bb-methodology

Vendored note (this repo). Adapted from the standalone claude-bug-bounty project. The upstream executable scaffolding — helper scripts (tools/*.py, tools/*.sh), the standalone wordlists/ pipeline, and slash-commands (/recon, /hunt, /validate, /report, …) — is not bundled here: run tooling through the MCP server (run_tool / run_pipeline / run_script) and install via the project installer/registry. Any static deep-dive files this skill needs are vendored into its own references/ folder, and cross-skill references resolve by skill name (e.g. the bb-methodology skill). Some named tools may not be in tools_config.json yet — add them with the add-tool skill or install upstream.

Bug Bounty Methodology: Workflow + Mindset

Master orchestrator for hunting sessions. Combines the 5-phase non-linear workflow with the critical thinking framework that separates top 1% hunters from the rest.

---

PART 1: MINDSET (How to Think)

Core Principle

Hunting is not "find a bug" -- it is "prove an attack scenario." Think like an attacker with a specific goal, not a scanner looking for patterns.

Daily Discipline: Define, Select, Execute

Before touching any tool:

1. Define: "Today I target [feature/domain] to achieve [CIA impact]"
2. Select: Choose 1-2 vuln classes (IDOR, Race Condition, etc.)
3. Execute: Focus ONLY on selected techniques. No wandering.

5 Ultimate Goals (Pick One Per Session)

1. Confidentiality -- steal data the attacker shouldn't see
2. Integrity -- modify data the attacker shouldn't change
3. Availability -- disrupt service (app-level DoS only)
4. Account Takeover -- control another user's account
5. RCE -- execute commands on the server

4 Thinking Domains

1. Critical Thinking (deep analysis)

Question trust boundaries:

• Frontend control disabled? Send request directly via proxy
• user_role=user cookie? Change to admin
• price=1000 in POST? Change to 1
• <script> blocked? Try <img onerror=...>

Reverse-engineer developer psychology:

• Feature A has auth checks -> Similar feature B (newly added) probably doesn't
• Complex flows (coupon + points + refund) -> Edge cases have bugs
• /api/v2/user exists -> Does /api/v1/user still work with weaker auth?

What-If experiments:

• Skip checkout -> hit /checkout/success directly
• Skip 2FA -> navigate to /dashboard
• Send coupon request 10x simultaneously -> Race condition?
• Replace guid=f8a2... with id=100 on sibling endpoint -> IDOR?

2. Multi-Perspective (multiple angles)

Perspective	What to check
Horizontal (same role)	User A's token + User B's ID -> IDOR
Vertical (different role)	Regular user -> /admin/deleteUser
Data flow (proxy view)	Hidden params in JSON: debug=false, discount_rate
Time/State	Race conditions, post-delete session reuse
Client environment	Mobile UA -> legacy API with weaker auth
Business impact	"What's the $ damage if this breaks?"

3. Tactical Thinking (pattern detection)

• Naming anomaly: userId everywhere but suddenly user_id -> different dev, weaker security
• Error diff: Same 403 but different JSON structure -> different backend systems
• Environment diff: Prod vs Dev/Staging -> debug headers, CSP disabled
• Version diff: JS file before/after update -> new endpoints, removed params
• Supply chain: Check framework/library versions for known CVEs
• Third-party integration: Stripe/Auth0/Intercom -> webhook signature missing?

4. Strategic Thinking (big picture)

• Asymmetry: Defender must patch ALL holes. You only need ONE.
• Intuition engineering: Log why something "feels wrong." Verify later. Update mental DB.
• Unknown management: Can't understand something? Add to "investigate later" list. Just-in-Time Learning.

5. AI-Assisted Thinking (model as a second analyst)

Use AI to expand hypotheses, not to declare verdicts. The model is a fast adversarial planner; the browser, proxy, and live requests are the proof layer.

• Decompose the feature: ask for actors, assets, entry points, state transitions, and trust boundaries.
• Generate sibling paths: versioned endpoints, mobile routes, legacy APIs, alternate roles, and admin-only variants.
• Build a role matrix: anonymous, user A, user B, stale session, fresh session, admin, service account.
• Ask for dev shortcuts: "Where would a tired developer skip a check or reuse a helper?"
• Ask for chains: "If this bug is real, what bug B and C sit next to it?"
• Turn ideas into requests: every AI suggestion must become a single reproducible HTTP experiment.
• Kill weak signals fast: if AI cannot point to a concrete request, response diff, or cross-account delta, the idea stays as a hypothesis.

High-signal prompts:

• "Given this endpoint and feature, list the 10 most likely trust-boundary mistakes."
• "What sibling endpoints, methods, or roles should I test next?"
• "Which bug class would a rushed implementation likely miss here?"
• "What does the smallest proof request look like?"
• "What would make this become a real report instead of a scanner hit?"

Amateur vs Pro: 7-Phase Comparison

Phase	Amateur	Pro
Recon	Main domain only	Shadow IT, dev environments, all assets
Discovery	Look for errors	Look for design contradictions, business logic flaws
Exploit	Give up when blocked	Build filter-bypass payloads
Escalation	Report the phenomenon only	Chain to real harm (session steal, ATO)
Feasibility	Include unrealistic conditions	Minimize attack prerequisites
Reporting	State facts only	Quantify business risk
Retest	Check if old PoC fails	Analyze fix method, find incomplete patches

Two Approach Routes

• Route A (Feature-based): "This feature is complex" -> deep-dive its input handling -> find vuln
• Route B (Vuln-based): "I want IDOR" -> find endpoints with sequential IDs -> test access control

Anti-Patterns (Stop Doing These)

• Program hopping: Stick with one target minimum 2 weeks / 30 hours
• Tool-only hunting: Automation finds duplicates. Manual testing finds unique bugs.
• Rabbit hole: Max 45 min per parameter. Set a timer. If stuck, sleep on it.
• No goal: "Just looking around" = wasted time. Always Define first.

---

PART 2: WORKFLOW (What to Do)

The 5-Phase Non-Linear Flow

+-------------------------------------------------+
|                                                 |
|  +----------+    +----------+    +----------+   |
|  | 1. RECON |---+| 2. MAP   |---+| 3. FIND  |  |
|  +----------+    +-----+----+    +-----+-----+  |
|       ^                |               |         |
|       |                v               v         |
|       |          +----------+    +----------+    |
|       +----------| 4. PROVE |---+| 5. REPORT|   |
|                  +----------+    +----------+    |
|                                                  |
|  Non-linear: stuck at any phase -> go back       |
|  New API found at phase 3 -> return to phase 2   |
|  WAF blocks at phase 4 -> origin IP from phase 1 |
+-------------------------------------------------+

THIS IS NOT LINEAR. Move freely between phases. When stuck, return to a previous phase.

Phase 0: SESSION START (Every Time)

Before touching any tool, answer these:

1. Define: "Today I target [feature/domain] to achieve [C/I/A/ATO/RCE]"
2. Select: Choose 1-2 vuln classes (IDOR, XSS, SSRF, etc.)
3. Execute: Focus ONLY on selected techniques
4. Identity: Anonymous or authenticated? If the bugs you're hunting need a session (IDOR, BOLA, privilege escalation, auth bypass, mass-assignment), pass the target's auth header (-H 'Cookie: …' / -H 'Authorization: Bearer …') to each MCP run_tool call (httpx, katana, ffuf, nuclei, dalfox, PoC verifiers). The MCP audit log redacts credential-shaped strings before writing.

Route selection -- Wide or Deep?

Signal	Wide (recon sweep)	Deep (focused testing)
New program, first day	X
Wildcard scope *.target.com	X
Main webapp, been here >3 days		X
Scope update (new domain added)	X
Found interesting subdomain		X
Hunting IDOR / BOLA / auth bugs		X (auth-aware)

Phase 1: RECON

Goal: Maximize attack surface. Find what others missed.

Wide approach (initial sweep):

Subdomain enum -> DNS resolution -> HTTP probing -> Port scan -> Tech detect

Deep approach (targeted):

Google Dorks -> JS file download -> Hidden param discovery -> API mapping

What you find	Next action
Live subdomains with tech stack	Phase 2 (Mapping)
Known software (WordPress, Jira)	Check CVEs + defaults immediately
Cloud resources (S3, Firebase)	Test permissions (read/write/list)
Nothing after 5 min on a host	Skip, try next host (5-minute rule)

Recon: run the web2-recon skill against target.com (subfinder/httpx/katana/nuclei via MCP run_tool).

Phase 2: MAPPING & ANALYSIS

Goal: Understand the app like its developer does.

Checklist:

• Map all endpoints (Burp/Caido sitemap + JS analysis)
• Identify auth model (cookie, JWT, OAuth, SAML?)
• Find business-critical flows (payment, registration, password reset, data export)
• Download and analyze JS files for hidden routes, secrets, logic
• Identify roles and permissions (user, admin, API keys)
• Note "weird" behaviors (anomalies in naming, errors, timing)

What you find	Next action
JS files with interesting code	Taint analysis (Sink -> Source)
OAuth/SAML authentication	OAuth/SAML checklist
API with ID parameters	Phase 3, target IDOR
Complex business logic (payment, coupon)	Phase 3, target BizLogic
postMessage listeners	DOM analysis, postMessage-tracker

Phase 3: VULNERABILITY DISCOVERY

Goal: Find the bug. Use Error-based first, then Blind-based.

Decision flow based on what you're testing:

What input are you testing?
+-- ID parameter (user_id, order_id)
|   -> IDOR checklist
+-- Search/filter/sort field
|   -> SQLi, NoSQLi probing
+-- URL input / webhook / PDF gen
|   -> SSRF checklist
+-- Text field reflected in page
|   -> XSS (DOM or reflected)
+-- File upload
|   -> SVG XSS, web shell, path traversal
+-- Price/quantity/coupon
|   -> Business logic, race conditions
+-- Login / 2FA / password reset
|   -> Auth bypass
+-- Profile update API
|   -> Mass Assignment
+-- Template / wiki editor
|   -> SSTI
+-- Nothing obvious
    -> Fuzz with ffuf, try Error-based probing

Error vs Blind decision:

1. Try Error-based first (send ', ", {{7*7}}, ${7*7}) -- watch for 500 errors, stack traces
2. No error? Time-based (SLEEP(10), ; sleep 10;) -- watch response time
3. No time diff? OOB (curl attacker.com, interactsh) -- watch for DNS callback
4. Still nothing? Boolean (AND 1=1 vs AND 1=0) -- watch content-length diff

What you find	Next action
Low-impact behavior (redirect, self-XSS, cookie injection)	Chain it -- find a connector gadget
Confirmed vuln (XSS, IDOR, SQLi)	Phase 4 (Prove and Escalate)
Blocked by WAF/CSP/403	Bypass techniques, then retry
Known software vuln (CVE)	1-day speed workflow
Nothing after 20 min on this endpoint	Rotate (20-minute rule)

Phase 4: PROVE & ESCALATE

Goal: Prove maximum business impact. Turn Low into Critical.

Escalation decision:

What did you find?
+-- XSS
|   +-- Can steal cookie/token? -> Session hijack -> ATO
|   +-- Cookie is HttpOnly? -> Force email change via XHR -> ATO
|   +-- Self-XSS only? -> Find CSRF to trigger it
+-- IDOR
|   +-- Can read PII? -> Automate scraping, show scale
|   +-- Can change password/email? -> Direct ATO
|   +-- UUID only? -> Find UUID leak source, then retry
+-- SSRF
|   +-- DNS only? -> DON'T REPORT. Try cloud metadata
|   +-- Can reach 169.254.169.254? -> Extract keys -> RCE
|   +-- Internal port scan? -> Find Redis/K8s -> RCE
+-- SQLi
|   +-- Error-based? -> Extract data (passwords, tokens)
|   +-- Can INTO OUTFILE? -> Web shell -> RCE
|   +-- Blind? -> Boolean/Time extraction
+-- Open Redirect
|   +-- OAuth flow? -> Token theft -> ATO
|   +-- javascript: scheme? -> XSS
+-- Blocked by defense
|   -> Bypass (WAF/CSP/proxy/sanitizer/2FA)
+-- Low-impact, can't escalate alone
    -> Find connector gadget for chain

After proving impact, check:

• Can attack work with 0-1 clicks? (minimize prerequisites)
• Does it affect all users or specific role?
• What's the business $ impact?

Phase 5: VALIDATE & REPORT

Goal: Get paid. Make triager's job easy.

Pre-report gate:

Run the triage-validation skill (7-Question Gate)
+-- All 7 pass? -> Write report
+-- Any fail? -> KILL the finding. Don't waste time.
+-- Borderline? -> Run the finding-triage coordinator for quick go/no-go

Report:

Run the report-writing skill
+-- Platform-specific format (H1/Bugcrowd/Intigriti/Immunefi)
+-- Title: [Bug Class] in [Endpoint] allows [role] to [impact]
+-- Impact-first summary (sentence 1 = what attacker CAN do)
+-- Exact HTTP requests in Steps to Reproduce
+-- Under 600 words
+-- CVSS 3.1 score that MATCHES actual impact

After submission:

• While waiting for triage: try to escalate further (A->B signal method)
• If fix deployed: re-test for bypass (incomplete patch = new bug)
• Record finding with /remember for hunt memory

---

PART 3: NAVIGATION & TIMING

Non-Linear Navigation Quick Reference

I'm stuck because...	Go to...
Can't find any subdomains	Phase 1: Try different recon sources, Google Dorks
Found subdomain but don't know what to test	Phase 2: Map the app, download JS, understand auth
Testing but nothing works	Phase 3: Switch vuln class (20-min rotation rule)
Found a bug but impact is low	Phase 4: Escalation paths or gadget chaining
WAF/CSP/403 blocking my payload	Bypass techniques, then return to current phase
Been stuck for 45 min on one param	STOP. Rabbit hole. Move to next endpoint.
New API endpoint discovered during testing	Return to Phase 2: map it before attacking
Found one bug	A->B signal: same dev made more mistakes. Hunt 20 min for siblings.

20-Minute Rotation Clock

Every 20 minutes ask yourself: "Am I making progress?"

• Yes -> Continue
• No -> Rotate to next: endpoint -> subdomain -> vuln class -> target
• Been on same target 2+ weeks with no findings? -> Consider switching program

Tool Routing by Phase

Phase	Tools	Why this order
Recon: Subdomains	subfinder -> amass -> puredns -> httpx	Passive first (no detection) -> resolve DNS -> probe HTTP + tech stack
Recon: URLs	gau + waymore -> katana -> uro	Archive (forgotten endpoints) -> active crawl (JS-rendered) -> deduplicate
Recon: JS	jsluice + mantra + trufflehog --only-verified	Extract URLs/secrets -> find API keys -> verify keys actually work
Recon: Ports	naabu (wide) -> rustscan (deep)	Fast top-1000 sweep -> full 65535 on interesting targets
Recon: Scan	nuclei -tags cve -> nuclei -tags takeover	Known CVEs first -> then takeover (act immediately)
Mapping: Params	arjun + paramspider + ParamMiner	Brute-force hidden params + mine archives + cache headers
Mapping: JS code	Download -> jsluice -> VS Code/Cursor grep	Extract -> static analysis -> AI-assisted taint analysis
Mapping: Dorks	Manual Google Dorks	Custom per-target queries find what automation misses
Discovery: Fuzz	ffuf -ac + cewl custom wordlist	Auto-calibrate filtering + target-specific words beat generic lists
Discovery: XSS	kxss -> dalfox	Filter (which params reflect?) -> scan (only reflective params)
Discovery: SQLi	ghauri	Modern blind SQLi on ID-like parameters
Discovery: SSRF	interactsh-client	Self-hosted OOB listener for blind SSRF/XXE/RCE
Discovery: WAF	wafw00f -> whatwaf	Identify WAF vendor -> test bypass techniques
Exploit: 403	byp4xx or nomore403	20+ bypass techniques automated
Exploit: Takeover	subzy	Checks CNAME against 70+ vulnerable services
Exploit: Cloud	s3scanner + aws CLI	Scan bucket permissions -> extract metadata credentials
Exploit: Secrets	trufflehog --only-verified	Only verified working keys (no false positives)

Session End Checklist

• Save all Burp/Caido project files
• Record any "weird but not yet exploitable" behaviors (future gadgets)
• Update notes with failed attempts (don't re-test with same techniques)
• Log findings with /remember