shuvonsec/bb-methodology
skills/bb-methodology/SKILL.md
Use at the START of any bug bounty hunting session, when switching targets, or when feeling lost about what to do next. Master orchestrator that combines the 5-phase non-linear hunting workflow with the critical thinking framework (developer psychology, anomaly detection, What-If experiments). Routes to all other skills based on current hunting phase. Also use when asking "what should I do next" or "where am I in the process."
$ install --global
skillsauthnpx skillsauth add shuvonsec/claude-bug-bounty bb-methodologyInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 12, 2026, 4:46 AM144.3s1 file scanned
SKILL.md
- name:
- bb-methodology
- description:
- Use at the START of any bug bounty hunting session, when switching targets, or when feeling lost about what to do next. Master orchestrator that combines the 5-phase non-linear hunting workflow with the critical thinking framework (developer psychology, anomaly detection, What-If experiments). Routes to all other skills based on current hunting phase. Also use when asking "what should I do next" or "where am I in the process.
Bug Bounty Methodology: Workflow + Mindset
Master orchestrator for hunting sessions. Combines the 5-phase non-linear workflow with the critical thinking framework that separates top 1% hunters from the rest.
PART 1: MINDSET (How to Think)
Core Principle
Hunting is not "find a bug" -- it is "prove an attack scenario." Think like an attacker with a specific goal, not a scanner looking for patterns.
Daily Discipline: Define, Select, Execute
Before touching any tool:
- Define: "Today I target [feature/domain] to achieve [CIA impact]"
- Select: Choose 1-2 vuln classes (IDOR, Race Condition, etc.)
- Execute: Focus ONLY on selected techniques. No wandering.
5 Ultimate Goals (Pick One Per Session)
- Confidentiality -- steal data the attacker shouldn't see
- Integrity -- modify data the attacker shouldn't change
- Availability -- disrupt service (app-level DoS only)
- Account Takeover -- control another user's account
- RCE -- execute commands on the server
4 Thinking Domains
1. Critical Thinking (deep analysis)
Question trust boundaries:
- Frontend control disabled? Send request directly via proxy
user_role=usercookie? Change toadminprice=1000in POST? Change to1<script>blocked? Try<img onerror=...>
Reverse-engineer developer psychology:
- Feature A has auth checks -> Similar feature B (newly added) probably doesn't
- Complex flows (coupon + points + refund) -> Edge cases have bugs
/api/v2/userexists -> Does/api/v1/userstill work with weaker auth?
What-If experiments:
- Skip checkout -> hit
/checkout/successdirectly - Skip 2FA -> navigate to
/dashboard - Send coupon request 10x simultaneously -> Race condition?
- Replace
guid=f8a2...withid=100on sibling endpoint -> IDOR?
2. Multi-Perspective (multiple angles)
| Perspective | What to check |
|------------|---------------|
| Horizontal (same role) | User A's token + User B's ID -> IDOR |
| Vertical (different role) | Regular user -> /admin/deleteUser |
| Data flow (proxy view) | Hidden params in JSON: debug=false, discount_rate |
| Time/State | Race conditions, post-delete session reuse |
| Client environment | Mobile UA -> legacy API with weaker auth |
| Business impact | "What's the $ damage if this breaks?" |
3. Tactical Thinking (pattern detection)
- Naming anomaly:
userIdeverywhere but suddenlyuser_id-> different dev, weaker security - Error diff: Same 403 but different JSON structure -> different backend systems
- Environment diff: Prod vs Dev/Staging -> debug headers, CSP disabled
- Version diff: JS file before/after update -> new endpoints, removed params
- Supply chain: Check framework/library versions for known CVEs
- Third-party integration: Stripe/Auth0/Intercom -> webhook signature missing?
4. Strategic Thinking (big picture)
- Asymmetry: Defender must patch ALL holes. You only need ONE.
- Intuition engineering: Log why something "feels wrong." Verify later. Update mental DB.
- Unknown management: Can't understand something? Add to "investigate later" list. Just-in-Time Learning.
Amateur vs Pro: 7-Phase Comparison
| Phase | Amateur | Pro | |-------|---------|-----| | Recon | Main domain only | Shadow IT, dev environments, all assets | | Discovery | Look for errors | Look for design contradictions, business logic flaws | | Exploit | Give up when blocked | Build filter-bypass payloads | | Escalation | Report the phenomenon only | Chain to real harm (session steal, ATO) | | Feasibility | Include unrealistic conditions | Minimize attack prerequisites | | Reporting | State facts only | Quantify business risk | | Retest | Check if old PoC fails | Analyze fix method, find incomplete patches |
Two Approach Routes
- Route A (Feature-based): "This feature is complex" -> deep-dive its input handling -> find vuln
- Route B (Vuln-based): "I want IDOR" -> find endpoints with sequential IDs -> test access control
Anti-Patterns (Stop Doing These)
- Program hopping: Stick with one target minimum 2 weeks / 30 hours
- Tool-only hunting: Automation finds duplicates. Manual testing finds unique bugs.
- Rabbit hole: Max 45 min per parameter. Set a timer. If stuck, sleep on it.
- No goal: "Just looking around" = wasted time. Always Define first.
PART 2: WORKFLOW (What to Do)
The 5-Phase Non-Linear Flow
+-------------------------------------------------+
| |
| +----------+ +----------+ +----------+ |
| | 1. RECON |---+| 2. MAP |---+| 3. FIND | |
| +----------+ +-----+----+ +-----+-----+ |
| ^ | | |
| | v v |
| | +----------+ +----------+ |
| +----------| 4. PROVE |---+| 5. REPORT| |
| +----------+ +----------+ |
| |
| Non-linear: stuck at any phase -> go back |
| New API found at phase 3 -> return to phase 2 |
| WAF blocks at phase 4 -> origin IP from phase 1 |
+-------------------------------------------------+
THIS IS NOT LINEAR. Move freely between phases. When stuck, return to a previous phase.
Phase 0: SESSION START (Every Time)
Before touching any tool, answer these:
- Define: "Today I target [feature/domain] to achieve [C/I/A/ATO/RCE]"
- Select: Choose 1-2 vuln classes (IDOR, XSS, SSRF, etc.)
- Execute: Focus ONLY on selected techniques
- Identity: Anonymous or authenticated? If the bugs you're hunting need a
session (IDOR, BOLA, privilege escalation, auth bypass, mass-assignment),
load auth once at session start — see
docs/auth-sessions.md. Then every downstream tool (httpx, katana, ffuf, nuclei, dalfox, PoC verifiers) sends those headers automatically and audit log entries are stamped with a stablesession_idhash.
Route selection -- Wide or Deep?
| Signal | Wide (recon sweep) | Deep (focused testing) |
|--------|-------------------|----------------------|
| New program, first day | X | |
| Wildcard scope *.target.com | X | |
| Main webapp, been here >3 days | | X |
| Scope update (new domain added) | X | |
| Found interesting subdomain | | X |
| Hunting IDOR / BOLA / auth bugs | | X (auth-aware) |
Phase 1: RECON
Goal: Maximize attack surface. Find what others missed.
Wide approach (initial sweep):
Subdomain enum -> DNS resolution -> HTTP probing -> Port scan -> Tech detect
Deep approach (targeted):
Google Dorks -> JS file download -> Hidden param discovery -> API mapping
| What you find | Next action | |--------------|-------------| | Live subdomains with tech stack | Phase 2 (Mapping) | | Known software (WordPress, Jira) | Check CVEs + defaults immediately | | Cloud resources (S3, Firebase) | Test permissions (read/write/list) | | Nothing after 5 min on a host | Skip, try next host (5-minute rule) |
Command: /recon target.com
Phase 2: MAPPING & ANALYSIS
Goal: Understand the app like its developer does.
Checklist:
- [ ] Map all endpoints (Burp/Caido sitemap + JS analysis)
- [ ] Identify auth model (cookie, JWT, OAuth, SAML?)
- [ ] Find business-critical flows (payment, registration, password reset, data export)
- [ ] Download and analyze JS files for hidden routes, secrets, logic
- [ ] Identify roles and permissions (user, admin, API keys)
- [ ] Note "weird" behaviors (anomalies in naming, errors, timing)
| What you find | Next action | |--------------|-------------| | JS files with interesting code | Taint analysis (Sink -> Source) | | OAuth/SAML authentication | OAuth/SAML checklist | | API with ID parameters | Phase 3, target IDOR | | Complex business logic (payment, coupon) | Phase 3, target BizLogic | | postMessage listeners | DOM analysis, postMessage-tracker |
Phase 3: VULNERABILITY DISCOVERY
Goal: Find the bug. Use Error-based first, then Blind-based.
Decision flow based on what you're testing:
What input are you testing?
+-- ID parameter (user_id, order_id)
| -> IDOR checklist
+-- Search/filter/sort field
| -> SQLi, NoSQLi probing
+-- URL input / webhook / PDF gen
| -> SSRF checklist
+-- Text field reflected in page
| -> XSS (DOM or reflected)
+-- File upload
| -> SVG XSS, web shell, path traversal
+-- Price/quantity/coupon
| -> Business logic, race conditions
+-- Login / 2FA / password reset
| -> Auth bypass
+-- Profile update API
| -> Mass Assignment
+-- Template / wiki editor
| -> SSTI
+-- Nothing obvious
-> Fuzz with ffuf, try Error-based probing
Error vs Blind decision:
- Try Error-based first (send
',",{{7*7}},${7*7}) -- watch for 500 errors, stack traces - No error? Time-based (
SLEEP(10),; sleep 10;) -- watch response time - No time diff? OOB (
curl attacker.com, interactsh) -- watch for DNS callback - Still nothing? Boolean (
AND 1=1vsAND 1=0) -- watch content-length diff
| What you find | Next action | |--------------|-------------| | Low-impact behavior (redirect, self-XSS, cookie injection) | Chain it -- find a connector gadget | | Confirmed vuln (XSS, IDOR, SQLi) | Phase 4 (Prove and Escalate) | | Blocked by WAF/CSP/403 | Bypass techniques, then retry | | Known software vuln (CVE) | 1-day speed workflow | | Nothing after 20 min on this endpoint | Rotate (20-minute rule) |
Phase 4: PROVE & ESCALATE
Goal: Prove maximum business impact. Turn Low into Critical.
Escalation decision:
What did you find?
+-- XSS
| +-- Can steal cookie/token? -> Session hijack -> ATO
| +-- Cookie is HttpOnly? -> Force email change via XHR -> ATO
| +-- Self-XSS only? -> Find CSRF to trigger it
+-- IDOR
| +-- Can read PII? -> Automate scraping, show scale
| +-- Can change password/email? -> Direct ATO
| +-- UUID only? -> Find UUID leak source, then retry
+-- SSRF
| +-- DNS only? -> DON'T REPORT. Try cloud metadata
| +-- Can reach 169.254.169.254? -> Extract keys -> RCE
| +-- Internal port scan? -> Find Redis/K8s -> RCE
+-- SQLi
| +-- Error-based? -> Extract data (passwords, tokens)
| +-- Can INTO OUTFILE? -> Web shell -> RCE
| +-- Blind? -> Boolean/Time extraction
+-- Open Redirect
| +-- OAuth flow? -> Token theft -> ATO
| +-- javascript: scheme? -> XSS
+-- Blocked by defense
| -> Bypass (WAF/CSP/proxy/sanitizer/2FA)
+-- Low-impact, can't escalate alone
-> Find connector gadget for chain
After proving impact, check:
- [ ] Can attack work with 0-1 clicks? (minimize prerequisites)
- [ ] Does it affect all users or specific role?
- [ ] What's the business $ impact?
Phase 5: VALIDATE & REPORT
Goal: Get paid. Make triager's job easy.
Pre-report gate:
Run /validate (7-Question Gate)
+-- All 7 pass? -> Write report
+-- Any fail? -> KILL the finding. Don't waste time.
+-- Borderline? -> Run /triage for quick go/no-go
Report:
Run /report
+-- Platform-specific format (H1/Bugcrowd/Intigriti/Immunefi)
+-- Title: [Bug Class] in [Endpoint] allows [role] to [impact]
+-- Impact-first summary (sentence 1 = what attacker CAN do)
+-- Exact HTTP requests in Steps to Reproduce
+-- Under 600 words
+-- CVSS 3.1 score that MATCHES actual impact
After submission:
- [ ] While waiting for triage: try to escalate further (A->B signal method)
- [ ] If fix deployed: re-test for bypass (incomplete patch = new bug)
- [ ] Record finding with
/rememberfor hunt memory
PART 3: NAVIGATION & TIMING
Non-Linear Navigation Quick Reference
| I'm stuck because... | Go to... | |----------------------|----------| | Can't find any subdomains | Phase 1: Try different recon sources, Google Dorks | | Found subdomain but don't know what to test | Phase 2: Map the app, download JS, understand auth | | Testing but nothing works | Phase 3: Switch vuln class (20-min rotation rule) | | Found a bug but impact is low | Phase 4: Escalation paths or gadget chaining | | WAF/CSP/403 blocking my payload | Bypass techniques, then return to current phase | | Been stuck for 45 min on one param | STOP. Rabbit hole. Move to next endpoint. | | New API endpoint discovered during testing | Return to Phase 2: map it before attacking | | Found one bug | A->B signal: same dev made more mistakes. Hunt 20 min for siblings. |
20-Minute Rotation Clock
Every 20 minutes ask yourself: "Am I making progress?"
- Yes -> Continue
- No -> Rotate to next: endpoint -> subdomain -> vuln class -> target
- Been on same target 2+ weeks with no findings? -> Consider switching program
Tool Routing by Phase
| Phase | Tools | Why this order |
|-------|-------|----------------|
| Recon: Subdomains | subfinder -> amass -> puredns -> httpx | Passive first (no detection) -> resolve DNS -> probe HTTP + tech stack |
| Recon: URLs | gau + waymore -> katana -> uro | Archive (forgotten endpoints) -> active crawl (JS-rendered) -> deduplicate |
| Recon: JS | jsluice + mantra + trufflehog --only-verified | Extract URLs/secrets -> find API keys -> verify keys actually work |
| Recon: Ports | naabu (wide) -> rustscan (deep) | Fast top-1000 sweep -> full 65535 on interesting targets |
| Recon: Scan | nuclei -tags cve -> nuclei -tags takeover | Known CVEs first -> then takeover (act immediately) |
| Mapping: Params | arjun + paramspider + ParamMiner | Brute-force hidden params + mine archives + cache headers |
| Mapping: JS code | Download -> jsluice -> VS Code/Cursor grep | Extract -> static analysis -> AI-assisted taint analysis |
| Mapping: Dorks | Manual Google Dorks | Custom per-target queries find what automation misses |
| Discovery: Fuzz | ffuf -ac + cewl custom wordlist | Auto-calibrate filtering + target-specific words beat generic lists |
| Discovery: XSS | kxss -> dalfox | Filter (which params reflect?) -> scan (only reflective params) |
| Discovery: SQLi | ghauri | Modern blind SQLi on ID-like parameters |
| Discovery: SSRF | interactsh-client | Self-hosted OOB listener for blind SSRF/XXE/RCE |
| Discovery: WAF | wafw00f -> whatwaf | Identify WAF vendor -> test bypass techniques |
| Exploit: 403 | byp4xx or nomore403 | 20+ bypass techniques automated |
| Exploit: Takeover | subzy | Checks CNAME against 70+ vulnerable services |
| Exploit: Cloud | s3scanner + aws CLI | Scan bucket permissions -> extract metadata credentials |
| Exploit: Secrets | trufflehog --only-verified | Only verified working keys (no false positives) |
Session End Checklist
- [ ] Save all Burp/Caido project files
- [ ] Record any "weird but not yet exploitable" behaviors (future gadgets)
- [ ] Update notes with failed attempts (don't re-test with same techniques)
- [ ] Log findings with
/remember
Related Skills
shuvonsec/bug-bounty
tools
VerifiedTrustedCommunity
Complete bug bounty workflow — recon (subdomain enumeration, asset discovery, fingerprinting, HackerOne scope, source code audit), pre-hunt learning (disclosed reports, tech stack research, mind maps, threat modeling), vulnerability hunting (IDOR, SSRF, XSS, auth bypass, CSRF, race conditions, SQLi, XXE, file upload, business logic, GraphQL, HTTP smuggling, cache poisoning, OAuth, timing side-channels, OIDC, SSTI, subdomain takeover, cloud misconfig, ATO chains, agentic AI), LLM/AI security testing (chatbot IDOR, prompt injection, indirect injection, ASCII smuggling, exfil channels, RCE via code tools, system prompt extraction, ASI01-ASI10), A-to-B bug chaining (IDOR→auth bypass, SSRF→cloud metadata, XSS→ATO, open redirect→OAuth theft, S3→bundle→secret→OAuth), bypass tables (SSRF IP bypass, open redirect bypass, file upload bypass), language-specific grep (JS prototype pollution, Python pickle, PHP type juggling, Go template.HTML, Ruby YAML.load, Rust unwrap), and reporting (7-Question Gate, 4 validation gates, human-tone writing, templates by vuln class, CVSS 3.1, PoC generation, always-rejected list, conditional chain table, submission checklist). Use for ANY bug bounty task — starting a new target, doing recon, hunting specific vulns, auditing source code, testing AI features, validating findings, or writing reports. 中文触发词:漏洞赏金、安全测试、渗透测试、漏洞挖掘、信息收集、子域名枚举、XSS测试、SQL注入、SSRF、安全审计、漏洞报告
2,164SKILL.mdUpdated Apr 14, 2026
shuvonsec/bug-bounty
tools
VerifiedTrustedCommunity
Complete bug bounty workflow — recon (subdomain enumeration, asset discovery, fingerprinting, HackerOne scope, source code audit), pre-hunt learning (disclosed reports, tech stack research, mind maps, threat modeling), vulnerability hunting (IDOR, SSRF, XSS, auth bypass, CSRF, race conditions, SQLi, XXE, file upload, business logic, GraphQL, HTTP smuggling, cache poisoning, OAuth, timing side-channels, OIDC, SSTI, subdomain takeover, cloud misconfig, ATO chains, agentic AI), LLM/AI security testing (chatbot IDOR, prompt injection, indirect injection, ASCII smuggling, exfil channels, RCE via code tools, system prompt extraction, ASI01-ASI10), A-to-B bug chaining (IDOR→auth bypass, SSRF→cloud metadata, XSS→ATO, open redirect→OAuth theft, S3→bundle→secret→OAuth), bypass tables (SSRF IP bypass, open redirect bypass, file upload bypass), language-specific grep (JS prototype pollution, Python pickle, PHP type juggling, Go template.HTML, Ruby YAML.load, Rust unwrap), and reporting (7-Question Gate, 4 validation gates, human-tone writing, templates by vuln class, CVSS 3.1, PoC generation, always-rejected list, conditional chain table, submission checklist). Use for ANY bug bounty task — starting a new target, doing recon, hunting specific vulns, auditing source code, testing AI features, validating findings, or writing reports. 中文触发词:漏洞赏金、安全测试、渗透测试、漏洞挖掘、信息收集、子域名枚举、XSS测试、SQL注入、SSRF、安全审计、漏洞报告
2,051SKILL.mdUpdated Apr 19, 2026
shuvonsec/web2-vuln-classes
development
VerifiedTrustedCommunity
Complete reference for 20 web2 bug classes with root causes, detection patterns, bypass tables, exploit techniques, and real paid examples. Covers IDOR, auth bypass, XSS, SSRF (11 IP bypass techniques), SQLi, business logic, race conditions, OAuth/OIDC, file upload (10 bypass techniques), GraphQL, LLM/AI (ASI01-ASI10 agentic framework), API misconfig (mass assignment, JWT attacks, prototype pollution, CORS), ATO taxonomy (9 paths), SSTI (Jinja2/Twig/Freemarker/ERB/Spring), subdomain takeover, cloud/infra misconfigs, HTTP smuggling (CL.TE/TE.CL/H2.CL), cache poisoning, MFA bypass (7 patterns), SAML attacks (XSW/comment injection/signature stripping). Use when hunting a specific vuln class or studying what makes bugs pay.
2,051SKILL.mdUpdated Apr 14, 2026
shuvonsec/triage-validation
testing
VerifiedTrustedCommunity
Finding validation before writing any report — 7-Question Gate (all 7 questions), 4 pre-submission gates, always-rejected list, conditionally valid with chain table, CVSS 3.1 quick reference, severity decision guide, report title formula, 60-second pre-submit checklist. Use BEFORE writing any report. One wrong answer = kill the finding and move on. Saves N/A ratio.
2,051SKILL.mdUpdated Apr 14, 2026