brute]    [Redirect URI] [Logout invalidation]
+                                          |             |             |
+                                          +-------------+-------------+
+                                                        |
+                                                 [IDOR testing]
+                                                 [Privilege escalation]
+                                                 [Report findings]
+```
+
+## Decision Matrix: Token Vulnerability Testing
+
+| Token Type | Primary Tests | Tools |
+|-----------|--------------|-------|
+| JWT (HS256) | Key brute force, none algorithm, claim manipulation | jwt_tool, hashcat |
+| JWT (RS256) | Algorithm confusion, public key retrieval, key ID manipulation | jwt_tool |
+| Opaque | Entropy analysis, predictability, server-side invalidation | Burp Sequencer |
+| OAuth Bearer | Scope escalation, redirect URI manipulation, PKCE enforcement | Burp, Postman |