Explore skills
hunt-business-logic
A skill for hunting business logic vulnerabilities, built from 12 public bug bounty reports. It covers issues like coupon-race-stacking, negative-quantity price tampering, decimal/fraction price-field overflow, client-side checkout amount trust, price-per-unit mass-assignment, and archived-price swap.
hunt-cloud-misconfig
Identifies and exploits cloud/infrastructure misconfigurations across AWS, GCP, and Azure, such as public storage buckets, exposed services, and leaked credentials.
hunt-csrf
A skill for hunting CSRF vulnerabilities, developed from 15 public bug bounty reports and covering modern variants of the attack.
hunt-llm-ai
Identify LLM/AI feature bugs like prompt injection, indirect injection, exfiltration via tool-use, and ASCII smuggling, covering patterns such as direct injection in user input and indirect injection through model-read documents.
hunt-ntlm-info
This skill identifies NTLM/Negotiate information disclosure on internet-reachable IIS/SharePoint/Exchange servers. It captures anonymous NTLM Type-2 challenges to leak sensitive internal network details and AD timestamps, often indicating lazy provisioning via default hostnames.
offensive-osint
An operational arsenal for authorized external red-team and bug-bounty reconnaissance. It provides concrete probes, wordlists, regexes, dorks, and curl one-liners for subdomain enumeration, GraphQL/Swagger/REST discovery, identity fabric (Entra/Okta/ADFS/Google/SAML/M365), cloud bucket enumeration (S3/GCS/Azure), CDN/WAF bypass, origin discovery, and vendor fingerprinting.
hunt-saml
This skill detects SAML/SSO attacks, such as XML Signature Wrapping (XSW1-XSW8), NameID comment injection, signature stripping, and key confusion, which exploit vulnerabilities in SAML assertion and signature processing.
hunt-sharepoint
This skill hunts on-prem Microsoft SharePoint Server farms (2013/2016/2019/Subscription Edition) to discover vulnerabilities. It performs anonymous endpoint enumeration, version disclosure, legacy SOAP login bypass, and exploits specific CVEs, including those in end-of-life systems.
hunt-ssrf
A skill designed to hunt for SSRF vulnerabilities, developed from 15 public bug bounty reports. It covers various types including AWS, GCP, and Azure metadata SSRF, as well as DNS rebinding SSRF.
hunt-subdomain
A skill for hunting subdomain vulnerabilities, built from 15 public bug bounty reports. It includes modern provider fingerprints for services like Microsoft Azure DevOps, Zendesk, Vercel, and AWS, detailing specific takeover methods.
osint-methodology
Comprehensive OSINT methodology for external red-team operations and authorized attack-surface assessments, covering a 5-stage recon pipeline, 29 asset types, severity rubric, confidence workflows, time budgeting, and asset-level triage.
redteam-mindset
Red-team operator discipline involves mindset corrections that distinguish offensive testing from defensive WAPT. This approach, developed from authorized red-team work, addresses how conservative defaults can lead to missed findings. Apply it at the start of any red-team engagement and whenever you feel stuck on a defended target.