Use at the START of any bug bounty hunting session, when switching targets, or when feeling lost about what to do next. Master orchestrator that combines the 5-phase non-linear hunting workflow with the critical thinking framework (developer psychology, anomaly detection, What-If experiments). Routes to all other skills based on current hunting phase. Also use when asking "what should I do next" or "where am I in the process."
Instalação
Instalar com Codex ou Claude Copie este prompt, cole no Codex, Claude ou outro assistente e deixe que ele revise a página da skill e instale para você.
Use at the START of any bug bounty hunting session, when switching targets, or when feeling lost about what to do next. Master orchestrator that combines the 5-phase non-linear hunting workflow with the critical thinking framework (developer psychology, anomaly detection, What-If experiments). Routes to all other skills based on current hunting phase. Also use when asking "what should I do next" or "where am I in the process."
Bug Bounty Methodology: Workflow + Mindset
Master orchestrator for hunting sessions. Combines the 5-phase non-linear workflow with the critical thinking framework that separates top 1% hunters from the rest.
PART 1: MINDSET (How to Think)
Core Principle
Hunting is not "find a bug" -- it is "prove an attack scenario." Think like an attacker with a specific goal, not a scanner looking for patterns.
Daily Discipline: Define, Select, Execute
Before touching any tool:
Define: "Today I target [feature/domain] to achieve [CIA impact]"
Replace guid=f8a2... with id=100 on sibling endpoint -> IDOR?
2. Multi-Perspective (multiple angles)
Perspective
What to check
Horizontal (same role)
User A's token + User B's ID -> IDOR
Vertical (different role)
Regular user -> /admin/deleteUser
Data flow (proxy view)
Hidden params in JSON: debug=false, discount_rate
Time/State
Race conditions, post-delete session reuse
Client environment
Mobile UA -> legacy API with weaker auth
Business impact
"What's the $ damage if this breaks?"
3. Tactical Thinking (pattern detection)
Naming anomaly: userId everywhere but suddenly user_id -> different dev, weaker security
Error diff: Same 403 but different JSON structure -> different backend systems
200 but wrong body length/content: 200 OK with tiny response or "just a moment" text → WAF soft block, not a real response. Run bypass_403.sh to confirm and get baseline diff.
Environment diff: Prod vs Dev/Staging -> debug headers, CSP disabled
Version diff: JS file before/after update -> new endpoints, removed params
Supply chain: Check framework/library versions for known CVEs
5. AI-Assisted Thinking (model as a second analyst)
Use AI to expand hypotheses, not to declare verdicts. The model is a fast adversarial planner; the browser, proxy, and live requests are the proof layer.
Decompose the feature: ask for actors, assets, entry points, state transitions, and trust boundaries.
Generate sibling paths: versioned endpoints, mobile routes, legacy APIs, alternate roles, and admin-only variants.
Build a role matrix: anonymous, user A, user B, stale session, fresh session, admin, service account.
Ask for dev shortcuts: "Where would a tired developer skip a check or reuse a helper?"
Ask for chains: "If this bug is real, what bug B and C sit next to it?"
Turn ideas into requests: every AI suggestion must become a single reproducible HTTP experiment.
Kill weak signals fast: if AI cannot point to a concrete request, response diff, or cross-account delta, the idea stays as a hypothesis.
High-signal prompts:
"Given this endpoint and feature, list the 10 most likely trust-boundary mistakes."
"What sibling endpoints, methods, or roles should I test next?"
"Which bug class would a rushed implementation likely miss here?"
"What does the smallest proof request look like?"
"What would make this become a real report instead of a scanner hit?"
Amateur vs Pro: 7-Phase Comparison
Phase
Amateur
Pro
Recon
Main domain only
Shadow IT, dev environments, all assets
Discovery
Look for errors
Look for design contradictions, business logic flaws
Exploit
Give up when blocked
Build filter-bypass payloads
Escalation
Report the phenomenon only
Chain to real harm (session steal, ATO)
Feasibility
Include unrealistic conditions
Minimize attack prerequisites
Reporting
State facts only
Quantify business risk
Retest
Check if old PoC fails
Analyze fix method, find incomplete patches
Two Approach Routes
Route A (Feature-based): "This feature is complex" -> deep-dive its input handling -> find vuln
Route B (Vuln-based): "I want IDOR" -> find endpoints with sequential IDs -> test access control
Anti-Patterns (Stop Doing These)
Program hopping: Stick with one target minimum 2 weeks / 30 hours
Identity: Anonymous or authenticated? If the bugs you're hunting need a
session (IDOR, BOLA, privilege escalation, auth bypass, mass-assignment),
load auth once at session start — see docs/auth-sessions.md. Then
every downstream tool (httpx, katana, ffuf, nuclei, dalfox, PoC verifiers)
sends those headers automatically and audit log entries are stamped with
a stable session_id hash.
Route selection -- Wide or Deep?
Signal
Wide (recon sweep)
Deep (focused testing)
New program, first day
X
Wildcard scope *.target.com
X
Main webapp, been here >3 days
X
Scope update (new domain added)
X
Found interesting subdomain
X
Hunting IDOR / BOLA / auth bugs
X (auth-aware)
Phase 1: RECON
Goal: Maximize attack surface. Find what others missed.
Wide approach (initial sweep):
Subdomain enum -> DNS resolution -> HTTP probing -> Port scan -> Tech detect
Deep approach (targeted):
Google Dorks -> JS file download -> Hidden param discovery -> API mapping
What you find
Next action
Live subdomains with tech stack
Phase 2 (Mapping)
Known software (WordPress, Jira)
Check CVEs + defaults immediately
Cloud resources (S3, Firebase)
Test permissions (read/write/list)
403 or 200 + block page on endpoint
tools/bypass_403.sh <url> auto-detects soft blocks (200+block-body). Verdict: bypassed/needs_review/blocked. If all blocked after 5 min, skip
Nothing after 5 min on a host
Skip, try next host (5-minute rule)
Command: /recon target.com
Phase 2: MAPPING & ANALYSIS
Goal: Understand the app like its developer does.
Checklist:
Map all endpoints (Burp/Caido sitemap + JS analysis)
Identify auth model (cookie, JWT, OAuth, SAML?)
Find business-critical flows (payment, registration, password reset, data export)
Download and analyze JS files for hidden routes, secrets, logic
Identify roles and permissions (user, admin, API keys)
Note "weird" behaviors (anomalies in naming, errors, timing)
What you find
Next action
JS files with interesting code
Taint analysis (Sink -> Source)
OAuth/SAML authentication
OAuth/SAML checklist
API with ID parameters
Phase 3, target IDOR
Complex business logic (payment, coupon)
Phase 3, target BizLogic
postMessage listeners
DOM analysis, postMessage-tracker
Phase 3: VULNERABILITY DISCOVERY
Goal: Find the bug. Use Error-based first, then Blind-based.
Decision flow based on what you're testing:
What input are you testing?
+-- ID parameter (user_id, order_id)
| -> IDOR checklist
+-- Search/filter/sort field
| -> SQLi, NoSQLi probing
+-- URL input / webhook / PDF gen
| -> SSRF checklist
+-- Text field reflected in page
| -> XSS (DOM or reflected)
+-- File upload
| -> SVG XSS, web shell, path traversal
+-- Price/quantity/coupon
| -> Business logic, race conditions
+-- Login / 2FA / password reset
| -> Auth bypass
+-- Profile update API
| -> Mass Assignment
+-- Template / wiki editor
| -> SSTI
+-- Nothing obvious
-> Fuzz with ffuf, try Error-based probing
Error vs Blind decision:
Try Error-based first (send ', ", {{7*7}}, ${7*7}) -- watch for 500 errors, stack traces
No error? Time-based (SLEEP(10), ; sleep 10;) -- watch response time
No time diff? OOB (curl attacker.com, interactsh) -- watch for DNS callback
Still nothing? Boolean (AND 1=1 vs AND 1=0) -- watch content-length diff
/bypass-403 <url> → check verdict (not just status) → tools/waf_encoder.py "<payload>" → if upload: tools/multipart_mutator.py → 5 min, kill
Known software vuln (CVE)
1-day speed workflow
Nothing after 20 min on this endpoint
Rotate (20-minute rule)
Phase 4: PROVE & ESCALATE
Goal: Prove maximum business impact. Turn Low into Critical.
Escalation decision:
What did you find?
+-- XSS
| +-- Can steal cookie/token? -> Session hijack -> ATO
| +-- Cookie is HttpOnly? -> Force email change via XHR -> ATO
| +-- Self-XSS only? -> Find CSRF to trigger it
+-- IDOR
| +-- Can read PII? -> Automate scraping, show scale
| +-- Can change password/email? -> Direct ATO
| +-- UUID only? -> Find UUID leak source, then retry
+-- SSRF
| +-- DNS only? -> DON'T REPORT. Try cloud metadata
| +-- Can reach 169.254.169.254? -> Extract keys -> RCE
| +-- Internal port scan? -> Find Redis/K8s -> RCE
+-- SQLi
| +-- Error-based? -> Extract data (passwords, tokens)
| +-- Can INTO OUTFILE? -> Web shell -> RCE
| +-- Blind? -> Boolean/Time extraction
+-- Open Redirect
| +-- OAuth flow? -> Token theft -> ATO
| +-- javascript: scheme? -> XSS
+-- Blocked by defense
| -> Bypass (WAF/CSP/proxy/sanitizer/2FA)
+-- Low-impact, can't escalate alone
-> Find connector gadget for chain
After proving impact, check:
Can attack work with 0-1 clicks? (minimize prerequisites)
Does it affect all users or specific role?
What's the business $ impact?
Phase 5: VALIDATE & REPORT
Goal: Get paid. Make triager's job easy.
Pre-report gate:
Run /validate (7-Question Gate)
+-- All 7 pass? -> Write report
+-- Any fail? -> KILL the finding. Don't waste time.
+-- Borderline? -> Run /triage for quick go/no-go
Report:
Run /report
+-- Platform-specific format (H1/Bugcrowd/Intigriti/Immunefi)
+-- Title: [Bug Class] in [Endpoint] allows [role] to [impact]
+-- Impact-first summary (sentence 1 = what attacker CAN do)
+-- Exact HTTP requests in Steps to Reproduce
+-- Under 600 words
+-- CVSS 3.1 score that MATCHES actual impact
After submission:
While waiting for triage: try to escalate further (A->B signal method)
If fix deployed: re-test for bypass (incomplete patch = new bug)
Record finding with /remember for hunt memory
PART 3: NAVIGATION & TIMING
Non-Linear Navigation Quick Reference
I'm stuck because...
Go to...
Can't find any subdomains
Phase 1: Try different recon sources, Google Dorks
Found subdomain but don't know what to test
Phase 2: Map the app, download JS, understand auth
Testing but nothing works
Phase 3: Switch vuln class (20-min rotation rule)
Found a bug but impact is low
Phase 4: Escalation paths or gadget chaining
WAF/CSP/403 blocking my payload
/bypass-403 → fingerprint WAF → waf_encoder.py variants → kill if 5 min spent (403 even after /bypass-403 + WAF fingerprint + waf_encoder.py variants)
Been stuck for 45 min on one param
STOP. Rabbit hole. Move to next endpoint.
New API endpoint discovered during testing
Return to Phase 2: map it before attacking
Found one bug
A->B signal: same dev made more mistakes. Hunt 20 min for siblings.
20-Minute Rotation Clock
Every 20 minutes ask yourself: "Am I making progress?"
Yes -> Continue
No -> Rotate to next: endpoint -> subdomain -> vuln class -> target
Been on same target 2+ weeks with no findings? -> Consider switching program
Tool Routing by Phase
Phase
Tools
Why this order
Recon: Subdomains
subfinder -> amass -> puredns -> httpx
Passive first (no detection) -> resolve DNS -> probe HTTP + tech stack
Recon: URLs
gau + waymore -> katana -> uro
Archive (forgotten endpoints) -> active crawl (JS-rendered) -> deduplicate
Recon: JS
jsluice + mantra + trufflehog --only-verified
Extract URLs/secrets -> find API keys -> verify keys actually work
Recon: Ports
naabu (wide) -> rustscan (deep)
Fast top-1000 sweep -> full 65535 on interesting targets
Recon: Scan
nuclei -tags cve -> nuclei -tags takeover
Known CVEs first -> then takeover (act immediately)