Explore skills
4,846 skills found
evidence-hygiene
Evidence-capture and PoC-redaction discipline for bug-bounty submissions, covering cookie redaction protocols, PII black-bar discipline, and HAR file sanitization.
hunt-aspnet
Hunts ASP.NET-specific vulnerabilities like ViewState deserialization, machineKey recovery, MAC-bypass anti-patterns, and request-validator bypass. It also targets information disclosure, load-balanced ViewState failures, and classic Webforms attack surfaces.
hunt-cache-poison
Hunting skill for cache-poisoning vulnerabilities. Built from 10 public bug bounty reports including X-Forwarded-Host poisoning, X-HTTP-Method-Override / GCS cache, reflected→stored XSS via cache, classic Omer-Gil Web Cache Deception, Cloudflare Cache Deception Armor bypass, session-token cache deception, Akamai hop-by-hop smuggling → server-side edge poisoning, and Kettle's 2024 path-normalization W.
okta-attack
An Okta-as-IdP red-team attack chain, encompassing tenant discovery, user and MFA enumeration, authentication flow analysis, password spraying, Okta-specific phishing, and post-compromise admin API surface exploitation.
hunt-ssti
Detects server-side template injection (SSTI) across various engines like Jinja2, Twig, and Freemarker. It uses server-side evaluated math expressions for detection and escalates to RCE via engine-specific patterns once identified.
redteam-report-template
This skill codifies a client-facing red-team deliverable format, detailing the Subject, Observations, Description, Impact, Recommendation, and PoC structure for external engagements. The deliverable originates from an authorized engagement, and its audience and tone differ from those of bug-bounty reports.
security-arsenal
Provides security payloads, bypass tables, wordlists, gf pattern names, bug lists, and conditionally-valid-with-chain tables. Use it for specific payloads for vulnerabilities like XSS/SSRF/SQLi, bypass techniques, or to check a finding's submittability and what not to submit.
triage-validation
This skill provides a rigorous validation process for security findings, featuring a 7-Question Gate and pre-submission checks, designed to be used before writing any report to prevent invalid submissions and improve efficiency.
bugcrowd-reporting
Bugcrowd-specific reporting tactics complement report-writing, covering VRT category search-and-fallback, manual severity override, and a severity-request paragraph. It also includes OOS-clause rebuttal templates for issues like rate limiting on auth-flow endpoints and user enumeration with sensitive PII.
cloud-iam-deep
A Cloud IAM red-team attack chain across AWS, Azure, and GCP, focusing on external exploitation and post-credential-discovery privilege analysis. It covers IAM enumeration, STS/AssumeRole chaining, Azure Managed Identity abuse, GCP service account JSON abuse, IMDSv1/v2 attacks, and K8s ServiceAccount token exfiltration.
enterprise-vpn-attack
This skill provides an attack matrix for external SSL VPN/remote-access appliances (Cisco ASA, Fortinet FortiGate, Citrix NetScaler, Palo Alto GlobalProtect, Pulse Secure, SonicWall, F5 Big-IP). It covers version fingerprinting, CVEs (2018-2026), default credentials, configuration disclosure, and pre-authentication exploits like RCE/SSRF/path-traversal.
hunt-ato
Account takeover (ATO) taxonomy outlining 9 distinct paths, including password reset flaws, email change without re-authentication, OAuth account-link CSRF, MFA bypass, session fixation, and JWT manipulation.