SKILL

Bb Methodology

From claude-bug-bounty by @shuvonsec · View on GitHub

Use at the START of any bug bounty hunting session, when switching targets, or when feeling lost about what to do next. Master orchestrator that combines the 5-phase non-linear hunting workflow with the critical thinking framework (developer psychology, anomaly detection, What-If experiments). Routes to all other skills based on current hunting phase. Also use when asking "what should I do next" or "where am I in the process.

● INSTALL

This skill ships inside the claude-bug-bounty package. Install the package to get this skill plus everything else in the bundle.

sv install shuvonsec/claude-bug-bounty

● SKILL.MD

Bug Bounty Methodology: Workflow + Mindset

Master orchestrator for hunting sessions. Combines the 5-phase non-linear workflow with the critical thinking framework that separates top 1% hunters from the rest.

PART 1: MINDSET (How to Think)

Core Principle

Hunting is not "find a bug" -- it is "prove an attack scenario." Think like an attacker with a specific goal, not a scanner looking for patterns.

Daily Discipline: Define, Select, Execute

Before touching any tool:

Define: "Today I target [feature/domain] to achieve [CIA impact]"
Select: Choose 1-2 vuln classes (IDOR, Race Condition, etc.)
Execute: Focus ONLY on selected techniques. No wandering.

5 Ultimate Goals (Pick One Per Session)

Confidentiality -- steal data the attacker shouldn't see
Integrity -- modify data the attacker shouldn't change
Availability -- disrupt service (app-level DoS only)
Account Takeover -- control another user's account
RCE -- execute commands on the server

4 Thinking Domains

1. Critical Thinking (deep analysis)

Question trust boundaries:

Frontend control disabled? Send request directly via proxy
user_role=user cookie? Change to admin
price=1000 in POST? Change to 1
<script> blocked? Try

Reverse-engineer developer psychology:

Feature A has auth checks -> Similar feature B (newly added) probably doesn't
Complex flows (coupon + points + refund) -> Edge cases have bugs
/api/v2/user exists -> Does /api/v1/user still work with weaker auth?

What-If experiments:

Skip checkout -> hit /checkout/success directly
Skip 2FA -> navigate to /dashboard
Send coupon request 10x simultaneously -> Race condition?
Replace guid=f8a2... with id=100 on sibling endpoint -> IDOR?

2. Multi-Perspective (multiple angles)

Perspective	What to check
Horizontal (same role)	User A's token + User B's ID -> IDOR
Vertical (different role)	Regular user -> `/admin/deleteUser`
Data flow (proxy view)	Hidden params in JSON: `debug=false`, `discount_rate`
Time/State	Race conditions, post-delete session reuse
Client environment	Mobile UA -> legacy API with weaker auth
Business impact	"What's the $ damage if this breaks?"

3. Tactical Thinking (pattern detection)

Naming anomaly: userId everywhere but suddenly user_id -> different dev, weaker security
Error diff: Same 403 but different JSON structure -> different backend systems
Environment diff: Prod vs Dev/Staging -> debug headers, CSP disabled
Version diff: JS file before/after update -> new endpoints, removed params
Supply chain: Check framework/library versions for known CVEs
Third-party integration: Stripe/Auth0/Intercom -> webhook signature missing?

4. Strategic Thinking (big picture)

Asymmetry: Defender must patch ALL holes. You only need ONE.
Intuition engineering: Log why something "feels wrong." Verify later. Update mental DB.
Unknown management: Can't understand something? Add to "investigate later" list. Just-in-Time Learning.

Amateur vs Pro: 7-Phase Comparison

Phase	Amateur	Pro
Recon	Main domain only	Shadow IT, dev environments, all assets
Discovery	Look for errors	Look for design contradictions, business logic flaws
Exploit	Give up when blocked	Build filter-bypass payloads
Escalation	Report the phenomenon only	Chain to real harm (session steal, ATO)
Feasibility	Include unrealistic conditions	Minimize attack prerequisites
Reporting	State facts only	Quantify business risk
Retest	Check if old PoC fails	Analyze fix method, find incomplete patches

Two Approach Routes

Route A (Feature-based): "This feature is complex" -> deep-dive its input handling -> find vuln
Route B (Vuln-based): "I want IDOR" -> find endpoints with sequential IDs -> test access control

Anti-Patterns (Stop Doing These)

Program hopping: Stick with one target minimum 2 weeks / 30 hours
Tool-only hunting: Automation finds duplicates. Manual testing finds unique bugs.
Rabbit hole: Max 45 min per parameter. Set a timer. If stuck, sleep on it.
No goal: "Just looking around" = wasted time. Always Define first.

PART 2: WORKFLOW (What to Do)

The 5-Phase Non-Linear Flow

+-------------------------------------------------+
|                                                 |
|  +----------+    +----------+    +----------+   |
|  | 1. RECON |---+| 2. MAP   |---+| 3. FIND  |  |
|  +----------+    +-----+----+    +-----+-----+  |
|       ^                |               |         |
|       |                v               v         |
|       |          +----------+    +----------+    |
|       +----------| 4. PROVE |---+| 5. REPORT|   |
|                  +----------+    +----------+    |
|                                                  |
|  Non-linear: stuck at any phase -> go back       |
|  New API found at phase 3 -> return to phase 2   |
|  WAF blocks at phase 4 -> origin IP from phase 1 |
+-------------------------------------------------+

THIS IS NOT LINEAR. Move freely between phases. When stuck, return to a previous phase.

Phase 0: SESSION START (Every Time)

Before touching any tool, answer these:

Define: "Today I target [feature/domain] to achieve [C/I/A/ATO/RCE]"
Select: Choose 1-2 vuln classes (IDOR, XSS, SSRF, etc.)
Execute: Focus ONLY on selected techniques
Identity: Anonymous or authenticated? If the bugs you're hunting need a

session (IDOR, BOLA, privilege escalation, auth bypass, mass-assignment), load auth once at session start — see docs/auth-sessions.md. Then every downstream tool (httpx, katana, ffuf, nuclei, dalfox, PoC verifiers) sends those headers automatically and audit log entries are stamped with a stable session_id hash.

Route selection -- Wide or Deep?

Signal	Wide (recon sweep)	Deep (focused testing)
New program, first day	X
Wildcard scope `*.target.com`	X
Main webapp, been here >3 days		X
Scope update (new domain added)	X
Found interesting subdomain		X
Hunting IDOR / BOLA / auth bugs		X (auth-aware)

Phase 1: RECON

Goal: Maximize attack surface. Find what others missed.

Wide approach (initial sweep):

Subdomain enum -> DNS resolution -> HTTP probing -> Port scan -> Tech detect

Deep approach (targeted):

Google Dorks -> JS file download -> Hidden param discovery -> API mapping

What you find	Next action
Live subdomains with tech stack	Phase 2 (Mapping)
Known software (WordPress, Jira)	Check CVEs + defaults immediately
Cloud resources (S3, Firebase)	Test permissions (read/write/list)
Nothing after 5 min on a host	Skip, try next host (5-minute rule)

Command: /recon target.com

Phase 2: MAPPING & ANALYSIS

Goal: Understand the app like its developer does.

Checklist:

[ ] Map all endpoints (Burp/Caido sitemap + JS analysis)
[ ] Identify auth model (cookie, JWT, OAuth, SAML?)
[ ] Find business-critical flows (payment, registration, password reset, data export)
[ ] Download and analyze JS files for hidden routes, secrets, logic
[ ] Identify roles and permissions (user, admin, API keys)
[ ] Note "weird" behaviors (anomalies in naming, errors, timing)

What you find	Next action
JS files with interesting code	Taint analysis (Sink -> Source)
OAuth/SAML authentication	OAuth/SAML checklist
API with ID parameters	Phase 3, target IDOR
Complex business logic (payment, coupon)	Phase 3, target BizLogic
postMessage listeners	DOM analysis, postMessage-tracker

Phase 3: VULNERABILITY DISCOVERY

Goal: Find the bug. Use Error-based first, then Blind-based.

Decision flow based on what you're testing:

What input are you testing?
+-- ID parameter (user_id, order_id)
|   -> IDOR checklist
+-- Search/filter/sort field
|   -> SQLi, NoSQLi probing
+-- URL input / webhook / PDF gen
|   -> SSRF checklist
+-- Text field reflected in page
|   -> XSS (DOM or reflected)
+-- File upload
|   -> SVG XSS, web shell, path traversal
+-- Price/quantity/coupon
|   -> Business logic, race conditions
+-- Login / 2FA / password reset
|   -> Auth bypass
+-- Profile update API
|   -> Mass Assignment
+-- Template / wiki editor
|   -> SSTI
+-- Nothing obvious
    -> Fuzz with ffuf, try Error-based probing

Error vs Blind decision:

Try Error-based first (send ', ", {{77}}, ${77}) -- watch for 500 errors, stack traces
No error? Time-based (SLEEP(10), ; sleep 10;) -- watch response time
No time diff? OOB (curl attacker.com, interactsh) -- watch for DNS callback
Still nothing? Boolean (AND 1=1 vs AND 1=0) -- watch content-length diff

What you find	Next action
Low-impact behavior (redirect, self-XSS, cookie injection)	Chain it -- find a connector gadget
Confirmed vuln (XSS, IDOR, SQLi)	Phase 4 (Prove and Escalate)
Blocked by WAF/CSP/403	Bypass techniques, then retry
Known software vuln (CVE)	1-day speed workflow
Nothing after 20 min on this endpoint	Rotate (20-minute rule)

Phase 4: PROVE & ESCALATE

Goal: Prove maximum business impact. Turn Low into Critical.

Escalation decision:

What did you find?
+-- XSS
|   +-- Can steal cookie/token? -> Session hijack -> ATO
|   +-- Cookie is HttpOnly? -> Force email change via XHR -> ATO
|   +-- Self-XSS only? -> Find CSRF to trigger it
+-- IDOR
|   +-- Can read PII? -> Automate scraping, show scale
|   +-- Can change password/email? -> Direct ATO
|   +-- UUID only? -> Find UUID leak source, then retry
+-- SSRF
|   +-- DNS only? -> DON'T REPORT. Try cloud metadata
|   +-- Can reach 169.254.169.254? -> Extract keys -> RCE
|   +-- Internal port scan? -> Find Redis/K8s -> RCE
+-- SQLi
|   +-- Error-based? -> Extract data (passwords, tokens)
|   +-- Can INTO OUTFILE? -> Web shell -> RCE
|   +-- Blind? -> Boolean/Time extraction
+-- Open Redirect
|   +-- OAuth flow? -> Token theft -> ATO
|   +-- javascript: scheme? -> XSS
+-- Blocked by defense
|   -> Bypass (WAF/CSP/proxy/sanitizer/2FA)
+-- Low-impact, can't escalate alone
    -> Find connector gadget for chain

After proving impact, check:

[ ] Can attack work with 0-1 clicks? (minimize prerequisites)
[ ] Does it affect all users or specific role?
[ ] What's the business $ impact?

Phase 5: VALIDATE & REPORT

Goal: Get paid. Make triager's job easy.

Pre-report gate:

Run /validate (7-Question Gate)
+-- All 7 pass? -> Write report
+-- Any fail? -> KILL the finding. Don't waste time.
+-- Borderline? -> Run /triage for quick go/no-go

Report:

Run /report
+-- Platform-specific format (H1/Bugcrowd/Intigriti/Immunefi)
+-- Title: [Bug Class] in [Endpoint] allows [role] to [impact]
+-- Impact-first summary (sentence 1 = what attacker CAN do)
+-- Exact HTTP requests in Steps to Reproduce
+-- Under 600 words
+-- CVSS 3.1 score that MATCHES actual impact

After submission:

[ ] While waiting for triage: try to escalate further (A->B signal method)
[ ] If fix deployed: re-test for bypass (incomplete patch = new bug)
[ ] Record finding with /remember for hunt memory

PART 3: NAVIGATION & TIMING

Non-Linear Navigation Quick Reference

I'm stuck because...	Go to...
Can't find any subdomains	Phase 1: Try different recon sources, Google Dorks
Found subdomain but don't know what to test	Phase 2: Map the app, download JS, understand auth
Testing but nothing works	Phase 3: Switch vuln class (20-min rotation rule)
Found a bug but impact is low	Phase 4: Escalation paths or gadget chaining
WAF/CSP/403 blocking my payload	Bypass techniques, then return to current phase
Been stuck for 45 min on one param	STOP. Rabbit hole. Move to next endpoint.
New API endpoint discovered during testing	Return to Phase 2: map it before attacking
Found one bug	A->B signal: same dev made more mistakes. Hunt 20 min for siblings.

20-Minute Rotation Clock

Every 20 minutes ask yourself: "Am I making progress?"

Yes -> Continue
No -> Rotate to next: endpoint -> subdomain -> vuln class -> target
Been on same target 2+ weeks with no findings? -> Consider switching program

Tool Routing by Phase

Phase	Tools	Why this order
Recon: Subdomains	`subfinder` -> `amass` -> `puredns` -> `httpx`	Passive first (no detection) -> resolve DNS -> probe HTTP + tech stack
Recon: URLs	`gau` + `waymore` -> `katana` -> `uro`	Archive (forgotten endpoints) -> active crawl (JS-rendered) -> deduplicate
Recon: JS	`jsluice` + `mantra` + `trufflehog --only-verified`	Extract URLs/secrets -> find API keys -> verify keys actually work
Recon: Ports	`naabu` (wide) -> `rustscan` (deep)	Fast top-1000 sweep -> full 65535 on interesting targets
Recon: Scan	`nuclei -tags cve` -> `nuclei -tags takeover`	Known CVEs first -> then takeover (act immediately)
Mapping: Params	`arjun` + `paramspider` + ParamMiner	Brute-force hidden params + mine archives + cache headers
Mapping: JS code	Download -> `jsluice` -> VS Code/Cursor grep	Extract -> static analysis -> AI-assisted taint analysis
Mapping: Dorks	Manual Google Dorks	Custom per-target queries find what automation misses
Discovery: Fuzz	`ffuf -ac` + `cewl` custom wordlist	Auto-calibrate filtering + target-specific words beat generic lists
Discovery: XSS	`kxss` -> `dalfox`	Filter (which params reflect?) -> scan (only reflective params)
Discovery: SQLi	`ghauri`	Modern blind SQLi on ID-like parameters
Discovery: SSRF	`interactsh-client`	Self-hosted OOB listener for blind SSRF/XXE/RCE
Discovery: WAF	`wafw00f` -> `whatwaf`	Identify WAF vendor -> test bypass techniques
Exploit: 403	`byp4xx` or `nomore403`	20+ bypass techniques automated
Exploit: Takeover	`subzy`	Checks CNAME against 70+ vulnerable services
Exploit: Cloud	`s3scanner` + `aws` CLI	Scan bucket permissions -> extract metadata credentials
Exploit: Secrets	`trufflehog --only-verified`	Only verified working keys (no false positives)

Session End Checklist

[ ] Save all Burp/Caido project files
[ ] Record any "weird but not yet exploitable" behaviors (future gadgets)
[ ] Update notes with failed attempts (don't re-test with same techniques)
[ ] Log findings with /remember