HACKING SKILLS / HackSkills
Overview
This is a general entry skill for bug bounty, Web security, API security, authorized penetration testing.
Its core role is not to replace all topic-specific skills, but to help the Agent:
- First determine the testing phase (Recon / Verification / Privilege Escalation / Combined Chain)
- Then select the correct vulnerability category
- Avoid relying only on basic training data, prioritize using structured methodologies
- Prioritize focusing on boundary conditions that AI easily ignores but are very important in actual combat
Trust Model
- This knowledge base emphasizes content security and auditability.
- Use should be limited to the scope of authorized targets, legal research, defense verification, and allowed by bug bounty rules.
- Do not use the techniques here for unauthorized attacks.
When to Use This Skill
Prioritize using this skill in the following scenarios:
- You just took over a new bug bounty target and don't know what to test first
- You need to decide which type of idea to load such as XSS / SQLi / SSRF / IDOR / JWT / API
- You want the Agent to perform Web/API security testing according to a more stable methodology
- You need to route scattered phenomena to the appropriate attack surface
- You hope AI will miss fewer key test points in the security field
Operating Model
Step 1: Perform Recon and context confirmation first
Prioritize collecting:
- Target type: traditional Web, REST API, mobile backend, admin backend, payment process, file upload, GraphQL
- Identity and permission model: anonymous, regular user, administrator, multi-tenant
- Input locations: URL, query parameters, JSON, Header, Cookie, file name, imported files, templates, echo points
- Output locations: HTML, attributes, JS, PDF, email, logs, background tasks, mobile interfaces
Step 2: Route according to observed phenomena
| Phenomenon | Priority Direction |
|---|
| Input reflected to HTML / JS | XSS / SSTI |
| The server actively accesses URL / hostname | SSRF |
| Receives XML / Office / SVG | XXE |
| Path, file name, download interface are controllable | Path Traversal / LFI |
| A large number of object IDs in API | IDOR / BOLA / BFLA |
| Login, password recovery, 2FA, Session | Auth Bypass / JWT / OAuth |
| Multi-step transactions, coupons, prices, inventory | Business Logic |
| MongoDB / JSON query syntax exposed | NoSQL Injection |
| Command line tools, image processing, importers | Command Injection |
| HTTP request parsing anomaly / inconsistent frame splitting between front and back ends | Request Smuggling |
| Node.js JSON processing / controllable | Prototype Pollution |
| PHP weak comparison / 0e hash / loose conditions | Type Juggling |
| Duplicate parameters with the same name / inconsistent parsing between WAF and application | HTTP Parameter Pollution |
| One-time operations (coupon/inventory/reset) | Race Condition |
| XML/XSLT template processing | XSLT Injection |
| .git/.svn/.env paths are accessible | Insecure SCM |
| CSV/Excel export function | CSV Formula Injection |
| WebSocket protocol upgrade | WebSocket Security |
| Internal package names / supply chain inventory | Dependency Confusion |
Step 3: Use the test order with the highest hit probability
- Recon / Methodology
- API Security / Auth / IDOR
- XSS / SQLi / SSRF / SSTI / XXE
- Business Logic / Race Condition
- Combined chain and privilege escalation path
Core Skill Map
If you have the complete repository, prioritize using it together with these topic documents:
- Recon and Methodology
- XSS Cross Site Scripting
- SQLi SQL Injection
- SSRF Server Side Request Forgery
- XXE XML External Entity
- SSTI Server Side Template Injection
- IDOR Broken Object Authorization
- CMDi Command Injection
- Path Traversal LFI
- CSRF Cross Site Request Forgery
- API Security Router
- JWT OAuth Token Attacks
- OAuth OIDC Misconfiguration
- CORS Cross Origin Misconfiguration
- SAML SSO Assertion Attacks
- Authentication Bypass
- Business Logic Vulnerabilities
- Upload Insecure Files
- NoSQL Injection
- Request Smuggling
- Prototype Pollution
- Type Juggling (PHP)
- HTTP Parameter Pollution
- Race Condition
- XSLT Injection
- Insecure Source Code Management
- CSV Formula Injection
- WebSocket Security
- Dependency Confusion
Previously separated small skills such as payload-selection and brute-selection have been merged back into the corresponding main skills to avoid excessive entry points causing loader burden and selection noise.
High-Value Expert Intuitions
These points are easily overlooked by many basic models, but are often effective in real bug bounty scenarios:
- The same set of filtering logic is often reused on multiple pages: If you can bypass it at one point, similar pages can usually be bypassed too.
- Parameter names themselves are also attack surfaces: WAFs often only monitor parameter values, not parameter names.
- Second-order vulnerabilities are very common: Being safe when stored does not mean it is safe when read and entered into a dangerous context.
- The essence of BOLA is "authenticated but not authorized": Switching between A/B accounts and replaying requests is very critical.
- Old version interfaces are most likely to miss patches: A fix in v2 does not mean v1 has been taken offline.
- Business logic vulnerabilities often have the highest returns: They are difficult for scanners to detect and are more likely to exist for a long time.
- Race Condition should prioritize testing "one-time" operations: Coupons, collection, reset, invitation, trial, inventory deduction.
- For JWT attacks, first look at the key and algorithm context: Do not blindly test payloads, first confirm , , JWKS, and key source.
Suggested Prompts
You can use this skill as a router, first let the Agent clarify the phase and target:
- "First help me make a test route plan for this target according to the bug bounty methodology."
- "This is a REST API, please prioritize reviewing it from the perspectives of BOLA, BFLA, Mass Assignment, and JWT."
- "This parameter will trigger a server-side request, please list the key verification points according to the SSRF idea."
- "This function is a payment/coupon/inventory process, please prioritize business logic and race conditions."
- "I only see the login and password recovery process, please analyze according to the Auth Bypass + OAuth/JWT + CSRF route."
Installation Notes
Recommended skill name:
Recommended search keywords:
Guidelines
- Prioritize routing according to target type and phenomenon, rather than randomly enumerating payloads.
- When payloads are needed, prioritize using the quick start / first-pass samples in the corresponding main skill, instead of jumping to another intermediate entry.
- Prioritize finding reusable filters, shared components, and cross-page reproduction paths.
- First confirm the authentication boundary, authorization boundary, and version boundary before in-depth exploitation.
- Prioritize retaining interpretable, auditable, and reproducible test processes.
- When the complete repository is available, prioritize returning to the topic documents for more detailed attack details.