ghostonbutterbread/payment-testing
skills/payment-testing/SKILL.md
Route checkout, billing, subscriptions, coupons, credits, gift cards, invoices, refunds, payment authorization, and paid-entitlement testing into safe zero-dollar-first workflows.
testing
Updated Jun 4, 2026
$ install --global
skillsauthnpx skillsauth add ghostonbutterbread/bug-bounty-harness payment-testingInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Jun 4, 2026, 3:18 AM166.3s8 files scanned
SKILL.md
- name:
- payment-testing
- description:
- Route checkout, billing, subscriptions, coupons, credits, gift cards, invoices, refunds, payment authorization, and paid-entitlement testing into safe zero-dollar-first workflows.
Payment Testing
Use for checkout, billing, subscriptions, invoices, coupons, gift cards, credits, refunds, payment authorization, payment processor boundaries, and paid entitlement workflows.
This is a payment workflow router. Most tests should stop before a real purchase: map the flow, reach the processor boundary when needed, and verify what the backend trusts after decline, zero-dollar checkout, or owned-account state changes.
Load Order
- Read scope, owned-account context, and active live-testing policy.
- Read
/payment-testing-policybefore touching payment forms, payment methods, purchases, subscriptions, refunds, credits, gift cards, invoices, or entitlements. - Resolve
$HARNESS_ROOT; default is/home/ryushe/projects/bug_bounty_harness. - Read
$HARNESS_ROOT/prompts/payment-testing-context-pack.md. - Read only the focused technique pack matching observed behavior:
- cart total can reach
$0->zero-dollar.md - request has
paid,success,status,price,currency,amount,quantity,plan,seats, or entitlement fields ->client-trust.md - coupon, credit, promo, gift card, wallet, points, or store balance ->
coupons-credits-gift-cards.md - plan, trial, subscription, renewal, seat, feature flag, or paid workspace entitlement ->
subscription-entitlements.md - card form, setup intent, payment intent, hosted checkout, webhook-like callback, or decline path ->
processor-boundary.md - refund, cancellation, invoice, receipt, tax, shipping, or fulfillment state ->
refunds-invoices.md - duplicate submit, concurrent redeem, finalize, or state transition ->
race-state.md
- cart total can reach
- Load
$HARNESS_ROOT/prompts/payment-testing-playbook.mdfor full workflow mapping, stuck analysis, or report writing. - Route cross-skill work instead of duplicating it:
- one live request capture or intercept ->
/single-request-grabber - access control, customer/invoice/subscription object ownership ->
/access-controlor/idor - concurrency ->
/race - header/method/path tricks ->
/headersor/bypass
- one live request capture or intercept ->
Workflow
- Identify the cheapest non-charging path that answers the hypothesis.
- Capture the full flow with owned accounts/resources: cart, quote, checkout session, payment boundary, confirmation, entitlement, invoice, and cleanup.
- Classify one lane from the context pack and load one technique pack.
- Test backend validation by modifying owned-account requests, never by forcing real fraud or card testing.
- Stop at the first proof or stop condition, then write a handoff/result card.
Proof Standard
Promote only when evidence shows a real backend trust failure: unpaid or underpaid entitlement, total manipulation accepted server-side, coupon/credit/gift-card balance abuse, cross-account billing object access, duplicate redemption, refund/credit abuse, or order/subscription state advanced without valid authorization.
Do not promote UI-only price changes, localStorage-only state, processor-hosted declines without app impact, public invoices, owned-account-only expected access, or speculation from response wording.
Stop Conditions
Stop and ask Ryushe if the next step would spend money, authorize more than policy allows, trigger fulfillment, modify a non-disposable subscription, contact support/vendor review, touch non-owned billing data, repeat failed card attempts, test fraud/risk controls, or require raw card/token material in prompts or logs.
Stop immediately if paid entitlement appears without confirmed payment authorization, a non-owned payment object appears, or temp card $0 unexpectedly succeeds.
Evidence
Write notes under $HARNESS_SHARED_BASE/{program}/ghost/payment-testing/.
Record:
- owned account/resource aliases and destructible status
- full URL, method, auth state, and timestamp
- item, plan, quantity, currency, price, coupon, credit, gift-card, or subscription fields tested
- loaded technique pack
- original request shape and non-secret modified fields
- processor boundary reached and decline/authorization/zero-dollar result
- entitlement, invoice, order, fulfillment, or cleanup state
- stop condition and next safe test
Never record raw card numbers, CVV, expiry, billing address, payment tokens, processor secrets, cookies, auth headers, or screenshots containing payment details.
Related Skills
ghostonbutterbread/stored-xss
documentation
VerifiedTrustedCommunity
Use when attacker-controlled input is saved and rendered later in a profile, comment, title, notification, admin view, export, email, feed, upload metadata, or other stored render surface.
SKILL.mdUpdated Jun 6, 2026
ghostonbutterbread/reflected-xss
content-media
VerifiedTrustedCommunity
Use when attacker-controlled input appears in the immediate HTTP response or browser-rendered page and needs reflected XSS context classification, payload selection, mutation, and browser verification.
SKILL.mdUpdated Jun 6, 2026
ghostonbutterbread/pwnfox
data-ai
VerifiedTrustedCommunity
Use when inspecting proxy traffic from PwnFox-profiled browser sessions, filtering Caido/Burp/proxy history by X-PwnFox-Color, or interpreting user phrases like 'Red session' as a distinct browser/auth/profile lane.
SKILL.mdUpdated Jun 6, 2026
ghostonbutterbread/skills/lfi
tools
VerifiedTrustedCommunity
# LFI — Local File Inclusion Bypass ## What It Does Tests LFI bypass techniques: path traversal, null bytes, wrappers, log poisoning. Load `general-security-testing-policy`, `live-testing-policy`, and `injection-testing-policy` before live testing. For file/path sinks, absence of an immediate file read or response delta is not a stop reason by itself; use the policy to reason about path normalization, extension allowlists, wrappers, encoding, parser differences, and stack-specific proof ladder
SKILL.mdUpdated Jun 6, 2026