ghostonbutterbread/headers
skills/headers/SKILL.md
Route security testing for HTTP header trust, origin validation, proxy context, route overrides, host routing, method overrides, content negotiation, and auth-header precedence.
development
Updated May 30, 2026
$ install --global
skillsauthnpx skillsauth add ghostonbutterbread/bug-bounty-harness headersInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 30, 2026, 2:44 AM134.1s1 file scanned
SKILL.md
- name:
- headers
- description:
- Route security testing for HTTP header trust, origin validation, proxy context, route overrides, host routing, method overrides, content negotiation, and auth-header precedence.
Headers
Use when the security question depends on how the server interprets request headers.
This is a RAG-style mechanism skill. Classify the header lane first, load one focused reference pack, then test only the smallest safe mutation set.
Load Order
- Read program scope, owned-account context, and active live-testing policy.
- Resolve
$HARNESS_ROOT; default is/home/ryushe/projects/bug_bounty_harness. - Read
$HARNESS_ROOT/prompts/headers-context-pack.md. - Classify the lane:
OriginorRefererbehavior ->$HARNESS_ROOT/skills/headers/references/technique-packs/origin.md- client IP or proxy trust ->
$HARNESS_ROOT/skills/headers/references/technique-packs/proxy-trust.md - internal route rewrite or forbidden path access ->
$HARNESS_ROOT/skills/headers/references/technique-packs/route-override.md - HTTP method tunneling ->
$HARNESS_ROOT/skills/headers/references/technique-packs/method-override.md - tenant, virtual host, or upstream routing ->
$HARNESS_ROOT/skills/headers/references/technique-packs/host-routing.md Accept,Content-Type, charset, compression, or API version behavior ->$HARNESS_ROOT/skills/headers/references/technique-packs/content-negotiation.md- auth header/session precedence ->
$HARNESS_ROOT/skills/headers/references/technique-packs/auth-context.md
- Read
$HARNESS_ROOT/prompts/headers-playbook.mdfor deep review, stuck analysis, or report writing. - Route instead of duplicating:
- concrete
403endpoint ->/403 - broad bypass or parser mutation ->
/bypass - CORS policy impact ->
/csrfor future/cors - direct object ownership ->
/access-controlor/idor - browser-generated or one-shot request shape ->
/single-request-grabber
- concrete
Workflow
- Capture a baseline request and response with full URL, method, auth state, cookies, and relevant headers.
- Load one lane reference pack based on observed behavior.
- Mutate one header family at a time.
- Compare response status, redirects, body length, cache headers, downstream route, account boundary, and side effects.
- Stop after a material delta or after the bounded lane fails.
Proof Standard
Promote only when header behavior changes authorization, routing, origin trust, object/account boundary, parser behavior, or security policy in a reproducible way.
Do not promote cosmetic error changes, cache artifacts, same-content redirects, public data, or caller-owned access.
Stop Conditions
Stop before touching real-user data, bypassing explicit target policy, escalating outside approved accounts, performing destructive state changes, or continuing after rate-limit/WAF enforcement. Route those cases to /waf, /403, /access-control, or Ryushe for approval.
Evidence
Write notes under $HARNESS_SHARED_BASE/{program}/ghost/headers/ or the owning finding lane.
Record full URLs, baseline headers, mutated headers, auth state, owned account/resource used, response delta, loaded reference pack, proof/no-proof result, and next safe test.
Related Skills
ghostonbutterbread/request-exploration
testing
VerifiedTrustedCommunity
Systematic live request mutation: flip booleans, field ops, headers, content-type, parser differentials, replay vs intercept, null/empty testing. Inherits live-testing-policy scope/rate/ownership rules.
SKILL.mdUpdated Jun 13, 2026
ghostonbutterbread/password-reset
development
VerifiedTrustedCommunity
Test password reset, forgot-password, reset-token, email reset, and account recovery flows for account takeover risks.
SKILL.mdUpdated Jun 13, 2026
ghostonbutterbread/intelligent-fuzzing
tools
VerifiedTrustedCommunity
Targeted param/field discovery using tech stack clues, naming conventions, and controlled-rate ffuf — then feeds findings into request-exploration for mutation. Not brute-force; informed and scoped.
SKILL.mdUpdated Jun 13, 2026
ghostonbutterbread/create-account
testing
VerifiedTrustedCommunity
Ghost-only workflow for creating approved bug bounty test accounts and saving credential references.
SKILL.mdUpdated Jun 13, 2026