hack

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

HACKING SKILLS / HackSkills

Overview

这是一个面向 漏洞赏金、Web 安全、API 安全、授权渗透测试 的总入口技能。

它的核心作用不是替代所有专题技巧，而是帮助 Agent：

先确定测试阶段（Recon / 验证 / 提权 / 组合链）
再选择正确的漏洞类别
避免只依赖基础训练数据，优先使用结构化方法论
优先关注 AI 容易忽略但在实战里很重要的边界条件

This is a general entry skill for bug bounty, Web security, API security, authorized penetration testing.

Its core role is not to replace all topic-specific skills, but to help the Agent:

First determine the testing phase (Recon / Verification / Privilege Escalation / Combined Chain)
Then select the correct vulnerability category
Avoid relying only on basic training data, prioritize using structured methodologies
Prioritize focusing on boundary conditions that AI easily ignores but are very important in actual combat

Trust Model

本知识库强调内容安全与可审查性。
使用时应限定在 授权目标、合法研究、防御验证、漏洞赏金规则允许 的范围内。
不要把这里的技巧用于未授权攻击。

This knowledge base emphasizes content security and auditability.
Use should be limited to the scope of authorized targets, legal research, defense verification, and allowed by bug bounty rules.
Do not use the techniques here for unauthorized attacks.

When to Use This Skill

在以下场景优先使用本技能：

你刚接手一个新的漏洞赏金目标，不知道先测什么
你需要决定应该加载 XSS / SQLi / SSRF / IDOR / JWT / API 等哪类思路
你想让 Agent 按更稳定的方法论进行 Web/API 安全测试
你需要把零散的现象路由到合适的攻击面
你希望 AI 在安全领域少漏掉关键测试点

Prioritize using this skill in the following scenarios:

You just took over a new bug bounty target and don't know what to test first
You need to decide which type of idea to load such as XSS / SQLi / SSRF / IDOR / JWT / API
You want the Agent to perform Web/API security testing according to a more stable methodology
You need to route scattered phenomena to the appropriate attack surface
You hope AI will miss fewer key test points in the security field

Operating Model

Step 1: 先做 Recon 和上下文确认

Step 1: Perform Recon and context confirmation first

优先收集：

目标类型：传统 Web、REST API、移动端后端、管理后台、支付流程、文件上传、GraphQL
身份与权限模型：匿名、普通用户、管理员、多租户
输入位置：URL、查询参数、JSON、Header、Cookie、文件名、导入文件、模板、回显点
输出位置：HTML、属性、JS、PDF、邮件、日志、后台任务、移动端接口

Prioritize collecting:

Target type: traditional Web, REST API, mobile backend, admin backend, payment process, file upload, GraphQL
Identity and permission model: anonymous, regular user, administrator, multi-tenant
Input locations: URL, query parameters, JSON, Header, Cookie, file name, imported files, templates, echo points
Output locations: HTML, attributes, JS, PDF, email, logs, background tasks, mobile interfaces

Step 2: 按观察到的现象路由

Step 2: Route according to observed phenomena

现象	优先方向
输入反射到 HTML / JS	XSS / SSTI
服务端会主动访问 URL / 主机名	SSRF
接收 XML / Office / SVG	XXE
路径、文件名、下载接口可控	Path Traversal / LFI
API 中大量对象 ID	IDOR / BOLA / BFLA
登录、找回密码、2FA、Session	Auth Bypass / JWT / OAuth
多步骤交易、优惠券、价格、库存	Business Logic
MongoDB / JSON 查询语法暴露	NoSQL Injection
命令行工具、图像处理、导入器	Command Injection
HTTP 请求解析异常 / 前后端分帧不一致	Request Smuggling
Node.js JSON 处理 / `__proto__` 可控	Prototype Pollution
PHP 弱比较 / 0e hash / 松散条件	Type Juggling
同名参数重复 / WAF 与应用解析不一致	HTTP Parameter Pollution
一次性操作（优惠券/库存/重置）	Race Condition
XML/XSLT 模板处理	XSLT Injection
.git/.svn/.env 路径可访问	Insecure SCM
导出 CSV/Excel 功能	CSV Formula Injection
WebSocket 协议升级	WebSocket Security
内部包名 / 供应链清单	Dependency Confusion

Phenomenon	Priority Direction
Input reflected to HTML / JS	XSS / SSTI
The server actively accesses URL / hostname	SSRF
Receives XML / Office / SVG	XXE
Path, file name, download interface are controllable	Path Traversal / LFI
A large number of object IDs in API	IDOR / BOLA / BFLA
Login, password recovery, 2FA, Session	Auth Bypass / JWT / OAuth
Multi-step transactions, coupons, prices, inventory	Business Logic
MongoDB / JSON query syntax exposed	NoSQL Injection
Command line tools, image processing, importers	Command Injection
HTTP request parsing anomaly / inconsistent frame splitting between front and back ends	Request Smuggling
Node.js JSON processing / `__proto__` controllable	Prototype Pollution
PHP weak comparison / 0e hash / loose conditions	Type Juggling
Duplicate parameters with the same name / inconsistent parsing between WAF and application	HTTP Parameter Pollution
One-time operations (coupon/inventory/reset)	Race Condition
XML/XSLT template processing	XSLT Injection
.git/.svn/.env paths are accessible	Insecure SCM
CSV/Excel export function	CSV Formula Injection
WebSocket protocol upgrade	WebSocket Security
Internal package names / supply chain inventory	Dependency Confusion

Step 3: 使用最可能命中的测试顺序

Step 3: Use the test order with the highest hit probability

Recon / Methodology
API Security / Auth / IDOR
XSS / SQLi / SSRF / SSTI / XXE
Business Logic / Race Condition
组合链与提权路径

Recon / Methodology
API Security / Auth / IDOR
XSS / SQLi / SSRF / SSTI / XXE
Business Logic / Race Condition
Combined chain and privilege escalation path

Core Skill Map

如果你拥有完整仓库，优先结合这些专题文档一起使用：

Recon and Methodology
XSS Cross Site Scripting
SQLi SQL Injection
SSRF Server Side Request Forgery
XXE XML External Entity
SSTI Server Side Template Injection
IDOR Broken Object Authorization
CMDi Command Injection
Path Traversal LFI
CSRF Cross Site Request Forgery
API Security Router
JWT OAuth Token Attacks
OAuth OIDC Misconfiguration
CORS Cross Origin Misconfiguration
SAML SSO Assertion Attacks
Authentication Bypass
Business Logic Vulnerabilities
Upload Insecure Files
NoSQL Injection
Request Smuggling
Prototype Pollution
Type Juggling (PHP)
HTTP Parameter Pollution
Race Condition
XSLT Injection
Insecure Source Code Management
CSV Formula Injection
WebSocket Security
Dependency Confusion

原先单独拆出的 payload-selection、brute-selection 一类小 skill 已并回对应主 skill，避免入口过多导致 loader 负担和选择噪音。

If you have the complete repository, prioritize using it together with these topic documents:

Recon and Methodology
XSS Cross Site Scripting
SQLi SQL Injection
SSRF Server Side Request Forgery
XXE XML External Entity
SSTI Server Side Template Injection
IDOR Broken Object Authorization
CMDi Command Injection
Path Traversal LFI
CSRF Cross Site Request Forgery
API Security Router
JWT OAuth Token Attacks
OAuth OIDC Misconfiguration
CORS Cross Origin Misconfiguration
SAML SSO Assertion Attacks
Authentication Bypass
Business Logic Vulnerabilities
Upload Insecure Files
NoSQL Injection
Request Smuggling
Prototype Pollution
Type Juggling (PHP)
HTTP Parameter Pollution
Race Condition
XSLT Injection
Insecure Source Code Management
CSV Formula Injection
WebSocket Security
Dependency Confusion

Previously separated small skills such as payload-selection and brute-selection have been merged back into the corresponding main skills to avoid excessive entry points causing loader burden and selection noise.

High-Value Expert Intuitions

这些点是很多基础模型容易忽略，但在真实漏洞赏金里经常有效：

同一套过滤逻辑往往复用在多个页面：一个点可绕过，类似页面通常也能绕过。
参数名本身也是攻击面：WAF 经常只盯参数值，不盯参数名。
二阶漏洞非常常见：存储时安全，不代表读取后进入危险上下文时也安全。
BOLA 的本质是“有认证、无授权”：A/B 账号切换重放非常关键。
老版本接口最容易漏补丁：v2 修了不代表 v1 下线了。
业务逻辑漏洞往往回报最高：它们难以被扫描器发现，也更容易长期存在。
Race Condition 应优先测试“一次性”操作：优惠券、领取、重置、邀请、试用、库存扣减。
JWT 攻击先看密钥与算法上下文：不要盲目试 payload，要先确认
```
alg
```
、
```
kid
```
、JWKS、密钥来源。

These points are easily overlooked by many basic models, but are often effective in real bug bounty scenarios:

The same set of filtering logic is often reused on multiple pages: If you can bypass it at one point, similar pages can usually be bypassed too.
Parameter names themselves are also attack surfaces: WAFs often only monitor parameter values, not parameter names.
Second-order vulnerabilities are very common: Being safe when stored does not mean it is safe when read and entered into a dangerous context.
The essence of BOLA is "authenticated but not authorized": Switching between A/B accounts and replaying requests is very critical.
Old version interfaces are most likely to miss patches: A fix in v2 does not mean v1 has been taken offline.
Business logic vulnerabilities often have the highest returns: They are difficult for scanners to detect and are more likely to exist for a long time.
Race Condition should prioritize testing "one-time" operations: Coupons, collection, reset, invitation, trial, inventory deduction.
For JWT attacks, first look at the key and algorithm context: Do not blindly test payloads, first confirm
```
alg
```
,
```
kid
```
, JWKS, and key source.

Suggested Prompts

可把本技能当作路由器来用，先让 Agent 明确阶段和目标：

“先按漏洞赏金方法论帮我做这个目标的测试路线规划。”
“这是一个 REST API，请优先从 BOLA、BFLA、Mass Assignment、JWT 角度审视。”
“这个参数会触发服务端请求，请按 SSRF 思路列出关键验证点。”
“这个功能是支付/优惠券/库存流程，请优先考虑业务逻辑和竞态。”
“我只看到登录和找回密码流程，请按 Auth Bypass + OAuth/JWT + CSRF 路线分析。”

You can use this skill as a router, first let the Agent clarify the phase and target:

"First help me make a test route plan for this target according to the bug bounty methodology."
"This is a REST API, please prioritize reviewing it from the perspectives of BOLA, BFLA, Mass Assignment, and JWT."
"This parameter will trigger a server-side request, please list the key verification points according to the SSRF idea."
"This function is a payment/coupon/inventory process, please prioritize business logic and race conditions."
"I only see the login and password recovery process, please analyze according to the Auth Bypass + OAuth/JWT + CSRF route."

Installation Notes

Guidelines

优先按目标类型与现象路由，而不是随机枚举 payload。
需要 payload 时，优先使用对应主 skill 里的 quick start / first-pass 样本，而不是再跳一个中间入口。
优先寻找可复用的过滤器、共享组件和跨页面复现路径。
先确认认证边界、授权边界、版本边界，再深入利用。
优先保留可解释、可审查、可复现的测试过程。
当完整仓库可用时，优先回到专题文档获取更细的攻击细节。

Prioritize routing according to target type and phenomenon, rather than randomly enumerating payloads.
When payloads are needed, prioritize using the quick start / first-pass samples in the corresponding main skill, instead of jumping to another intermediate entry.
Prioritize finding reusable filters, shared components, and cross-page reproduction paths.
First confirm the authentication boundary, authorization boundary, and version boundary before in-depth exploitation.
Prioritize retaining interpretable, auditable, and reproducible test processes.
When the complete repository is available, prioritize returning to the topic documents for more detailed attack details.