Reference Guides Library
Quick-access reference library for bug bounty hunting. Use these when researching attack vectors, building payloads, or learning new vulnerability classes.
Usage
/greyhatcc:guides — Show full reference library
/greyhatcc:guides <topic> — Show guides for a specific topic (e.g., "graphql", "oauth", "xss")
Context Loading (MANDATORY)
Before executing this skill:
- Load scope: .greyhatcc/scope.json — verify target is in scope, note exclusions
- Load hunt state: .greyhatcc/hunt-state.json — check active phase, resume context
- Load program files: findings_log.md, tested.json, gadgets.json — avoid duplicating work
- Load memory: check MEMORY.md for target-specific notes from previous sessions
Methodology & Workflow Guides
| Resource | URL | Focus |
|---|---|---|
| HowToHunt (KathanP19) | https://kathan19.gitbook.io/howtohunt | End-to-end bug hunting — recon, vuln hunting (XSS, SSRF, IDOR, business logic), report writing, tool setup, checklists |
| HackTricks (carlospolop) | https://book.hacktricks.xyz/ | Massive pentesting reference — web, infra, cloud (K8s, AWS), crypto (JWT, OAuth), bypasses, methodology flows |
| AllAboutBugBounty (daffainfo) | https://github.com/daffainfo/all-about-bug-bounty | Methodologies, payloads, writeups — recon, web/API testing, OAuth, JWT, tools, program selection |
| PayloadsAllTheThings (swisskyrepo) | https://github.com/swisskyrepo/PayloadsAllTheThings | 20+ vuln type payloads — XSS, SQLi, SSRF, LFI, race conditions, NoSQLi. Copy-paste ready |
| PortSwigger Web Security Academy | https://portswigger.net/web-security | Interactive labs — XSS, SQLi, SSRF, auth, access control, prototype pollution, HTTP smuggling |
| OWASP Testing Guide (v4.2+) | https://owasp.org/www-project-web-security-testing-guide/ | Official testing methodology — 10+ categories, structured checklists, GraphQL & serverless |
| Bug Bounty Roadmap (bittentech) | https://github.com/bittentech/Bug-Bounty-Roadmap | Structured learning path — tools, recon, vuln deep-dives |
Vulnerability-Specific Cheatsheets
Authentication & Authorization
Injection
| Resource | URL | Covers |
|---|---|---|
| XSS Payloads (payloadbox) | https://github.com/payloadbox/xss-payload-list | Comprehensive XSS payload collection — reflected, stored, DOM, filter bypass |
| SQLi Payloads (payloadbox) | https://github.com/payloadbox/sql-injection-payload-list | SQLi payloads for MySQL, PostgreSQL, MSSQL, Oracle, SQLite |
| SSTI Payloads (PayloadsAllTheThings) | https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection | Jinja2, Twig, Freemarker, Pebble, Velocity, Smarty |
| SQLMap | https://sqlmap.org/ | Automated SQL injection — detection, exploitation, data exfil |
| XSS Hunter | https://xsshunter.trufflesecurity.com/ | Blind XSS callback service |
Server-Side Attacks
| Resource | URL | Covers |
|---|---|---|
| SSRF Bible (PayloadsAllTheThings) | https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Request%20Forgery | Cloud metadata, internal service discovery, protocol smuggling, bypass techniques |
| XXE Payloads (PayloadsAllTheThings) | https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XXE%20Injection | OOB exfiltration, blind XXE, parameter entities |
| Deserialization (HackTricks) | https://book.hacktricks.xyz/pentesting-web/deserialization | Java (ysoserial), PHP (phar://), Python, .NET, Ruby gadget chains |
| Prototype Pollution (HackTricks) | https://book.hacktricks.xyz/pentesting-web/deserialization/nodejs-proto-prototype-pollution | Client-side, server-side, PP-to-RCE chains |
API & GraphQL
| Resource | URL | Covers |
|---|---|---|
| GraphQL Attacks (HackTricks) | https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/graphql | Introspection, batching, DoS, field-level authz, alias abuse |
| GraphQL Voyager | https://graphql-kit.com/graphql-voyager/ | Visual GraphQL schema exploration |
| Clairvoyance | https://github.com/nikitastupin/clairvoyance | Blind GraphQL schema reconstruction when introspection disabled |
| API Security (OWASP) | https://owasp.org/API-Security/ | OWASP API Top 10 — BOLA, broken auth, excessive data exposure |
| Swagger/OpenAPI finder | Common paths: /docs, /api-docs, /v3/api-docs, /openapi.json, /swagger.json, /swagger-ui.html | API spec discovery |
HTTP Smuggling & Race Conditions
Cloud & Infrastructure
Mobile & Client-Side
Subdomain & DNS
Expert Methodology Videos & Courses
Books
| Book | Author | Focus |
|---|---|---|
| Bug Bounty Bootcamp | Vickie Li | Comprehensive beginner-to-intermediate guide |
| Web Hacking 101 | Peter Yaworski | Real-world HackerOne report breakdowns |
| The Web Application Hacker's Handbook | Stuttard & Pinto | Deep web app security methodology |
| Real-World Bug Hunting | Peter Yaworski | Curated disclosed bug writeups |
Context7 Live Documentation (MCP)
In addition to static references above, use Context7 MCP to pull up-to-date documentation for any technology found in the target's stack. This gives you framework-specific security details that static cheatsheets may not cover.
Usage Pattern
Step 1: Resolve the library
Use: mcp__Context7__resolve-library-id
libraryName: "<framework>"
query: "security vulnerabilities configuration"
Step 2: Query relevant docs
Use: mcp__Context7__query-docs
libraryId: "<resolved ID>"
topic: "<security-relevant topic>"
Recommended Queries by Tech
| Technology | libraryName | Query Topic |
|---|---|---|
| Next.js | next.js | security middleware CORS authentication API routes |
| Spring Boot | spring-boot | actuator security configuration CORS CSRF |
| Express | express | security middleware CORS helmet session |
| Django | django | security settings CSRF authentication middleware |
| Apollo GraphQL | apollo-server | introspection depth limiting authentication plugins |
| Flask | flask | security CORS session secret key |
| Laravel | laravel | authentication CORS middleware CSRF |
| Rails | ruby-on-rails | security CSRF authentication strong parameters |
| FastAPI | fastapi | security OAuth2 CORS dependencies authentication |
| AWS CDK/SDK | aws-cdk | S3 bucket policy IAM Cognito Lambda permissions |
| Firebase | firebase | security rules authentication storage Firestore |
| WordPress | wordpress | REST API authentication hooks security |
Why Context7 Matters for Bug Bounty
Static cheatsheets show attack patterns. Context7 shows what the framework does by default — the gap between default behavior and secure configuration is where bugs live. If the docs say "CORS allows all origins by default" and the target uses that framework, you have a high-confidence test vector.
State Updates
After completing this skill:
- Update tested.json — record what was tested (asset + vuln class)
- Update gadgets.json — add any informational findings with provides/requires tags for chaining
- Update findings_log.md — log any confirmed findings with severity
- Update hunt-state.json if in an active hunt — set the lastActivity timestamp
How to Use During an Engagement
- Before testing a vuln type: Open the relevant cheatsheet section above
- Building payloads: Start with PayloadsAllTheThings, adapt to target
- Stuck on a vuln class: Read the HackTricks page + PortSwigger labs for that class
- Reviewing attack surface: Cross-reference HowToHunt checklist per asset type
- Writing reports: Follow OWASP naming for vuln types, reference CWE IDs from HackTricks
Quick Lookup by Vulnerability Type
XSS → PayloadsAllTheThings + payloadbox/xss-payload-list + PortSwigger labs
SQLi → PayloadsAllTheThings + payloadbox/sql-injection-payload-list + sqlmap
SSRF → PayloadsAllTheThings SSRF section + HackTricks
IDOR → HowToHunt IDOR section + AllAboutBugBounty
OAuth → HackTricks OAuth + OWASP cheatsheet
JWT → HackTricks JWT + jwt_tool
GraphQL → HackTricks GraphQL + clairvoyance
Race Cond → HackTricks + PortSwigger race conditions
SSTI → PayloadsAllTheThings SSTI section
Smuggling → PortSwigger request smuggling labs
Subdomain → can-i-take-over-xyz + HackTricks
Cloud → HackTricks Cloud + cloud_enum
Mobile → OWASP MAS + Frida + objection