hunt-business-logic

Solid

Hunting skill for business logic vulnerabilities. Built from 12 public bug bounty reports. Covers coupon-race-stacking (Instacart, Stripe, Reverb), negative-quantity-in-cart price tampering (Upserve, Eternal/Zomato), decimal/fraction price-field overflow (Shipt), client-side checkout amount trust on PayPal redirect (WordPress.org), price-per-unit mass-assignment (Krisp), and archived-price swap / cart-TOCTOU (Stripe). Use when hunting business logic — heavy emphasis on financial-impact-demonstrated cases.

Data & Documents 1,380 stars 195 forks Updated 4 days ago NOASSERTION


Quality Score: 85/100

Stars (20%): 100
Recency (20%): 100
Frontmatter (20%): 70
Documentation (15%): 100
Issue Health (10%): 80
License (10%): 100
Description (5%): 100

Skill Content

## Crown Jewel Targets

Business logic vulnerabilities pay highest in platforms where financial transactions, identity verification, and access controls intersect with real-world consequences. The richest targets are:

- **E-commerce & payment platforms** (Valve/Steam, Shopify) — payment flow manipulation, free goods, price tampering
- **Marketplace & gig economy apps** (Airbnb, Uber) — identity/verification bypass enabling fraud or unsafe interactions
- **SaaS with tiered access** (Mozilla Monitor) — bypassing verification to unlock monitoring features without entitlement
- **High-traffic consumer apps** (Snapchat, Yelp) — rate-limit bypass enabling spam, enumeration, or abuse at scale

Asset types that pay: checkout flows, subscription endpoints, callback/verification systems, webhook handlers, employee/internal portals exposed to the internet, and any endpoint that trusts client-supplied data to make authorization decisions.

---

## Attack Surface Signals

**URL patterns to watch:**

- `/checkout`, `/order`, `/subscribe`, `/payment`, `/verify`, `/confirm`, `/callback`
- `/internal`, `/employee`, `/summit`, `/staff`, `/admin` — internal pages accidentally public
- `/api/v*/payment`, `/api/v*/notify`, `/webhook` — payment provider callbacks
- Endpoints accepting `X-Forwarded-For`, `X-Real-IP`, `CF-Connecting-IP` headers

**Response/header signals:**

- `Set-Cookie` with unvalidated session state tied to cart or order data
- Payment provider names in responses: `Smart2Pay`, `S...
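The price-tampering classes the skill description lists (negative quantity, fractional quantity, client-supplied unit price, coupon stacking, a client-trusted amount on the payment callback, and a price that changes between the cart step and payment) are easier to recognise against a concrete target. The block below is an added example, not code from the Claude-BugHunter skill or from the cited reports: a toy Python checkout with the trusting total computation beside a hardened one. The catalog, coupon table, SKU names and cart payloads are constructed for the example.

```python
"""Added example, not code from the Claude-BugHunter skill or its source reports.

A toy checkout showing the price-tampering bugs the skill description lists
(negative/fractional quantity, client-supplied price, coupon re-use, client-
trusted amount, price changed between cart and payment) next to a hardened
version. Catalog, coupons and cart payloads are constructed for this example.
"""

# Constructed server-side catalog: SKU -> unit price in integer cents.
# Integer cents avoid the rounding games a fractional price field invites.
CATALOG = {"SKU-100": 4999, "SKU-200": 1500}

# Constructed coupon table: code -> discount in cents.
COUPONS = {"SAVE10": 1000, "FLAT20": 2000}


def vulnerable_total(cart: list[dict], coupons: list[str]) -> int:
    """Order total the way the vulnerable apps computed it: every field
    comes from the client and is used as-is."""
    total = 0
    for item in cart:
        # Client-controlled price and quantity: a negative or fractional qty
        # and a rewritten price all pass straight through.
        total += item["price"] * item["qty"]
    for code in coupons:
        # No de-duplication: the same code listed twice is applied twice.
        total -= COUPONS.get(code, 0)
    return int(total)


class CheckoutError(ValueError):
    """Raised when the server rejects a cart, coupon or payment amount."""


class HardenedCheckout:
    MAX_QTY = 99

    def __init__(self) -> None:
        # Coupons burned by confirmed orders. In a real system this is a DB row
        # with a unique constraint written in the same transaction as the
        # order, so two concurrent redemptions cannot both succeed.
        self._redeemed: set[str] = set()

    def total(self, cart: list[dict], coupons: list[str]) -> int:
        total = 0
        for item in cart:
            sku = item.get("sku")
            if sku not in CATALOG:
                raise CheckoutError(f"unknown sku {sku!r}")
            qty = item.get("qty")
            # Quantity must be a real int (bool/float rejected) in [1, MAX_QTY].
            if type(qty) is not int or not 1 <= qty <= self.MAX_QTY:
                raise CheckoutError(f"invalid quantity {qty!r} for {sku}")
            # Unit price comes from the catalog; any client "price" key is ignored.
            total += CATALOG[sku] * qty

        seen: set[str] = set()
        for code in coupons:
            if code not in COUPONS:
                raise CheckoutError(f"unknown coupon {code!r}")
            if code in seen or code in self._redeemed:
                raise CheckoutError(f"coupon {code!r} already used")
            seen.add(code)
        discount = sum(COUPONS[c] for c in seen)
        # A discount may zero the order but never turn it into a payout.
        return max(total - discount, 0)

    def confirm_payment(self, cart: list[dict], coupons: list[str], paid_cents: int) -> int:
        """Payment-provider callback. The total is recomputed from the current
        catalog here, not read back from the cart or a redirect parameter, so
        a price changed after the cart step or an amount rewritten on the way
        to the provider is caught."""
        expected = self.total(cart, coupons)
        if type(paid_cents) is not int or paid_cents != expected:
            raise CheckoutError(f"paid {paid_cents!r}, expected {expected}")
        self._redeemed.update(coupons)
        return expected


def rejects(fn, *args) -> bool:
    """True if fn(*args) raises CheckoutError."""
    try:
        fn(*args)
    except CheckoutError:
        return True
    return False


if __name__ == "__main__":
    # Constructed tampered cart: one real item, one with a negative quantity,
    # plus the same coupon submitted twice.
    tampered = [{"sku": "SKU-100", "price": 4999, "qty": 1},
                {"sku": "SKU-200", "price": 1500, "qty": -3}]
    print("vulnerable total:", vulnerable_total(tampered, ["SAVE10", "SAVE10"]))
    co = HardenedCheckout()
    print("hardened rejects tampered cart:", rejects(co.total, tampered, []))
```

Running the block shows the tampered cart producing a negative total on the vulnerable path and a rejection on the hardened one. The in-memory `_redeemed` set only stands in for a database uniqueness constraint; without something atomic at that layer the coupon check is still racy, which is the double-redemption case the hunt-race-condition skill listed below covers.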

Details

Author: elementalsouls
Repository: elementalsouls/Claude-BugHunter
Created: 3 weeks ago
Last Updated: 4 days ago
Language: Python
License: NOASSERTION

Similar Skills

Semantically similar based on skill content — not just same category

AI & Automation Solid

hunt-misc

Hunting skill for misc vulnerabilities. Built from 225 public bug bounty reports. Use when hunting misc on any target.

1,380 Updated 4 days ago
elementalsouls
Data & Documents Solid

hunt-auth-bypass

Hunting skill for auth bypass vulnerabilities. Built from 12 public bug bounty reports across SAML XSW / parser-differential (GitHub Enterprise CVE-2025-25291/25292), SAML signature stripping (Uber, Rocket.Chat, samlify CVE-2025-47949), SAML domain enforcement bypass via control characters (HackerOne 2024), partner-portal cross-IdP assertion reuse (Slack), WordPress XMLRPC bypassing SSO (Uber), JWT alg-confusion HS256/RS256 (Jitsi), JWT signature-validation skip (Linktree, Newspack), and token-audience confusion (Argo CD CVE-2023-22482). Use when hunting auth bypass — see the Legacy-Protocol Matrix for branded-UI vs legacy-endpoint patterns.

1,380 Updated 4 days ago
elementalsouls
Data & Documents Solid

hunt-race-condition

Hunting skill for race condition vulnerabilities. Built from 12 public bug bounty reports including modern HTTP/2 single-packet attack cases (James Kettle DEF CON 2023 "Smashing the State Machine"; RyotaK / Flatt Security 10,000-request first-sequence-sync expansion 2024). Covers coupon double-redemption, gift-card double-spend, MFA-OTP-validate race, account-create race, faucet/crypto token double-mint, email-activation race, vote/upvote inflation, password-reset token race, rate-limit bypass via concurrent requests. Use when hunting race conditions, TOCTOU bugs, MFA-bypass-via-timing.

1,380 Updated 4 days ago
elementalsouls
AI & Automation Solid

hunt-csrf

Hunting skill for csrf vulnerabilities. Built from 15 public bug bounty reports including modern variants — SameSite=Lax sibling-subdomain bypass (Argo CD CVE-2024-22424), GraphQL mutations-via-GET (GitLab $3,370), framework-wide CSRF middleware disabled (Stripe Dashboard $5,000), path-traversal CSRF-token bypass (GitHub Enterprise CVE-2022-23732 $10k), Origin-omission bypass (TikTok $2,500), OAuth-state null-byte (Streamlabs), WebSocket CSRF / CSWSH (Coda), default-SameSite email-change → ATO (YoYo Games $400), social-account-link CSRF (HackerOne), JSON-CSRF via text/plain on email-change (TikTok $500). Use when hunting modern CSRF — heavy emphasis on chain-to-ATO patterns.

1,380 Updated 4 days ago
elementalsouls
API & Backend Solid

hunt-oauth

Hunting skill for oauth vulnerabilities. Built from 19 public bug bounty reports. Use when hunting oauth on any target.

1,380 Updated 4 days ago
elementalsouls