---
title: Skill catalog
nav_order: 2
description: Searchable index of every skill in the bundle.
---

# Skill catalog

All **71 skills** in the bundle, grouped by domain. Each auto-loads when your prompt matches its trigger keywords — no need to invoke by name. Use your browser's find (⌘/Ctrl-F) or the docs search box.

> Generated by `scripts/gen_skill_catalog.py` — do not edit by hand.

## Hunt — web app vuln classes (48)

| Skill | What it does | Reports |
|---|---|---|
| `hunt-api-misconfig` | Hunt API security misconfiguration — mass assignment, JWT attacks, prototype pollution, HTTP verb tampering. | — |
| `hunt-aspnet` | Hunt ASP.NET-specific surface — ViewState deserialization (signed-only vs encrypted), machineKey recovery, dual-parser MAC-bypass anti-pattern, request-validator bypass, trace.axd/elmah.axd disclosure, load-balanced ViewState cross-node… | 1 |
| `hunt-ato` | Hunt account takeover taxonomy — 9 distinct paths to ATO, plus chains. | — |
| `hunt-auth-bypass` | Hunting skill for auth bypass vulnerabilities. | 12 |
| `hunt-brute-force` | Hunt Missing/Weak Rate Limiting — login brute force, OTP/2FA brute force (10^6), credential stuffing, username/email enumeration via error differences or timing, weak password policy, missing CAPTCHA, IP-based rate limit bypass via… | 33 |
| `hunt-business-logic` | Hunting skill for business logic vulnerabilities. | 12 |
| `hunt-cache-poison` | Hunting skill for cache poison vulnerabilities. | 10 |
| `hunt-cicd` | Hunt CI/CD pipeline vulnerabilities — GitHub Actions workflow injection (pull_request_target + untrusted input), Jenkins script console RCE, GitLab CI runner token exposure, Terraform state file leakage, artifact leakage, GitHub Actions… | 18 |
| `hunt-cloud-misconfig` | Hunt cloud / infrastructure misconfigurations. | — |
| `hunt-cors` | Hunt CORS Misconfiguration — wildcard with credentials, null origin, regex with subdomain trust, pre-flight bypass, postMessage origin checks. | 19 |
| `hunt-csrf` | Hunting skill for csrf vulnerabilities. | 15 |
| `hunt-deserialization` | Hunt Insecure Deserialization — Java gadget chains (ysoserial), PHP object injection (phpggc), Python pickle RCE, .NET BinaryFormatter, Ruby Marshal.load, JNDI/Log4Shell. | 22 |
| `hunt-dispatch` | Skill-set loader for /hunt orchestrator. | — |
| `hunt-dom` | Hunt client-side DOM vulnerabilities — DOM Clobbering (overwrite JS globals via HTML injection), PostMessage hijacking (missing origin check), Service Worker abuse (intercept requests), CSS Injection/Exfiltration (attribute selectors →… | 17 |
| `hunt-file-upload` | Hunt file upload bugs — RCE via webshell, XSS via SVG/HTML, SSRF via XXE in DOCX, path traversal via filename. | — |
| `hunt-graphql` | Hunting skill for graphql vulnerabilities. | 12 |
| `hunt-grpc` | Hunt gRPC vulnerabilities — server reflection enabled (enumerate all services/methods), missing authentication on internal endpoints, plaintext gRPC over HTTP/2, internal endpoint disclosure, proto file leakage, gRPC-Web proxy injection,… | 6 |
| `hunt-host-header` | Hunt Host Header Injection — password reset poisoning → ATO, cache poisoning via unkeyed host, X-Forwarded-Host injection, SSRF via Host header, routing-based SSRF, OAuth redirect_uri poisoning. | 16 |
| `hunt-http-smuggling` | Hunt HTTP request smuggling (CL.TE, TE.CL, H2.CL, H2.TE). | — |
| `hunt-idor` | Hunting skill for idor vulnerabilities. | 26 |
| `hunt-k8s` | Hunt Kubernetes and Docker specific vulnerabilities — Kubernetes API anonymous access, kubelet 10250 unauth exec, etcd 2379 unauth, dashboard exposure, RBAC misconfig, secret leakage, docker.sock exposure, privileged container escape,… | 13 |
| `hunt-laravel` | Hunt Laravel specific vulnerabilities — Debug mode leakage (APP_DEBUG=true exposes full stack trace + env vars), Laravel Telescope/Horizon dashboard unauthorized access, Ignition RCE (CVE-2021-3129), Signed URL manipulation, Queue Worker… | 14 |
| `hunt-ldap` | Hunt LDAP Injection and XPath Injection — authentication bypass, data exfiltration from Active Directory, directory traversal, AD user/group enumeration. | 8 |
| `hunt-lfi` | Hunt Local File Inclusion (LFI), Remote File Inclusion (RFI), and Path Traversal — /etc/passwd read, log poisoning → RCE, PHP wrappers, zip:// and phar:// chains, directory traversal read/write/delete. | 31 |
| `hunt-llm-ai` | Hunt LLM/AI feature bugs — prompt injection, indirect injection, exfiltration via tool-use, ASCII smuggling, agentic AI security framework (ASI01-ASI10). | — |
| `hunt-mfa-bypass` | Hunt MFA / 2FA bypass — 7 distinct patterns. | — |
| `hunt-misc` | Hunting skill for misc vulnerabilities. | 225 |
| `hunt-nextjs` | Hunt Next.js specific vulnerabilities — Server Actions arbitrary function execution, Middleware auth bypass via static asset paths, ISR cache poisoning, Image Optimization SSRF (/_next/image), RSC payload leakage, getServerSideProps… | 19 |
| `hunt-nodejs` | Hunt Node.js specific vulnerabilities — Prototype Pollution → RCE chains (lodash/merge/assign), Express trust proxy misconfiguration, child_process/eval injection, template engine SSTI (EJS/Pug/Handlebars), path traversal in file servers,… | 24 |
| `hunt-nosqli` | Hunt NoSQL Injection — MongoDB operator injection ($where, $regex, $gt, $ne), CouchDB, Redis command injection, auth bypass via NoSQLi, data dump. | 14 |
| `hunt-ntlm-info` | Hunt NTLM/Negotiate information disclosure on internet-reachable IIS/SharePoint/Exchange. | 1 |
| `hunt-oauth` | Hunting skill for oauth vulnerabilities. | 19 |
| `hunt-open-redirect` | Hunt Open Redirect — all types including low-impact, chained to OAuth token theft → ATO, phishing chains. | 28 |
| `hunt-race-condition` | Hunting skill for race condition vulnerabilities. | 12 |
| `hunt-rce` | Hunting skill for rce vulnerabilities. | 67 |
| `hunt-saml` | Hunt SAML / SSO attacks. | — |
| `hunt-session` | Hunt Session Management vulnerabilities — session fixation, session prediction (low entropy), insufficient invalidation on logout/password change, concurrent session abuse, JWT as session without expiry or revocation, cookie attribute… | 18 |
| `hunt-sharepoint` | Hunt Microsoft SharePoint Server (2013/2016/2019/Subscription Edition) on-prem farms — anonymous endpoint enumeration, version disclosure, legacy SOAP login bypass (Authentication.asmx), ToolShell precondition chain (CVE-2025-53770),… | 1 |
| `hunt-source-leak` | Hunt source code and build artifact leakage — JavaScript source maps (.js.map) reconstructing TypeScript/ES6 source, Swagger/OpenAPI JSON endpoint discovery, .env/.git exposure, webpack chunks with hardcoded secrets,… | 31 |
| `hunt-springboot` | Hunt Spring Boot specific vulnerabilities — Actuator endpoints (heapdump, env, loggers, mappings, shutdown), Spring Expression Language (SpEL) injection → RCE, H2 console RCE, Jolokia JMX exposure, Spring4Shell (CVE-2022-22965), Spring… | 16 |
| `hunt-sqli` | Hunting skill for sqli vulnerabilities. | 12 |
| `hunt-ssrf` | Hunting skill for ssrf vulnerabilities. | 15 |
| `hunt-ssti` | Hunt server-side template injection (SSTI) across Jinja2 (Flask/Django), Twig (Symfony), Freemarker (Java), ERB (Rails), Spring, Velocity, Mako, Thymeleaf, Smarty. | — |
| `hunt-subdomain` | Hunting skill for subdomain vulnerabilities. | 15 |
| `hunt-tls-network` | Hunt TLS/SSL and DNS misconfigurations — missing HSTS (downgrade attack), weak cipher suites, expired/invalid certificates, mTLS bypass, missing SPF/DKIM/DMARC (email spoofing), DNS Zone Transfer (AXFR), dangling CNAME subdomain takeover,… | 9 |
| `hunt-websocket` | Hunt WebSocket vulnerabilities — Cross-Site WebSocket Hijacking (CSWSH), missing authentication on WS handshake, message tampering, event authorization bypass, WS→HTTP request smuggling. | 11 |
| `hunt-xss` | Hunting skill for xss vulnerabilities. | 174 |
| `hunt-xxe` | Hunting skill for xxe vulnerabilities. | 10 |

## Enterprise platform attack (9)

| Skill | What it does | Reports |
|---|---|---|
| `apk-redteam-pipeline` | End-to-end Android APK red-team pipeline — automated APK acquisition (Play Store + apkpure + apkmirror fallback), jadx decompilation, secret/URL/JWT/Firebase grep, pinned-cert extraction, exported-component enumeration, Frida runtime… | 1 |
| `cloud-iam-deep` | Cloud IAM red-team attack chain across AWS, Azure, GCP — focused on EXTERNAL exploitation paths and post-credential-discovery privilege analysis. | 6 |
| `enterprise-vpn-attack` | External SSL VPN / remote-access appliance attack matrix — Cisco ASA/AnyConnect, Fortinet FortiGate/FortiOS, Citrix NetScaler/ADC, Palo Alto GlobalProtect, Pulse Secure / Ivanti Connect Secure, SonicWall, F5 Big-IP. | 1 |
| `m365-entra-attack` | Microsoft 365 / Entra ID red-team attack chain — current 2026 reality. | 1 |
| `meme-coin-audit` | Meme coin and token security audit — rug pull detection (honeypot, hidden mint, fee manipulation, LP lock bypass), Solana SPL token analysis (freeze authority, mint authority, metadata mutability), Token-2022 extension risks (transfer… | — |
| `okta-attack` | Okta-as-IdP red-team attack chain — tenant discovery, user enumeration (multiple vectors), authentication flow analysis (factors enumeration, push-notification fatigue, SMS bypass), password spray with lockout discipline, Okta-specific… | 8 |
| `supply-chain-attack-recon` | External recon for software supply-chain attack surface — package-namespace squatting candidates, dependency-confusion vulnerabilities, GitHub Actions injection openings, container image registry exposure, SBOM mining,… | 12 |
| `vmware-vcenter-attack` | VMware vSphere / vCenter Server external attack matrix — version fingerprinting, the high-impact CVE chain (CVE-2021-21972 vRealize unauth file upload, CVE-2021-21985 vSAN plugin RCE, CVE-2022-22954 Workspace ONE SSTI, CVE-2023-20887 Aria… | 10 |
| `web3-audit` | Smart contract security audit — 10 DeFi bug classes (accounting desync, access control, incomplete path, off-by-one, oracle, ERC4626, reentrancy, flash loan, signature replay, proxy), pre-dive kill signals (TVL < $500K etc), Foundry PoC… | — |

## Recon & OSINT (4)

| Skill | What it does | Reports |
|---|---|---|
| `offensive-osint` | Operational arsenal for authorized external red-team and bug-bounty recon. | — |
| `osint-methodology` | Comprehensive OSINT methodology for external red-team operations and authorized attack-surface assessments. | — |
| `security-arsenal` | Security payloads, bypass tables, wordlists, gf pattern names, always-rejected bug list, and conditionally-valid-with-chain table. | — |
| `web2-recon` | Web2 recon pipeline — subdomain enumeration (subfinder, Chaos API, assetfinder), live host discovery (dnsx, httpx), URL crawling (katana, waybackurls, gau), directory fuzzing (ffuf), JS analysis (LinkFinder, SecretFinder), continuous… | — |

## Methodology & mindset (4)

| Skill | What it does | Reports |
|---|---|---|
| `bb-local-toolkit` | Complete bug bounty workflow — recon (subdomain enumeration, asset discovery, fingerprinting, HackerOne scope, source code audit), pre-hunt learning (disclosed reports, tech stack research, mind maps, threat modeling), vulnerability… | — |
| `bb-methodology` | Use at the START of any bug bounty hunting session, when switching targets, or when feeling lost about what to do next. | — |
| `bug-bounty` | Complete bug bounty workflow — recon (subdomain enumeration, asset discovery, fingerprinting, HackerOne scope, source code audit), pre-hunt learning (disclosed reports, tech stack research, mind maps, threat modeling), vulnerability… | — |
| `redteam-mindset` | Red-team operator discipline — the mindset corrections that separate offensive testing from defensive WAPT. | 1 |

## Reporting & validation (6)

| Skill | What it does | Reports |
|---|---|---|
| `bugcrowd-reporting` | Bugcrowd-specific reporting tactics complementing report-writing: VRT category search-and-fallback strategy when no exact match exists, manual severity override when VRT defaults underrate impact, severity-request paragraph as first body… | — |
| `evidence-hygiene` | Evidence-capture and PoC-redaction discipline for bug-bounty submissions: cookie redaction protocol (which fields to mask, Preview annotation / Burp panel hiding / DevTools workflow), PII black-bar discipline (what to mask in other-user… | — |
| `mid-engagement-ir-detection` | Methodology for detecting client SOC patches, attacker activity, and security-state changes that occur DURING a red-team engagement — and converting those observations into deliverable findings. | 1 |
| `redteam-report-template` | Client-facing red-team deliverable format — codifies the Subject / Observations / Description / Impact / Recommendation / PoC structure used for external red-team engagements (not bug-bounty platform reports). | 1 |
| `report-writing` | Bug bounty report writing for H1/Bugcrowd/Intigriti/Immunefi — report templates, human tone guidelines, impact-first writing, CVSS 3.1 scoring, title formula, impact statement formula, severity decision guide, downgrade counters,… | — |
| `triage-validation` | Finding validation before writing any report — 7-Question Gate (all 7 questions), 4 pre-submission gates, always-rejected list, conditionally valid with chain table, CVSS 3.1 quick reference, severity decision guide, report title formula,… | — |