Skill

zerodayhunt

Hunts zero-days, backdoors, RCE, SSRF chains, JWT vulns, supply chain attacks, cloud misconfigs, CI/CD flaws, and business logic issues missed by scanners.

Bash

security

npx claudepluginhub kalpmodi/akira

Tool Access

This skill uses the workspace's default tool permissions.

Preview

Automated tools find known CVEs. This skill finds what scanners miss:

Supporting Assets

SKILL.md

Similar Skills

exploit

Executes exploitation tests for web/API vulnerabilities like SQLi, XSS, SSRF, JWT confusion, deserialization, prototype pollution during pentest phase 3.

20 files

akira

red-team-tools

36.4k

Automates red team recon workflows: subdomain enum with Amass/Subfinder, live hosts via httpx/httprobe, tech fingerprinting with WhatWeb/Nuclei. For authorized pentests.

antigravity-awesome-skills

wooyun-legacy

220

Provides web vulnerability testing methodology from 88,636 WooYun cases for penetration testing, security audits, code reviews, and research. Covers SQLi, XSS, RCE, file upload, path traversal, unauthorized access.

20 files4 tools

wooyun-legacy

Stats

Stars12

Forks4

Last CommitApr 25, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

Zero-Day & Critical Vulnerability Hunt

Philosophy

Automated tools find known CVEs. This skill finds what scanners miss: logic flaws, architecture leaks, supply chain vectors, auth bypasses, and chained attacks. Evidence required before claiming ANY finding. Never hallucinate - if you didn't see it in a response body, it didn't happen.

The rule that separates elite from script kiddie: A single finding is rarely Critical. The payout comes from CHAINING. SSRF + AWS metadata = IAM creds = cloud takeover. Info disclosure + IDOR = mass PII = Critical. Always ask: "What can I do WITH this?"

Critical rule: NEVER stop at "SSRF/network reachability possible" or "endpoint exists". Must prove full chain: credentials extracted, PII accessed, or data exfiltrated. A 200 with empty body = WAF catch-all, not a real finding.

ARGUMENTS

<target> - domain (e.g. target.com) <focus> - optional: RCE / SSRF / IDOR / SUPPLY-CHAIN / JWT / BUSINESS-LOGIC / CHAIN / ALL

Phase 0: Smart Intake

source ~/.claude/skills/_shared/phase0.sh
source ~/.claude/skills/_shared/signals.sh
p0_init_vars "$1"
p0_state_gate "HARVEST" || exit 0
p0_read_relay recon secrets exploit
p0_read_memory
p0_read_hypotheses

# Aliases for downstream phase references
TECH_STACK=$KNOWN_TECH
ALL_ENDPOINTS="$INTERESTING_ENDPOINTS $WAYBACK_ENDPOINTS $API_SPEC_ENDPOINTS"
ATW_FLAGGED=$(echo "$ATW_FLAGGED" 2>/dev/null)

echo "=== ZERODAYHUNT SMART INTAKE: $TARGET ==="
echo "State: $STATE | WAF: $WAF | Tech: $TECH_STACK"
echo "Top hypothesis: $TOP_HYPO_LABEL [$TOP_HYPO_PROB%]"
echo "SSRF vectors from exploit: $(echo "$SSRF_VECTORS" | wc -l)"
echo "Internal IPs available: $(echo "$INTERNAL_IPS" | wc -w)"
echo "JWT tokens: $(echo "$JWT_TOKENS" | wc -l)"
echo "Prior confirmed findings: $(echo "$CONFIRMED_VULNS" | wc -l)"
echo "ATW flagged (skip): $ATW_FLAGGED"
echo ""
echo "Phase selection - run phases where we have targets:"
[ -n "$SSRF_VECTORS" ] && echo "  Phase 8 (SSRF): YES - $(echo "$SSRF_VECTORS" | wc -l) vectors to chain"
[ -n "$JWT_TOKENS" ] && echo "  Phase 7 (JWT): YES - tokens found"
[ -n "$INTERNAL_IPS" ] && echo "  Phase 8 (SSRF pivot): YES - internal IPs to target"
[ -n "$CONFIRMED_VULNS" ] && echo "  Phase 23 (Chain): YES - $(echo "$CONFIRMED_VULNS" | wc -l) confirmed to chain"

Chain-first strategy: Look at what's already confirmed in prior phases and ask "What can I chain WITH this?" before hunting new vectors. SSRF already confirmed + AWS detected = immediately go to IMDSv1 chain. Auth bypass confirmed = immediately check IDOR chain.

Phase 1 - Full Context Build

SSRF_VECTORS -> target these for cloud metadata chains
INTERNAL_IPS -> SSRF target list for lateral movement
JWT_TOKENS -> JWT confusion candidates (check alg header)
TECH_STACK -> picks specific phases to prioritize (see table below)
VERIFIED_CREDS -> credential spray on all surfaces before hunting new vulns
WAF -> Phase 2 first if WAF present
ALL_ENDPOINTS -> full attack surface for every subsequent phase

Phase priority by tech stack:

Tech detected	Run these phases FIRST
AWS + SSRF_VECTOR	Phase 8 -> Phase 12 (cloud asset chain)
Node.js + JWT	Phase 7 (JWT confusion), Phase 25 (prototype pollution)
Spring Boot	Phase 15 (SSTI/deserialization), Phase 16 (CI/CD)
OAuth/OIDC	Phase 7 (JWT), Phase 31 (SAML/SSO)
GraphQL	Phase 17 (introspection, batching)
React/webpack	Phase 18 (source maps), Phase 5 (JS bundles)
any	Phase 23 (chain blueprints) - always run this last

Execution Manifest

Write to session.json.scalpel.active_manifest before starting:

{
  "skill": "zerodayhunt",
  "target": "<target>",
  "items": [
    {"id": "zdh01", "priority": "MUST",     "tool": "waf-header-mining",  "target": "<target>", "status": "pending"},
    {"id": "zdh02", "priority": "MUST",     "tool": "github-js-sourcemap","target": "<target>", "status": "pending"},
    {"id": "zdh03", "priority": "MUST",     "tool": "ssrf-oob",           "target": "<target>", "status": "pending"},
    {"id": "zdh04", "priority": "MUST",     "tool": "jwt-saml-sso",       "target": "<target>", "status": "pending"},
    {"id": "zdh05", "priority": "MUST",     "tool": "chain-blueprints",   "target": "<target>", "status": "pending"},
    {"id": "zdh06", "priority": "SHOULD",   "tool": "business-logic",     "target": "<target>", "status": "pending"},
    {"id": "zdh07", "priority": "SHOULD",   "tool": "supply-chain",       "target": "<target>", "status": "pending"},
    {"id": "zdh08", "priority": "SHOULD",   "tool": "admin-infra",        "target": "<target>", "status": "pending"},
    {"id": "zdh09", "priority": "SHOULD",   "tool": "ssti-deser-xxe",     "target": "<target>", "status": "pending"},
    {"id": "zdh10", "priority": "SHOULD",   "tool": "cors-host",          "target": "<target>", "status": "pending"},
    {"id": "zdh11", "priority": "SHOULD",   "tool": "race-timing",        "target": "<target>", "status": "pending"},
    {"id": "zdh12", "priority": "SHOULD",   "tool": "cicd",               "target": "<target>", "status": "pending"},
    {"id": "zdh13", "priority": "SHOULD",   "tool": "graphql",            "target": "<target>", "status": "pending"},
    {"id": "zdh14", "priority": "IF_TIME",  "tool": "takeover-cloud",     "target": "<target>", "status": "pending"},
    {"id": "zdh15", "priority": "IF_TIME",  "tool": "mobile-apk",         "target": "<target>", "status": "pending"},
    {"id": "zdh16", "priority": "IF_TIME",  "tool": "client-proto",       "target": "<target>", "status": "pending"},
    {"id": "zdh17", "priority": "IF_TIME",  "tool": "file-crypto",        "target": "<target>", "status": "pending"},
    {"id": "zdh18", "priority": "IF_TIME",  "tool": "websocket-api",      "target": "<target>", "status": "pending"},
    {"id": "zdh19", "priority": "IF_TIME",  "tool": "xs-leaks",           "target": "<target>", "status": "pending"},
    {"id": "zdh20", "priority": "MUST",     "tool": "output",             "target": "<target>", "status": "pending"}
  ]
}

Technique Loader

Load the relevant technique file from ~/.claude/skills/zerodayhunt/tech/ based on active manifest item:

Manifest item	File	Phases covered
waf-header-mining	tech/waf-header-mining.md	Phase 2, 3, 20
github-js-sourcemap	tech/github-js-sourcemap.md	Phase 4, 5, 18
supply-chain	tech/supply-chain.md	Phase 6
jwt-saml-sso	tech/jwt-saml-sso.md	Phase 7, 31
ssrf-oob	tech/ssrf-oob.md	Phase 8, 32
business-logic	tech/business-logic.md	Phase 9, 27
race-timing	tech/race-timing.md	Phase 10, 21
takeover-cloud	tech/takeover-cloud.md	Phase 11, 12
mobile-apk	tech/mobile-apk.md	Phase 13
cors-host	tech/cors-host.md	Phase 14
ssti-deser-xxe	tech/ssti-deser-xxe.md	Phase 15
cicd	tech/cicd.md	Phase 16
graphql	tech/graphql.md	Phase 17
admin-infra	tech/admin-infra.md	Phase 19, 28
websocket-api	tech/websocket-api.md	Phase 22
chain-blueprints	tech/chain-blueprints.md	Phase 23
client-proto	tech/client-proto.md	Phase 24, 25
file-crypto	tech/file-crypto.md	Phase 26, 29
xs-leaks	tech/xs-leaks.md	Phase 30
output	tech/output.md	Evidence Classification + Output + Phase-End

Hypothesis-Driven Prioritization

After Phase 0, reprioritize manifest based on intel:

Condition	Move to MUST
`AWS_HINT=true` and any SSRF vector	ssrf-oob, chain-blueprints (Chain B/H)
`JWT_TOKENS` found	jwt-saml-sso
`TECH_STACK` contains Node.js	client-proto (prototype pollution)
`TECH_STACK` contains Java/Spring	ssti-deser-xxe
GraphQL endpoint discovered	graphql
GitHub org found in recon	github-js-sourcemap, supply-chain, cicd
E-commerce target	business-logic, race-timing
`SSRF_VECTORS` from exploit relay	ssrf-oob (escalate existing)
`CONFIRMED_VULNS` has any finding	chain-blueprints (always)

Skip ATW-flagged techniques. Doom loop guard in output.md.

Signal Reference

All signals emitted via emit_signal from _shared/signals.sh:

Signal type	When	Confidence
`VULN_CONFIRMED`	Full chain proven with evidence	0.93-0.97
`SURFACE_FOUND`	New attack surface (takeover, supply chain)	0.88-0.90
`CRED_FOUND`	Credential discovered and verified	0.92
`POTENTIAL`	Probe positive but chain unconfirmed	0.60-0.75