hunt-csrf

Solid

Hunting skill for csrf vulnerabilities. Built from 15 public bug bounty reports including modern variants — SameSite=Lax sibling-subdomain bypass (Argo CD CVE-2024-22424), GraphQL mutations-via-GET (GitLab $3,370), framework-wide CSRF middleware disabled (Stripe Dashboard $5,000), path-traversal CSRF-token bypass (GitHub Enterprise CVE-2022-23732 $10k), Origin-omission bypass (TikTok $2,500), OAuth-state null-byte (Streamlabs), WebSocket CSRF / CSWSH (Coda), default-SameSite email-change → ATO (YoYo Games $400), social-account-link CSRF (HackerOne), JSON-CSRF via text/plain on email-change (TikTok $500). Use when hunting modern CSRF — heavy emphasis on chain-to-ATO patterns.

AI & Automation 1,380 stars 195 forks Updated 4 days ago NOASSERTION

Install

View on GitHub

Quality Score: 85/100

Stars 20%
100
Recency 20%
100
Frontmatter 20%
70
Documentation 15%
100
Issue Health 10%
80
License 10%
100
Description 5%
100

Skill Content

## Crown Jewel Targets CSRF becomes high-value when it touches **state-changing actions with account-level or financial consequences**. The highest-paying targets are: - **Account takeover vectors**: OAuth/SSO flows (RelayState manipulation), social account linking/unlinking (Oculus-Facebook, SocialClub), import-friends features that expose OAuth tokens - **Authentication infrastructure**: Login CSRF, session fixation via CSRF, forced account association - **API endpoints accepting cross-origin POST**: JSON APIs, heartbeat/activity APIs, anything that skips Content-Type enforcement - **Third-party integrations**: Grafana, monitoring dashboards, embedded analytics — often lag on CSRF protections - **Social platforms**: Twitter/X collections, friend imports, social graph mutations — high-volume, authenticated actions with real user impact **Asset types that pay most:** Core product auth flows > API gateways > third-party integrations running on subdomains > admin panels. --- ## Attack Surface Signals ### URL Patterns ``` /oauth/authorize?RelayState= /accounts/link /import/friends /api/v*/heartbeat /api/v*/collect /monitoring/* (Grafana, Prow, Prometheus) /auth/saml/callback /connect/* (social integrations) ``` ### Response Header Signals ``` # Missing or weak SameSite cookie attributes Set-Cookie: session=abc123; HttpOnly # no SameSite = vulnerable Set-Cookie: session=abc123; SameSite=None # explicitly allows cross-site # Missing CSRF headers # No X-Frame-Optio...

Details

Author
elementalsouls
Repository
elementalsouls/Claude-BugHunter
Created
3 weeks ago
Last Updated
4 days ago
Language
Python
License
NOASSERTION

Integrates with

Anthropic · AI GitLab · DevTools Grafana · Monitoring OAuth · Auth GraphQL · API WebSocket · API

Similar Skills

Semantically similar based on skill content — not just same category

Data & Documents Solid

hunt-auth-bypass

Hunting skill for auth bypass vulnerabilities. Built from 12 public bug bounty reports across SAML XSW / parser-differential (GitHub Enterprise CVE-2025-25291/25292), SAML signature stripping (Uber, Rocket.Chat, samlify CVE-2025-47949), SAML domain enforcement bypass via control characters (HackerOne 2024), partner-portal cross-IdP assertion reuse (Slack), WordPress XMLRPC bypassing SSO (Uber), JWT alg-confusion HS256/RS256 (Jitsi), JWT signature-validation skip (Linktree, Newspack), and token-audience confusion (Argo CD CVE-2023-22482). Use when hunting auth bypass — see the Legacy-Protocol Matrix for branded-UI vs legacy-endpoint patterns.

1,380 Updated 4 days ago
elementalsouls
API & Backend Solid

hunt-oauth

Hunting skill for oauth vulnerabilities. Built from 19 public bug bounty reports. Use when hunting oauth on any target.

1,380 Updated 4 days ago
elementalsouls
AI & Automation Solid

hunt-ssrf

Hunting skill for ssrf vulnerabilities. Built from 15 public bug bounty reports including AWS metadata SSRF (HackerOne $25k Analytics PDF, Shopify Exchange $25k, Capital One 106M-record breach, Dropbox/HelloSign $4,913), GCP metadata SSRF (Snapchat $4k), Azure IMDS SSRF (Azure DevOps $15k chain, ChatGPT Custom Actions MSRC), DNS rebinding SSRF (Concrete CMS, GitLab UrlBlocker), gopher-protocol-to-Redis-RCE (Yahoo Mail $15k), link-preview SSRF (Reddit Matrix $6k), and headless-browser PDF-generator SSRF chains. Use when hunting SSRF on any target — OOB Collaborator confirmation mandatory for blind cases.

1,380 Updated 4 days ago
elementalsouls
AI & Automation Solid

hunt-misc

Hunting skill for misc vulnerabilities. Built from 225 public bug bounty reports. Use when hunting misc on any target.

1,380 Updated 4 days ago
elementalsouls
AI & Automation Solid

hunt-subdomain

Hunting skill for subdomain vulnerabilities. Built from 15 public bug bounty reports including modern provider fingerprints — Microsoft Azure DevOps `cloudapp.azure.com` regional-pool re-issue (1-click OAuth ATO via wildcard `reply_to`), Zendesk help-desk takeover → email interception → password reset chain ($2k), Vercel `cname.vercel-dns.com` deleted-project takeover (2022 + 2025 confirmed), AWS S3 dangling-bucket cookie-scope chain (Affirm), Smartling translation-SaaS namespace re-claim, Fastly CDN service re-attach (2025), and Shopify storefront `shops.myshopify.com` host-mapping takeover (2025). Use when hunting subdomain takeover — emphasis on ATO-chain primitives (OAuth `redirect_uri`, cookie-domain, email DNS).

1,380 Updated 4 days ago
elementalsouls