hunt-auth-bypass

Solid

Hunting skill for auth bypass vulnerabilities. Built from 12 public bug bounty reports across SAML XSW / parser-differential (GitHub Enterprise CVE-2025-25291/25292), SAML signature stripping (Uber, Rocket.Chat, samlify CVE-2025-47949), SAML domain enforcement bypass via control characters (HackerOne 2024), partner-portal cross-IdP assertion reuse (Slack), WordPress XMLRPC bypassing SSO (Uber), JWT alg-confusion HS256/RS256 (Jitsi), JWT signature-validation skip (Linktree, Newspack), and token-audience confusion (Argo CD CVE-2023-22482). Use when hunting auth bypass — see the Legacy-Protocol Matrix for branded-UI vs legacy-endpoint patterns.

Data & Documents 1,380 stars 195 forks Updated 4 days ago NOASSERTION

Install

View on GitHub

Quality Score: 85/100

Stars 20%
100
Recency 20%
100
Frontmatter 20%
70
Documentation 15%
100
Issue Health 10%
80
License 10%
100
Description 5%
100

Skill Content

## Crown Jewel Targets Auth bypass is consistently one of the highest-paying vulnerability classes in bug bounty because it directly violates the most fundamental security control. High-value targets include: - **SSO/SAML implementations** at enterprise SaaS companies (Slack, Okta, OneLogin integrations) — payouts regularly in the $5K–$25K+ range - **Admin panels and partner/internal portals** — subdomain-separated admin surfaces like `partners.shopify.com`, `admin.company.com` - **Third-party auth plugin integrations** — WordPress plugins (OneLogin, WP-SAML-Auth), Drupal SSO modules, any CMS with pluggable auth - **XMLRPC endpoints** on WordPress — often forgotten, bypasses standard WP auth flows entirely - **OAuth callback flows** — state parameter mishandling, redirect_uri mismatches - **API authentication layers** — especially where auth was bolted on after the fact **Asset priority:** Targets with federated identity (SAML, OAuth, OIDC) connected to large user populations. Partner/reseller portals are particularly juicy because they often have elevated permissions and less security scrutiny than the main product. --- ## Attack Surface Signals **URL patterns to hunt:** ``` /xmlrpc.php /wp-login.php /saml/ /sso/ /auth/saml/callback /oauth/callback /partners.* /admin.* /?wc-api= /api/v*/auth /login?redirect= /accounts/login ``` **Response headers signaling SSO:** ``` X-Frame-Options: SAMEORIGIN (common on SSO portals) Set-Cookie: SAMLResponse= Location: https://idp.co...

Details

Author
elementalsouls
Repository
elementalsouls/Claude-BugHunter
Created
3 weeks ago
Last Updated
4 days ago
Language
Python
License
NOASSERTION

Integrates with

Anthropic · AI Shopify · Commerce WordPress · CMS

Similar Skills

Semantically similar based on skill content — not just same category

AI & Automation Solid

hunt-csrf

Hunting skill for csrf vulnerabilities. Built from 15 public bug bounty reports including modern variants — SameSite=Lax sibling-subdomain bypass (Argo CD CVE-2024-22424), GraphQL mutations-via-GET (GitLab $3,370), framework-wide CSRF middleware disabled (Stripe Dashboard $5,000), path-traversal CSRF-token bypass (GitHub Enterprise CVE-2022-23732 $10k), Origin-omission bypass (TikTok $2,500), OAuth-state null-byte (Streamlabs), WebSocket CSRF / CSWSH (Coda), default-SameSite email-change → ATO (YoYo Games $400), social-account-link CSRF (HackerOne), JSON-CSRF via text/plain on email-change (TikTok $500). Use when hunting modern CSRF — heavy emphasis on chain-to-ATO patterns.

1,380 Updated 4 days ago
elementalsouls
AI & Automation Solid

hunt-misc

Hunting skill for misc vulnerabilities. Built from 225 public bug bounty reports. Use when hunting misc on any target.

1,380 Updated 4 days ago
elementalsouls
API & Backend Solid

hunt-oauth

Hunting skill for oauth vulnerabilities. Built from 19 public bug bounty reports. Use when hunting oauth on any target.

1,380 Updated 4 days ago
elementalsouls
API & Backend Listed

hunt-saml

Hunt SAML / SSO attacks. Patterns: XML Signature Wrapping (XSW1-XSW8) — modify Assertion while keeping Signature valid by relocating signed element, comment injection in NameID (admin@target.com<!--evil-->@attacker.com → some parsers see admin@target.com), signature stripping (remove Signature element entirely, server should reject but doesn't), key confusion (signed by attacker's IdP, accepted by SP), audience-restriction not validated, replay attack (same Assertion accepted twice within validity window). Tools: SAML Raider Burp extension, samlmagic, manual XML manipulation. Detection: any /saml endpoint, /Shibboleth.sso, /sso/saml/, Microsoft ADFS endpoints. Validate: account takeover via altered NameID, admin role injection via altered AttributeStatement. Real paid examples on Auth0, Okta, Microsoft, custom SAML implementations. Use when hunting SSO flows, when SAML AssertionConsumerService is reachable, when chaining IdP-trust to SP-impersonation.

1,380 Updated 4 days ago
elementalsouls
AI & Automation Solid

hunt-xss

Hunting skill for xss vulnerabilities. Built from 174 public bug bounty reports. Use when hunting xss on any target.

1,380 Updated 4 days ago
elementalsouls