Published skills
bb-local-toolkit
This skill details a complete bug bounty workflow, encompassing reconnaissance, pre-hunt learning, and vulnerability hunting for a wide range of common web exploits like IDOR, XSS, and SQLi.
bug-bounty
A complete bug bounty workflow encompassing reconnaissance (subdomain enumeration, asset discovery, fingerprinting), pre-hunt learning (disclosed reports, tech stack research), and vulnerability hunting for various issues including IDOR, SSRF, XSS, SQLi, and advanced techniques like GraphQL and HTTP smuggling.
hunt-oauth
Hunting skill for OAuth vulnerabilities, built from 19 public bug bounty reports. Use when hunting OAuth on any target.
evidence-hygiene
Evidence-capture and PoC-redaction discipline for bug-bounty submissions, covering cookie redaction protocols, PII black-bar discipline, and HAR file sanitization.
hunt-aspnet
Hunts ASP.NET-specific vulnerabilities like ViewState deserialization, machineKey recovery, MAC-bypass anti-patterns, and request-validator bypass. It also targets information disclosure, load-balanced ViewState failures, and classic Webforms attack surfaces.
hunt-auth-bypass
Hunting skill for authentication bypass vulnerabilities. Developed from 12 public bug bounty reports, covering SAML XSW/parser-differential, SAML signature stripping, SAML domain enforcement bypass, cross-IdP assertion reuse, and WordPress XMLRPC SSO bypass.
hunt-cache-poison
Hunting skill for cache poisoning vulnerabilities. Built from 10 public bug bounty reports including X-Forwarded-Host poisoning, X-HTTP-Method-Override / GCS cache, reflected→stored XSS via cache, classic Omer Gil Web Cache Deception, Cloudflare Cache Deception Armor bypass, session-token cache deception, Akamai hop-by-hop smuggling → server-side edge poisoning, and Kettle's 2024 path-normalization W.
hunt-file-upload
Discover file upload vulnerabilities like RCE, XSS, SSRF, and path traversal, and learn 10 bypass techniques including double extensions, magic byte spoofing, and .htaccess uploads.
hunt-http-smuggling
HTTP request smuggling (CL.TE, TE.CL, H2.CL, H2.TE) arises when a front-end proxy and a back-end server disagree on where one request ends and the next begins, because they resolve conflicting Content-Length and Transfer-Encoding headers (or an HTTP/2-to-HTTP/1.1 downgrade) differently; the bytes one hop treats as trailing body, the other treats as the start of the next request.
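A model of the CL.TE and TE.CL desynchronisation described above, added here as an illustration and not code from the skill: two toy framers, one trusting Content-Length and one trusting Transfer-Encoding, are run over a constructed request, and whatever the back-end framer leaves unconsumed is the smuggled prefix of the next request. The request bytes, the host name and the function names are assumptions made for the example; a `None` result stands for the hop blocking on a socket that will never deliver more bytes, which is the signal the timing-based detection probe relies on.

```python
# Added example (not part of the skill catalogue): model a CL.TE / TE.CL
# desync with two toy request framers and report what the back-end is left
# holding. Request bytes and host name are constructed for illustration.

# CL.TE: the 13-byte body is "0\r\n\r\nSMUGGLED"; a Content-Length reader
# forwards all of it, a chunked reader stops after the 0 chunk.
CL_TE_REQUEST = (
    b"POST / HTTP/1.1\r\n"
    b"Host: vulnerable.example\r\n"
    b"Content-Length: 13\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"0\r\n"
    b"\r\n"
    b"SMUGGLED"
)

# TE.CL: a chunked reader forwards the whole chunk stream, a Content-Length
# reader takes only "8\r\n" as the body.
TE_CL_REQUEST = (
    b"POST / HTTP/1.1\r\n"
    b"Host: vulnerable.example\r\n"
    b"Content-Length: 3\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"8\r\n"
    b"SMUGGLED\r\n"
    b"0\r\n"
    b"\r\n"
)


def parse_head(raw):
    """Split a raw HTTP/1.1 request into (lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    return headers, body


def body_end_by_cl(headers, body):
    """A parser that trusts Content-Length: the body ends after CL bytes.
    Returns None when fewer bytes than CL have arrived (the parser blocks)."""
    n = int(headers.get(b"content-length", b"0"))
    return n if n <= len(body) else None


def body_end_by_te(headers, body):
    """A parser that trusts Transfer-Encoding: chunked: the body ends after
    the zero-size chunk and its CRLF (no trailer section assumed). Returns
    None when the chunk stream is incomplete (the parser blocks)."""
    if b"chunked" not in headers.get(b"transfer-encoding", b""):
        return body_end_by_cl(headers, body)
    pos = 0
    try:
        while True:
            line_end = body.index(b"\r\n", pos)
            size = int(body[pos:line_end].split(b";")[0], 16)   # drop chunk extensions
            pos = line_end + 2
            if size == 0:
                return pos + 2                  # empty line terminating the body
            pos += size + 2                     # chunk data plus trailing CRLF
    except ValueError:                          # no CRLF yet: more bytes needed
        return None


FRAMERS = {"CL": body_end_by_cl, "TE": body_end_by_te}


def desync(raw, front, back):
    """Forward what the front-end ("CL" or "TE") considers one request, then
    frame it the way the back-end does. Returns the bytes the back-end keeps
    as the start of the *next* request, b"" when both hops agree, or None
    when a hop is left waiting for data that never comes."""
    headers, body = parse_head(raw)
    front_end = FRAMERS[front](headers, body)
    if front_end is None:
        return None
    forwarded = body[:front_end]
    back_end = FRAMERS[back](headers, forwarded)
    if back_end is None:
        return None
    return forwarded[back_end:]


def is_ambiguous(raw):
    """The check a hardened front-end applies before forwarding: a request
    carrying both framing headers is rejected (RFC 7230 section 3.3.3)
    instead of being passed on for two hops to interpret differently."""
    headers, _ = parse_head(raw)
    return b"content-length" in headers and b"transfer-encoding" in headers


if __name__ == "__main__":
    print("CL.TE leftover:", desync(CL_TE_REQUEST, "CL", "TE"))   # b'SMUGGLED'
    print("TE.CL leftover:", desync(TE_CL_REQUEST, "TE", "CL"))   # b'SMUGGLED\r\n0\r\n\r\n'
    print("timing probe  :", desync(TE_CL_REQUEST, "CL", "TE"))   # None: back-end hangs
```

Running the CL.TE request through a CL front-end and a TE back-end leaves `SMUGGLED` in the back-end buffer, which is prepended to the next request on that connection; swapping the roles with the TE.CL request leaves the chunk stream behind instead. Feeding the TE.CL request to a CL front-end and a TE back-end starves the back-end (it has seen a chunk size of 8 but only three body bytes), which is why a delayed response to that probe is the classic CL.TE indicator.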
hunt-idor
Hunting skill for IDOR vulnerabilities, built from 26 public bug bounty reports. Use when hunting IDOR on any target.
hunt-mfa-bypass
This skill identifies 7 distinct MFA/2FA bypass patterns, including unenforced MFA on sensitive endpoints, step skipping, token replay, brute-forcing OTPs, race conditions, and issues with recovery codes.
hunt-misc
A skill for hunting miscellaneous vulnerabilities, built from 225 public bug bounty reports, for use on any target.
okta-attack
An Okta-as-IdP red-team attack chain, encompassing tenant discovery, user and MFA enumeration, authentication flow analysis, password spraying, Okta-specific phishing, and post-compromise admin API surface exploitation.
hunt-sqli
A skill for hunting SQLi vulnerabilities, developed from 12 public bug bounty reports. It covers modern NoSQL injection, ORM raw-fragment SQLi, second-order SOQL injection, time-based blind SQLi in GraphQL resolvers, and SQLi on OIDC-p.
hunt-ssti
Detects server-side template injection (SSTI) across various engines like Jinja2, Twig, and Freemarker. It uses server-side evaluated math expressions for detection and escalates to RCE via engine-specific patterns once identified.
hunt-xss
A skill for hunting XSS vulnerabilities, built from 174 public bug bounty reports. Use it when searching for XSS on any target.
m365-entra-attack
This skill details a Microsoft 365 / Entra ID red-team attack chain, reflecting current 2026 realities, covering AADSTS codes, user enumeration, Smart Lockout math, Conditional Access bypass, ROPC + SAML SSO flows, and Burp/Playwright templates. It's derived from authorized red-team operations that uncovered pre-existing lockouts and CA-blocked credentials, combined with real-time external attacker observations.
redteam-report-template
This skill codifies a client-facing red-team deliverable format, detailing the Subject, Observations, Description, Impact, Recommendation, and PoC structure for external engagements. Its audience and tone differ from those of bug-bounty reports; it originates from an authorized engagement.
security-arsenal
Provides security payloads, bypass tables, wordlists, gf pattern names, bug lists, and conditionally-valid-with-chain tables. Use it for specific payloads for vulnerabilities like XSS/SSRF/SQLi, bypass techniques, or to check a finding's submittability and what not to submit.
triage-validation
This skill provides a rigorous validation process for security findings, featuring a 7-Question Gate and pre-submission checks, designed to be used before writing any report to prevent invalid submissions and improve efficiency.
web2-recon
This Web2 reconnaissance pipeline covers subdomain enumeration, live host discovery, URL crawling, directory fuzzing, and JavaScript analysis, alongside continuous monitoring for new subdomains and code changes. It's ideal for initial recon on any Web2 target or for asset and subdomain discovery.
apk-redteam-pipeline
An end-to-end Android APK red-team pipeline for automated acquisition, decompilation, secret extraction, component enumeration, and runtime instrumentation, developed during an authorized external red-team engagement.
bb-methodology
Use this master orchestrator at the start of any bug bounty hunting session, when switching targets, or when feeling lost. It combines a 5-phase non-linear hunting workflow with a critical thinking framework (developer psychology, anomaly detection, What-If experiments), routing to other skills based on the current hunting phase.
bugcrowd-reporting
Bugcrowd-specific reporting tactics complement report-writing, covering VRT category search-and-fallback, manual severity override, and a severity-request paragraph. It also includes OOS-clause rebuttal templates for issues like rate limiting on auth-flow endpoints and user enumeration with sensitive PII.
cloud-iam-deep
A Cloud IAM red-team attack chain across AWS, Azure, and GCP, focusing on external exploitation and post-credential-discovery privilege analysis. It covers IAM enumeration, STS/AssumeRole chaining, Azure Managed Identity abuse, GCP service account JSON abuse, IMDSv1/v2 attacks, and K8s ServiceAccount token exfiltration.
enterprise-vpn-attack
This skill provides an attack matrix for external SSL VPN/remote-access appliances (Cisco ASA, Fortinet FortiGate, Citrix NetScaler, Palo Alto GlobalProtect, Pulse Secure, SonicWall, F5 Big-IP). It covers version fingerprinting, CVEs (2018-2026), default credentials, configuration disclosure, and pre-authentication exploits like RCE/SSRF/path-traversal.
hunt-api-misconfig
Identifies and exploits API security misconfigurations such as mass assignment, JWT attacks, prototype pollution, CORS misconfiguration, and HTTP verb tampering.
hunt-ato
Account takeover (ATO) taxonomy outlining 9 distinct paths, including password reset flaws, email change without re-authentication, OAuth account-link CSRF, MFA bypass, session fixation, and JWT manipulation.
hunt-business-logic
A skill for hunting business logic vulnerabilities, built from 12 public bug bounty reports. It covers issues like coupon-race-stacking, negative-quantity price tampering, decimal/fraction price-field overflow, client-side checkout amount trust, price-per-unit mass-assignment, and archived-price swap.
hunt-cloud-misconfig
Identifies and exploits cloud/infrastructure misconfigurations across AWS, GCP, and Azure, such as public storage buckets, exposed services, and leaked credentials.
hunt-csrf
Skill for hunting CSRF vulnerabilities, developed from 15 public bug bounty reports including modern variants.
hunt-dispatch
Skill-set loader for the /hunt orchestrator. It fingerprints the target, selects appropriate platform attack skills, and loads either the Red Team or WAPT skill set. Used when /hunt receives a mode answer to load relevant skills and print the taxonomy, and is not for direct user invocation.
hunt-graphql
Hunting skill for GraphQL vulnerabilities, built from 12 public bug bounty reports covering various IDORs, SSRF, DoS, SQLi, broken authorization, and PII exposure. Use this skill when hunting GraphQL on any target.
hunt-llm-ai
Identify LLM/AI feature bugs like prompt injection, indirect injection, exfiltration via tool-use, and ASCII smuggling, covering patterns such as direct injection in user input and indirect injection through model-read documents.
hunt-ntlm-info
This skill identifies NTLM/Negotiate information disclosure on internet-reachable IIS/SharePoint/Exchange servers. It sends an unauthenticated NTLM Type-1 (NEGOTIATE) message and reads the server's Type-2 (CHALLENGE) reply, whose TargetInfo block and Version field disclose internal NetBIOS/DNS host and domain names, the OS build, and a server timestamp; default hostnames in that data often indicate lazy provisioning.
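The probe and the parser for the exchange described above, added here as an example and not code from the skill: `build_type1()` produces the minimal NEGOTIATE message sent as the `Authorization:` header, and `parse_type2()` walks the CHALLENGE's fixed header, Version field and TargetInfo AV pairs to recover the disclosed names, build number and FILETIME timestamp. The sample CHALLENGE is constructed for the example (host `WEB01`, domain `corp.internal`, build 17763 and the challenge bytes are all made up); the HTTP request itself is not performed here.

```python
import base64
import struct
from datetime import datetime, timedelta, timezone

# Added example (not part of the skill catalogue): build the anonymous NTLM
# NEGOTIATE (Type-1) probe and parse the CHALLENGE (Type-2) a server returns.
# The sample CHALLENGE below is constructed; host, domain and build are made up.

NEGOTIATE_UNICODE = 0x00000001
NEGOTIATE_VERSION = 0x02000000
AV_NAMES = {1: "netbios_computer", 2: "netbios_domain", 3: "dns_computer",
            4: "dns_domain", 5: "dns_tree", 7: "timestamp"}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def build_type1():
    """Minimal NEGOTIATE message: flags 0x00088207, empty domain/workstation."""
    return b"NTLMSSP\x00" + struct.pack("<II", 1, 0x00088207) + b"\x00" * 16


def type1_authorization_header():
    """Value to send as `Authorization:` to an NTLM-enabled IIS endpoint."""
    return "NTLM " + base64.b64encode(build_type1()).decode()


def _field(msg, offset):
    """Read an NTLM (Len, MaxLen, Offset) descriptor and return its payload."""
    ln, _maxlen, off = struct.unpack_from("<HHI", msg, offset)
    return msg[off:off + ln]


def parse_type2(msg):
    """Extract target name, server challenge, OS version and TargetInfo AV pairs."""
    if msg[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", msg, 8)[0] != 2:
        raise ValueError("not an NTLM CHALLENGE message")
    flags = struct.unpack_from("<I", msg, 20)[0]
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"
    info = {"target_name": _field(msg, 12).decode(enc),
            "server_challenge": msg[24:32].hex()}
    if flags & NEGOTIATE_VERSION:                      # Version field sits at offset 48
        major, minor, build = struct.unpack_from("<BBH", msg, 48)
        info["os_version"] = f"{major}.{minor}.{build}"
    target_info, pos = _field(msg, 40), 0
    while pos + 4 <= len(target_info):
        av_id, av_len = struct.unpack_from("<HH", target_info, pos)
        value = target_info[pos + 4:pos + 4 + av_len]
        pos += 4 + av_len
        if av_id == 0:                                  # MsvAvEOL
            break
        if av_id == 7:                                  # MsvAvTimestamp, 64-bit FILETIME
            ft = struct.unpack("<Q", value)[0]
            info["timestamp"] = (FILETIME_EPOCH + timedelta(microseconds=ft // 10)).isoformat()
        elif av_id in AV_NAMES:                         # names are always UTF-16LE
            info[AV_NAMES[av_id]] = value.decode("utf-16-le")
    return info


def parse_www_authenticate(header):
    """Parse a `WWW-Authenticate: NTLM <base64>` response header value."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token:
        raise ValueError("no NTLM challenge in header")
    return parse_type2(base64.b64decode(token))


def build_sample_type2():
    """Constructed CHALLENGE resembling an IIS reply (all values made up)."""
    def u16(s):
        return s.encode("utf-16-le")

    def av(av_id, value):
        return struct.pack("<HH", av_id, len(value)) + value

    when = datetime(2024, 1, 15, 10, 30, tzinfo=timezone.utc) - FILETIME_EPOCH
    filetime = (when.days * 86400 + when.seconds) * 10_000_000   # 100 ns ticks
    target = u16("CORP")
    target_info = (av(2, u16("CORP")) + av(1, u16("WEB01")) + av(4, u16("corp.internal"))
                   + av(3, u16("web01.corp.internal")) + av(5, u16("corp.internal"))
                   + av(7, struct.pack("<Q", filetime)) + av(0, b""))
    flags = (NEGOTIATE_VERSION | 0x00080000 | 0x00008000 | 0x00000200
             | 0x00000004 | NEGOTIATE_UNICODE)
    payload_offset = 56                                 # fixed header incl. Version
    return (b"NTLMSSP\x00" + struct.pack("<I", 2)
            + struct.pack("<HHI", len(target), len(target), payload_offset)
            + struct.pack("<I", flags)
            + bytes.fromhex("0123456789abcdef") + b"\x00" * 8           # challenge, reserved
            + struct.pack("<HHI", len(target_info), len(target_info), payload_offset + len(target))
            + struct.pack("<BBH", 10, 0, 17763) + b"\x00\x00\x00\x0f"   # Windows 10.0.17763
            + target + target_info)


def sample_www_authenticate():
    """The header a server would return for the constructed CHALLENGE."""
    return "NTLM " + base64.b64encode(build_sample_type2()).decode()


if __name__ == "__main__":
    print(type1_authorization_header())
    for key, value in parse_www_authenticate(sample_www_authenticate()).items():
        print(f"{key:17} {value}")
```

Against a live target the flow is one anonymous request carrying `type1_authorization_header()` to an NTLM-enabled path; a 401 whose `WWW-Authenticate` value starts with `NTLM ` followed by a token is handed to `parse_www_authenticate()`. The DNS and NetBIOS names identify the internal domain and host, `os_version` the patch baseline, and `timestamp` the server clock; a host name such as the default `WIN-` prefix in `netbios_computer` is the provisioning tell the skill description refers to.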
hunt-race-condition
A skill for hunting race condition vulnerabilities, developed from 12 public bug bounty reports. It covers modern HTTP/2 single-packet attack cases and common scenarios like coupon double-redemption, gift-card double-spend, MFA-OTP-validate race, account-create race, and crypto token double-spend.
offensive-osint
An operational arsenal for authorized external red-team and bug-bounty reconnaissance. It provides concrete probes, wordlists, regexes, dorks, and curl one-liners for subdomain enumeration, GraphQL/Swagger/REST discovery, identity fabric (Entra/Okta/ADFS/Google/SAML/M365), cloud bucket enumeration (S3/GCS/Azure), CDN/WAF bypass, origin discovery, and vendor fingerprinting.
hunt-saml
This skill detects SAML/SSO attacks, such as XML Signature Wrapping (XSW1-XSW8), NameID comment injection, signature stripping, and key confusion, which exploit vulnerabilities in SAML assertion and signature processing.
hunt-sharepoint
This skill hunts on-prem Microsoft SharePoint Server farms (2013/2016/2019/Subscription Edition) to discover vulnerabilities. It performs anonymous endpoint enumeration, version disclosure, legacy SOAP login bypass, and exploits specific CVEs, including those in end-of-life systems.
hunt-ssrf
A skill designed to hunt for SSRF vulnerabilities, developed from 15 public bug bounty reports. It covers various types including AWS, GCP, and Azure metadata SSRF, as well as DNS rebinding SSRF.
hunt-subdomain
A skill for hunting subdomain vulnerabilities, built from 15 public bug bounty reports. It includes modern provider fingerprints for services like Microsoft Azure DevOps, Zendesk, Vercel, and AWS, detailing specific takeover methods.
hunt-xxe
This skill is designed for hunting XXE vulnerabilities, built from 10 public bug bounty reports covering various types like OOB, LFI, SSRF, and RCE chains. Use it on any target, emphasizing out-of-band detection.
meme-coin-audit
This skill performs security audits for meme coins and tokens, detecting rug pulls, analyzing Solana SPL tokens, and identifying Token-2022 extension risks. It also covers DEX liquidity pool attacks and integration risks with platforms like pump.fun, Raydium, and Jupiter.
mid-engagement-ir-detection
Methodology for detecting client SOC patches, attacker activity, and security-state changes during a red-team engagement, converting these observations into deliverable findings. This approach is based on real red-team work where clients patched vulnerabilities quickly and external attackers were active.
osint-methodology
Comprehensive OSINT methodology for external red-team operations and authorized attack-surface assessments, covering a 5-stage recon pipeline, 29 asset types, severity rubric, confidence workflows, time budgeting, and asset-level triage.
redteam-mindset
Red-team operator discipline involves mindset corrections that distinguish offensive testing from defensive WAPT. This approach, developed from authorized red-team work, addresses how conservative defaults can lead to missed findings. Apply it at the start of any red-team engagement and whenever you feel stuck on a defended target.
vmware-vcenter-attack
This document outlines the VMware vSphere/vCenter Server external attack matrix, covering version fingerprinting, a chain of high-impact CVEs (including unauthenticated file upload, RCE, SSTI, and APT-exploited vulnerabilities), default credentials, SSO configuration disclosure, and vmdir LDAP enumeration.
web3-audit
Smart contract security audit covering 10 DeFi bug classes (accounting desync, access control, etc.), pre-audit kill signals, Foundry PoC template, grep patterns, and Immunefi examples. Useful for Solidity/Rust audits or evaluating DeFi targets.