hack

Original🇨🇳 Chinese
Translated

Entry P0 primary router for HackSkills. Use when the task involves web application testing, API security assessment, recon, vulnerability triage, exploit path planning, or choosing the right next category skill before any deep topic skill.

2installs
Sourceyaklang/hack-skills
Added on

NPX Install

npx skill4agent add yaklang/hack-skills hack

Tags

Translated version includes tags in frontmatter
web-securityapi-securitybug-bountypenetration-testingvulnerability-assessment

SKILL.md Content (Chinese)

View Translation Comparison →

HACKING SKILLS / HackSkills

Overview

This is a general entry skill for bug bounty, Web security, API security, authorized penetration testing.
Its core role is not to replace all topic-specific skills, but to help the Agent:
  1. First determine the testing phase (Recon / Verification / Privilege Escalation / Combined Chain)
  2. Then select the correct vulnerability category
  3. Avoid relying only on basic training data, prioritize using structured methodologies
  4. Prioritize focusing on boundary conditions that AI easily ignores but are very important in actual combat

Trust Model

  • This knowledge base emphasizes content security and auditability.
  • Use should be limited to the scope of authorized targets, legal research, defense verification, and allowed by bug bounty rules.
  • Do not use the techniques here for unauthorized attacks.

When to Use This Skill

Prioritize using this skill in the following scenarios:
  • You just took over a new bug bounty target and don't know what to test first
  • You need to decide which type of idea to load such as XSS / SQLi / SSRF / IDOR / JWT / API
  • You want the Agent to perform Web/API security testing according to a more stable methodology
  • You need to route scattered phenomena to the appropriate attack surface
  • You hope AI will miss fewer key test points in the security field

Operating Model

Step 1: Perform Recon and context confirmation first

Prioritize collecting:
  • Target type: traditional Web, REST API, mobile backend, admin backend, payment process, file upload, GraphQL
  • Identity and permission model: anonymous, regular user, administrator, multi-tenant
  • Input locations: URL, query parameters, JSON, Header, Cookie, file name, imported files, templates, echo points
  • Output locations: HTML, attributes, JS, PDF, email, logs, background tasks, mobile interfaces

Step 2: Route according to observed phenomena

PhenomenonPriority Direction
Input reflected to HTML / JSXSS / SSTI
The server actively accesses URL / hostnameSSRF
Receives XML / Office / SVGXXE
Path, file name, download interface are controllablePath Traversal / LFI
A large number of object IDs in APIIDOR / BOLA / BFLA
Login, password recovery, 2FA, SessionAuth Bypass / JWT / OAuth
Multi-step transactions, coupons, prices, inventoryBusiness Logic
MongoDB / JSON query syntax exposedNoSQL Injection
Command line tools, image processing, importersCommand Injection
HTTP request parsing anomaly / inconsistent frame splitting between front and back endsRequest Smuggling
Node.js JSON processing / 
__proto__
controllable		Prototype Pollution
PHP weak comparison / 0e hash / loose conditionsType Juggling
Duplicate parameters with the same name / inconsistent parsing between WAF and applicationHTTP Parameter Pollution
One-time operations (coupon/inventory/reset)Race Condition
XML/XSLT template processingXSLT Injection
.git/.svn/.env paths are accessibleInsecure SCM
CSV/Excel export functionCSV Formula Injection
WebSocket protocol upgradeWebSocket Security
Internal package names / supply chain inventoryDependency Confusion

Step 3: Use the test order with the highest hit probability

  1. Recon / Methodology
  2. API Security / Auth / IDOR
  3. XSS / SQLi / SSRF / SSTI / XXE
  4. Business Logic / Race Condition
  5. Combined chain and privilege escalation path

Core Skill Map

If you have the complete repository, prioritize using it together with these topic documents:
  • Recon and Methodology
  • XSS Cross Site Scripting
  • SQLi SQL Injection
  • SSRF Server Side Request Forgery
  • XXE XML External Entity
  • SSTI Server Side Template Injection
  • IDOR Broken Object Authorization
  • CMDi Command Injection
  • Path Traversal LFI
  • CSRF Cross Site Request Forgery
  • API Security Router
  • JWT OAuth Token Attacks
  • OAuth OIDC Misconfiguration
  • CORS Cross Origin Misconfiguration
  • SAML SSO Assertion Attacks
  • Authentication Bypass
  • Business Logic Vulnerabilities
  • Upload Insecure Files
  • NoSQL Injection
  • Request Smuggling
  • Prototype Pollution
  • Type Juggling (PHP)
  • HTTP Parameter Pollution
  • Race Condition
  • XSLT Injection
  • Insecure Source Code Management
  • CSV Formula Injection
  • WebSocket Security
  • Dependency Confusion
Previously separated small skills such as payload-selection and brute-selection have been merged back into the corresponding main skills to avoid excessive entry points causing loader burden and selection noise.

High-Value Expert Intuitions

These points are easily overlooked by many basic models, but are often effective in real bug bounty scenarios:
  1. The same set of filtering logic is often reused on multiple pages: If you can bypass it at one point, similar pages can usually be bypassed too.
  2. Parameter names themselves are also attack surfaces: WAFs often only monitor parameter values, not parameter names.
  3. Second-order vulnerabilities are very common: Being safe when stored does not mean it is safe when read and entered into a dangerous context.
  4. The essence of BOLA is "authenticated but not authorized": Switching between A/B accounts and replaying requests is very critical.
  5. Old version interfaces are most likely to miss patches: A fix in v2 does not mean v1 has been taken offline.
  6. Business logic vulnerabilities often have the highest returns: They are difficult for scanners to detect and are more likely to exist for a long time.
  7. Race Condition should prioritize testing "one-time" operations: Coupons, collection, reset, invitation, trial, inventory deduction.
  8. For JWT attacks, first look at the key and algorithm context: Do not blindly test payloads, first confirm 
    alg
    , 
    kid
    , JWKS, and key source.

Suggested Prompts

You can use this skill as a router, first let the Agent clarify the phase and target:
  • "First help me make a test route plan for this target according to the bug bounty methodology."
  • "This is a REST API, please prioritize reviewing it from the perspectives of BOLA, BFLA, Mass Assignment, and JWT."
  • "This parameter will trigger a server-side request, please list the key verification points according to the SSRF idea."
  • "This function is a payment/coupon/inventory process, please prioritize business logic and race conditions."
  • "I only see the login and password recovery process, please analyze according to the Auth Bypass + OAuth/JWT + CSRF route."

Installation Notes

Recommended skill name:
  • hack
Recommended search keywords:
  • HackSkills
  • HACKING SKILLS
  • bug bounty
  • bug bounty hunter

Guidelines

  • Prioritize routing according to target type and phenomenon, rather than randomly enumerating payloads.
  • When payloads are needed, prioritize using the quick start / first-pass samples in the corresponding main skill, instead of jumping to another intermediate entry.
  • Prioritize finding reusable filters, shared components, and cross-page reproduction paths.
  • First confirm the authentication boundary, authorization boundary, and version boundary before in-depth exploitation.
  • Prioritize retaining interpretable, auditable, and reproducible test processes.
  • When the complete repository is available, prioritize returning to the topic documents for more detailed attack details.