hunt-cache-poison

Solid

Hunting skill for cache poison vulnerabilities. Built from 10 public bug bounty reports including X-Forwarded-Host poisoning, X-HTTP-Method-Override / GCS cache, reflected→stored XSS via cache, classic Omer-Gil Web Cache Deception, Cloudflare Cache Deception Armor bypass, session-token cache deception, Akamai hop-by-hop smuggling → server-side edge poisoning, and Kettle's 2024 path-normalization WCD against Cloudflare/Fastly/GCP. Use when hunting cache poisoning, Web Cache Deception, CDN-fronted apps.

DevOps & Infrastructure 1,380 stars 195 forks Updated 4 days ago NOASSERTION


Quality Score: 85/100

Stars (20%): 100
Recency (20%): 100
Frontmatter (20%): 70
Documentation (15%): 100
Issue Health (10%): 80
License (10%): 100
Description (5%): 100

Skill Content

## Crown Jewel Targets

Cache poisoning is high-value because a single poisoned cache entry can affect thousands or millions of victims simultaneously — one request, mass exploitation. Payout scales with blast radius.

**Highest-value targets:**

- **CDN-served assets** (cdn.shopify.com, cloudfront distributions, Fastly/Akamai edges) — poisoning these affects every visitor globally
- **E-commerce platforms** with affiliate/referral flows (Shopify, WooCommerce storefronts) — session hijack or affiliate fraud potential
- **Gaming platforms with update servers** (rockstargames updates.* domains) — DoS on update delivery = widespread client breakage
- **Authentication endpoints** served through caches — leads to account takeover (the highest severity variant)
- **Asset CDNs** (JS/CSS delivery) — XSS payload delivery at scale
- **SaaS multi-tenant platforms** — one poisoned response bleeds into all tenants sharing a cache key

**Asset types that pay most:** CDN hostnames, subdomain-per-tenant patterns, update/download servers, login/account pages cached incorrectly, affiliate link shorteners.

---

## Attack Surface Signals

**URL patterns to look for:**

- `cdn.`, `assets.`, `static.`, `updates.`, `downloads.` subdomains
- URL path structures with extensions that look static: `/path/to/page.css`, `/account.php/nonexistent.jpg`
- Affiliate/link shortener endpoints: `/link/`, `/go/`, `/ref/`, `/out/`
- Paths that mix dynamic content with cacheable-looking URLs

**Response headers tha...

Details

Author: elementalsouls
Repository: elementalsouls/Claude-BugHunter
Created: 3 weeks ago
Last Updated: 4 days ago
Language: Python
License: NOASSERTION

Similar Skills

Semantically similar based on skill content — not just same category

AI & Automation Featured

performing-web-cache-poisoning-attack

Exploiting web cache mechanisms to serve malicious content to other users by poisoning cached responses through unkeyed headers and parameters during authorized security tests.

12,642 Updated today
mukul975
DevOps & Infrastructure Listed

cache-poisoning-dos

How to test for web cache poisoning vulnerabilities that can lead to denial of service. Use this skill whenever the user mentions cache servers, CDNs, DoS attacks, web server vulnerabilities, HTTP headers, Cloudflare, or any scenario where they want to test if error responses can be cached and served to legitimate users. This includes testing for header-based attacks, method override vulnerabilities, and cache key manipulation.

12 Updated 2 months ago
abelrguezr
AI & Automation Solid

hunt-xss

Hunting skill for xss vulnerabilities. Built from 174 public bug bounty reports. Use when hunting xss on any target.

1,380 Updated 4 days ago
elementalsouls
AI & Automation Solid

hunt-csrf

Hunting skill for csrf vulnerabilities. Built from 15 public bug bounty reports including modern variants — SameSite=Lax sibling-subdomain bypass (Argo CD CVE-2024-22424), GraphQL mutations-via-GET (GitLab $3,370), framework-wide CSRF middleware disabled (Stripe Dashboard $5,000), path-traversal CSRF-token bypass (GitHub Enterprise CVE-2022-23732 $10k), Origin-omission bypass (TikTok $2,500), OAuth-state null-byte (Streamlabs), WebSocket CSRF / CSWSH (Coda), default-SameSite email-change → ATO (YoYo Games $400), social-account-link CSRF (HackerOne), JSON-CSRF via text/plain on email-change (TikTok $500). Use when hunting modern CSRF — heavy emphasis on chain-to-ATO patterns.

1,380 Updated 4 days ago
elementalsouls
AI & Automation Solid

hunt-subdomain

Hunting skill for subdomain vulnerabilities. Built from 15 public bug bounty reports including modern provider fingerprints — Microsoft Azure DevOps `cloudapp.azure.com` regional-pool re-issue (1-click OAuth ATO via wildcard `reply_to`), Zendesk help-desk takeover → email interception → password reset chain ($2k), Vercel `cname.vercel-dns.com` deleted-project takeover (2022 + 2025 confirmed), AWS S3 dangling-bucket cookie-scope chain (Affirm), Smartling translation-SaaS namespace re-claim, Fastly CDN service re-attach (2025), and Shopify storefront `shops.myshopify.com` host-mapping takeover (2025). Use when hunting subdomain takeover — emphasis on ATO-chain primitives (OAuth `redirect_uri`, cookie-domain, email DNS).

1,380 Updated 4 days ago
elementalsouls