MCPcopy Index your code
hub / github.com/elementalsouls/Claude-BugHunter

github.com/elementalsouls/Claude-BugHunter @v2.1

Chat with this repo
repository ↗ · DeepWiki ↗ · release v2.1 ↗ · + Follow
146 symbols 357 edges 13 files 48 documented · 33%
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

claude-bughunter banner

claude-bughunter

A self-contained Claude skill bundle for bug hunting and external red-team work · 71 skills · 15 slash commands · 681 disclosed-report patterns across 24 core vulnerability classes · enterprise identity + infrastructure attack matrices · engagement-folder scaffolding · Burp MCP integration · battle-tested across authorized red-team and bug-hunting engagements, plus public training platforms (DVWA, OWASP Juice Shop, Hacker101, testphp.vulnweb.com).

Built by Sachin Sharma — Bug Hunting & GenAI Security Research.

SPONSORED BY

  <img alt="Atlas Cloud" src="https://github.com/elementalsouls/Claude-BugHunter/raw/v2.1/assets/sponsors/atlas-cloud-light.svg" height="36">


What is this?

claude-bughunter is a drop-in skill bundle for the Claude Code skills system. Install once and Claude Code stops being a chatbot and starts behaving like a senior bug-hunting researcher or red-team operator: it knows the techniques, the chain templates, the VRT mappings, the platform CVE chains, and the hygiene — and it stays in scope.

Four layers stack:

  • bug-bounty + bb-methodology + redteam-mindsethow to think. 5-phase non-linear hunting workflow, critical-thinking framework, developer-psychology heuristics, anomaly detection patterns, and the red-team operator-discipline corrections (when scope is "external red team" not "bug hunting / WAPT").
  • 48 hunt-* skills + security-arsenalwhat to look for in webapps. Per-class detection patterns, payloads, bypass tables, and chain templates — the original 24 per-class skills curated from 681 disclosed HackerOne reports, plus 20+ framework/surface skills (Next.js, Spring Boot, Laravel, Kubernetes, CI/CD, gRPC, WebSocket, deserialization, …) from the community v3 expansion.
  • Enterprise platform attack chainswhat to look for on the perimeter. m365-entra-attack, okta-attack, cloud-iam-deep, vmware-vcenter-attack, enterprise-vpn-attack, hunt-sharepoint, hunt-aspnet, hunt-ntlm-info, apk-redteam-pipeline, supply-chain-attack-recon — current 2024-2026 CVE chains, AADSTS error references, version-fingerprint matrices, and post-credential escalation paths.
  • triage-validation + bugcrowd-reporting + evidence-hygiene + redteam-report-template + mid-engagement-ir-detectionhow to ship it. 7-Question Gate, VRT category fallback, severity-request paragraphs, OOS rebuttals, cookie/PII redaction, client-facing red-team deliverable format, and SOC-patch / mid-engagement-attacker detection methodology.

All triggered automatically by topic — describe what you're testing in plain English and the relevant skill loads. No invocation by name.

71 skills · 15 commands · 681 disclosed reports curated · 6-phase workflow · exercised against public training platforms (DVWA, OWASP Juice Shop, Hacker101, testphp.vulnweb.com) and calibrated through authorized real-world engagements.


Quickstart

git clone https://github.com/elementalsouls/Claude-BugHunter.git
cd Claude-BugHunter
bash scripts/install.sh        # copies skills + commands into ~/.claude/

That's it. Open Claude Code and describe what you're testing in plain English — the right skill loads automatically, no invocation by name:

> Testing acme.com — an in-scope HackerOne target. Run recon and rank the surface.

  ⟳ loading skills: web2-recon, offensive-osint, bb-methodology …
  → subdomain enum (subfinder + crt.sh) … 47 hosts
  → live hosts (httpx) … 12 · tech fingerprint … 6 distinct stacks
  → ranked surface: api.acme.com (GraphQL, introspection ON)  ← start here
                    auth.acme.com (OAuth, SSO)               ← hunt-oauth
  Next: want me to probe the GraphQL introspection + OAuth redirect_uri?

→ Full Installation guide · Usage guide · searchable skill catalog.

The block above is an illustrative transcript. To record a real demo of your own session: asciinema rec demo.cast → upload to asciinema.org and drop the badge here.


Scope — what this bundle is for, and what it isn't

This bundle covers the external attack surface — anything reachable from the internet without first compromising an internal endpoint.

In scope

  • Bug bounty hunting — web apps, APIs, SaaS, GraphQL, OAuth, JWT, file upload, IDOR, SSRF, RCE chains
  • Web application pentesting — full hunt-* coverage of OWASP-mapped bug classes + discipline rules
  • External red-team engagements — initial-access against internet-facing enterprise estate: M365 / Entra ID, Okta-as-IdP, SharePoint on-prem (ToolShell + legacy SOAP), VMware vCenter / Workspace ONE, SSL VPN appliances (Cisco / Fortinet / Citrix / Palo Alto / Pulse / SonicWall / F5), Android APK red-team, supply-chain recon
  • Cloud misconfig + post-credential escalation — public S3, IMDS chains, STS AssumeRole, cross-account confused-deputy
  • Recon + OSINT — subdomain enum, identity-fabric mapping, certificate transparency, JS analysis, secret scanning
  • Reporting — H1, Bugcrowd (VRT-aware), Intigriti, Immunefi, plus client-facing red-team deliverable format

Out of scope (deliberate — not gaps, design decisions)

  • Internal Active Directory attacks — BloodHound, Kerberoasting, ASREProast, DCSync, Pass-the-Hash, AD CS abuse, ntlmrelayx, Responder, PetitPotam, etc. Different operational risk profile; needs different tooling and judgment. Future bundle, not this one.
  • C2 frameworks — Cobalt Strike, Sliver, Mythic, Havoc, BRC4 tradecraft. Out of scope for external-only engagement model.
  • Post-exploit / persistence / lateral — Mimikatz/comsvcs LSASS dumping, golden/silver tickets, named-pipe impersonation, persistence (registry, scheduled tasks, WMI events, COM hijacking), token theft. These start after the perimeter has already broken — different bundle territory.
  • Evasion — AMSI bypass, ETW patching, AV/EDR bypass. Tied to C2 tradecraft above.
  • iOS pentesting / hardware / RF / ICS — out of scope by design.
  • Binary exploitation / kernel pwn / browser internals — different skill universe.

If you're running an internal red team that includes domain-takeover chains via Kerberos or lateral movement, this bundle won't help you in those phases — and we'd rather say that up front than have you find out mid-engagement. The external surface handoff to internal-RT tooling (Impacket, NetExec, CrackMapExec, Rubeus, Certify, BloodHound) is intentionally outside our scope. Coverage for internal AD and post-exploit may come in a future update.


Capability Map

The 71 skills group into 7 capability domains. Each box below is a real skill on disk. Skills auto-load when their description keywords match what you're describing to Claude.

graph TB
    classDef recon fill:#FFE4D1,stroke:#DA7756,stroke-width:2px,color:#080705
    classDef hunt fill:#FFB591,stroke:#DA7756,stroke-width:2px,color:#080705
    classDef platform fill:#FF8B14,stroke:#DA7756,stroke-width:2px,color:#fff
    classDef redteam fill:#DA7756,stroke:#23201C,stroke-width:2px,color:#fff
    classDef workflow fill:#FFE4D1,stroke:#DA7756,stroke-width:2px,color:#080705
    classDef report fill:#FFB591,stroke:#DA7756,stroke-width:2px,color:#080705
    classDef cli fill:#23201C,stroke:#DA7756,stroke-width:2px,color:#FFE4D1

    subgraph SCOPE [" "]
        direction LR
        S1["Engagement scaffold

hunt &lt;target&gt;

bug-bounty · bb-methodology"]:::workflow
    end

    subgraph RECON ["Recon & Intelligence (3)"]
        direction TB
        R1["offensive-osint

15-ref probe arsenal"]:::recon
        R2["web2-recon

subdomain + endpoint enum"]:::recon
        R3["osint-methodology

5-stage pipeline"]:::recon
    end

    subgraph HUNT ["Hunt — Web App (48 hunt-* skills)"]
        direction TB
        H1["Injection

hunt-sqli · hunt-xss · hunt-ssti · hunt-rce"]:::hunt
        H2["Authorization

hunt-idor · hunt-auth-bypass · hunt-csrf"]:::hunt
        H3["Server-Side

hunt-ssrf · hunt-xxe · hunt-http-smuggling · hunt-cache-poison"]:::hunt
        H4["Identity

hunt-jwt · hunt-saml · hunt-oauth · hunt-mfa-bypass · hunt-ato"]:::hunt
        H5["API & Modern

hunt-graphql · hunt-api-misconfig · hunt-file-upload"]:::hunt
        H6["Business & Race

hunt-business-logic · hunt-race-conditions · hunt-llm-ai · hunt-pii-leak"]:::hunt
    end

    subgraph PLATFORM ["Enterprise Platform Attack (7)"]
        direction TB
        P1["Identity Fabric

m365-entra-attack · okta-attack"]:::platform
        P2["Cloud & Virt

cloud-iam-deep · vmware-vcenter-attack"]:::platform
        P3["Perimeter Appliances

enterprise-vpn-attack"]:::platform
        P4["SharePoint Ecosystem

hunt-sharepoint · hunt-aspnet · hunt-ntlm-info"]:::platform
        P5["Mobile & Supply Chain

apk-redteam-pipeline · supply-chain-attack-recon"]:::platform
    end

    subgraph REDTEAM ["Red Team Tradecraft (2)"]
        direction TB
        RT1["redteam-mindset

DO NOT STOP directive

operator discipline"]:::redteam
        RT2["mid-engagement-ir-detection

SOC-patch & attacker-activity

baseline-shift detection"]:::redteam
    end

    subgraph WORKFLOW ["Validation & Discipline"]
        direction TB
        V1["triage-validation

7-Question Gate

PASS / DOWNGRADE / KILL / CHAIN"]:::workflow
    end

    subgraph REPORT ["Capture & Report (3)"]
        direction TB
        E1["evidence-hygiene

cookie redaction · PII black-bar"]:::report
        E2["report-writing

H1 · Intigriti · Immunefi templates"]:::report
        E3["bugcrowd-reporting · redteam-report-template

VRT mapping · DOCX deliverable"]:::report
    end

    subgraph CLI ["Slash Commands & CLI (15 + 1)"]
        direction LR
        C1["Slash: /recon /hunt /triage /report /validate /chain /autopilot /scope /surface /pickup /intel /remember /memory-gc /token-scan /web3-audit"]:::cli
        C2["cbh CLI: recon · classify · triage · report"]:::cli
    end

    SCOPE --> RECON
    RECON --> HUNT
    RECON --> PLATFORM
    HUNT --> WORKFLOW
    PLATFORM --> WORKFLOW
    REDTEAM -.applies throughout.-> HUNT
    REDTEAM -.applies throughout.-> PLATFORM
    WORKFLOW --> REPORT
    CLI -.routes into.-> RECON
    CLI -.routes into.-> HUNT
    CLI -.routes into.-> WORKFLOW
    CLI -.routes into.-> REPORT

Engagement Flow

Every engagement follows the same 6-phase loop. Skills auto-load at each phase. The Validate gate has 4 possible outcomes — only PASS or DOWNGRADE continue forward to a report; KILL and CHAIN REQUIRED return you to Hunt with a verdict that prevents wasted reporting effort.

flowchart TD
    classDef phase fill:#FFB591,stroke:#DA7756,stroke-width:3px,color:#080705
    classDef gate fill:#FF8B14,stroke:#23201C,stroke-width:2px,color:#fff
    classDef decision fill:#FFE4D1,stroke:#DA7756,stroke-width:2px,color:#080705
    classDef terminal fill:#23201C,stroke:#DA7756,stroke-width:2px,color:#FFE4D1
    classDef discipline fill:#DA7756,stroke:#23201C,stroke-width:2px,color:#fff

    Start(["🎯 Engagement starts"]):::terminal --> Mode

    Mode{"Engagement mode?

<i>bb-methodology Part 0</i>"}:::decision
    Mode -->|"Bug Bounty"| Scope
    Mode -->|"Red Team"| RTSetup
    Mode -->|"Pentest"| Scope

    RTSetup["Load red-team layer

<b>redteam-mindset</b>

DO NOT STOP directive

<b>mid-engagement-ir-detection</b>"]:::discipline
    RTSetup --> Scope

    Scope["<b>1. SCOPE</b>

hunt &lt;target&gt; → scaffold folder

Parse program rules

Fill scope.md

<i>skills: bug-bounty, bb-methodology</i>"]:::phase
    Scope --> Recon

    Recon["<b>2. RECON</b>

Subdomain enum · endpoint mapping

JS bundle harvest · identity fabric

<i>skills: offensive-osint, web2-recon</i>

commands: /recon · cbh recon &lt;target&gt;"]:::phase
    Recon --> Hunt

    Hunt["<b>3. HUNT</b>

Test bug-class hypotheses

Apply payloads from Pattern Libraries

<i>48 hunt-* skills auto-load by keyword</i>

commands: /hunt · /chain"]:::phase
    Hunt --> Found{"Lead

found?"}:::decision
    Found -->|"no"| Hunt
    Found -->|"yes"| Validate

    Validate["<b>4. VALIDATE</b>

Run the 7-Question Gate

Q1: real HTTP request?

Q2: accepted-impact list?

Q3: in scope?

Q4: no admin-only assumption?

Q5: not already known?

Q6: concrete impact, not 'technically possible'?

Q7: not on never-submit list?

<i>skill: triage-validation</i>

command: /triage"]:::phase
    Validate --> Verdict{"Gate verdict"}:::gate

    Verdict -->|"PASS

(all 7 ✓)"| Capture
    Verdict -->|"DOWNGRADE

(Q2 or Q5 fail)"| Capture
    Verdict -->|"CHAIN REQUIRED

(needs another primitive)"| Hunt
    Verdict -->|"KILL

(any other failure)"| Hunt

    Capture["<b>5. CAPTURE</b>

Cookie redaction · PII black-bar

HAR sanitization · screenshot order

<i>skill: evidence-hygiene</i>"]:::phase
    Capture --> Report

    Report["<b>6. REPORT</b>

Draft per platform template

H1 / Bugcrowd VRT / Intigriti / Immunefi

or client-facing DOCX (red-team)

<i>skills: report-writing, bugcrowd-reporting,

redteam-report-template</i>

command: /report"]:::phase
    Report --> Submit(["📨 Submit"]):::terminal

    Submit --> Track["Append UUID to submissions.txt

Cross-reference future chains

command: /remember"]
    Track --> Hunt

Key properties of this flow:

  • Validate gate is non-optional. Even if you're confident a finding is real, route it through /triage

Core symbols most depended-on inside this repo

say
called by 110
scripts/cbh.py
color
called by 41
scripts/cbh.py
db
called by 9
docs/verification/hardened-lab/app.py
db
called by 8
docs/verification/phase2e-lab/app.py
section
called by 5
scripts/cbh.py
current_user
called by 4
docs/verification/phase2e-lab/app.py
section
called by 4
docs/verification/phase3-playwright/harness.py
detect_burp
called by 2
scripts/cbh.py

Shape

Function 103
Route 43

Languages

Python100%

Modules by API surface

scripts/cbh.py24 symbols
docs/verification/phase2e-lab/app.py22 symbols
docs/verification/hardened-lab/app.py21 symbols
docs/verification/phase2i-lab/app.py17 symbols
docs/verification/phase2f-lab/app.py13 symbols
docs/verification/phase2g-lab/app.py11 symbols
docs/verification/phase3-playwright/target_app.py10 symbols
docs/verification/phase2h-lab/origin/app.py8 symbols
scripts/lint_skills.py5 symbols
docs/verification/phase3-playwright/harness.py5 symbols
scripts/refresh-cve-index.py4 symbols
skills/offensive-osint/scripts/secret_scan.py3 symbols

For agents

$ claude mcp add Claude-BugHunter \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact