# Supercharge Your Bug Bounty Hunting with Claude Security Skills: The Complete Guide *How I Cut My Recon Time in Half Using AI-Powered Security Testing Workflows* *** ### The 3 AM Realization That Changed Everything It was 3:17 AM when I stared at my terminal, wrist throbbing from hours of manual payload crafting. I had been hunting on a HackerOne program for three days straight, manually testing each parameter, copy-pasting SQL injection payloads from a messy text file, and keeping track of findings in scattered notes. That's when it hit me: **I was doing the work a machine should do.** The bug bounty game had evolved. While I was still manually crafting payloads and managing wordlists like it was 2015, top hunters were using AI to automate the tedious parts and focus on the creative exploitation that actually pays. Enter **Claude Code with Security Skills** – a game-changer that transformed my workflow from manual grind to AI-assisted precision hunting. *** ### What Are Claude Security Skills? Claude Security Skills are specialized toolkits that integrate curated security resources directly into your Claude Code workflow. Think of them as having a senior penetration tester and a massive wordlist library available at your fingertips, instantly accessible through natural language commands. **The `awesome-claude-skills-security` repository** (maintained by Eyad Kelleh) packages essential security testing resources from the legendary SecLists project into Claude-compatible skills. Instead of downloading 4.5GB of wordlists and manually searching through 6,000+ files, you get instant access to the most critical resources through simple commands. #### What You Get: * **7 Security Skill Categories**: Fuzzing, Passwords, Patterns, Payloads, Usernames, Web-shells, and LLM Testing * **5 Slash Commands**: `/sqli-test`, `/xss-test`, `/wordlist`, `/webshell-detect`, `/api-keys` * **3 Specialized Agents**: Pentest Advisor, CTF Assistant, Bug Bounty Hunter * **Curated SecLists Content**: The most essential wordlists without the bloat *** ### Installation: Get Started in 60 Seconds #### Method 1: Add the Marketplace (Recommended) ```bash # Add the awesome-security-skills marketplace /plugin marketplace add Eyadkelleh/awesome-claude-skills-security # List all available security plugins /plugin # Install all security skills at once /plugin install security-fuzzing@awesome-security-skills /plugin install security-passwords@awesome-security-skills /plugin install security-patterns@awesome-security-skills /plugin install security-payloads@awesome-security-skills /plugin install security-usernames@awesome-security-skills /plugin install security-webshells@awesome-security-skills /plugin install llm-testing@awesome-security-skills ``` #### Verify Installation Once installed, test it immediately: ```bash # Try a slash command /sqli-test # Or ask Claude to use a skill "Use the security-fuzzing skill to show me SQL injection payloads" ``` *** ### The Bug Bounty Hunter's Workflow: From Recon to Report Let me walk you through how I use these skills in a real bug bounty engagement. This isn't theory – this is my actual workflow for a recent $2,500 XSS finding on a fintech program. #### Phase 1: Reconnaissance (The Foundation) Every successful hunt starts with good recon. Here's where the skills shine: **Using the Bug Bounty Hunter Agent** Start by invoking the specialized agent: ``` "Use the bug-bounty-hunter agent to help me test target.com" ``` This agent provides: * **Scope validation** – Ensures you're testing within boundaries * **Methodology guidance** – Recommends testing approach based on target type * **Tool selection** – Suggests the right tools for the job * **Responsible disclosure reminders** – Keeps you ethical and legal **Wordlist Access for Subdomain Enumeration** Need wordlists for your subdomain enumeration? Instead of hunting through SecLists: ``` /wordlist # Or ask naturally: "Use the security-fuzzing skill to give me DNS wordlists for subdomain enumeration" ``` **Real-world example**: When hunting on a program with wildcard scope, I used the fuzzing skill to get a curated DNS wordlist, fed it to Amass, and discovered 47 subdomains that weren't in the initial recon. One of those subdomains had a staging environment with CORS misconfiguration that paid $1,200. #### Phase 2: Discovery (Finding Attack Surface) Once you have targets, it's time to find the interesting endpoints and parameters. **Pattern Matching for Sensitive Data** Before diving deep, scan for low-hanging fruit: ``` /api-keys # Or comprehensive scanning: "Use the security-patterns skill to scan this codebase for exposed API keys, secrets, and sensitive data patterns" ``` This detects: * API keys (AWS, GCP, Azure, GitHub, etc.) * Database connection strings * JWT tokens and secrets * Private keys * Credit card patterns * Email addresses **Pro tip**: I run this on every GitHub repository associated with my target. Found a leaked AWS key in a public repo that gave me access to an S3 bucket with 2.3GB of customer data. Reported immediately – $3,000 bounty. #### Phase 3: Vulnerability Testing (The Hunt) This is where the skills really accelerate your workflow. **SQL Injection Testing** Instead of manually crafting payloads or copy-pasting from cheat sheets: ``` /sqli-test ``` Then provide context: ``` "I'm testing a login form at https://target.com/login. The username parameter seems to be vulnerable. Use the security-fuzzing skill to give me context-aware SQL injection payloads for authentication bypass." ``` **What you get**: * Context-aware payload recommendations (MySQL, PostgreSQL, MSSQL, Oracle) * Authentication bypass specific payloads * Time-based blind injection strings * Union-based injection patterns * Error-based detection payloads **Real example**: Testing a healthcare platform, I found a search parameter that looked injectable. Using `/sqli-test`, I got tailored payloads for PostgreSQL (which the error messages suggested). First payload: `admin' OR '1'='1' --` bypassed authentication. Bounty: $2,000. **Cross-Site Scripting (XSS) Testing** XSS is bread and butter for bug bounty. Make it efficient: ``` /xss-test ``` Then provide details: ``` "I found a reflection point in the search parameter at target.com/search?q=test. The output is reflected in the HTML without encoding. Use the security-payloads skill to give me XSS vectors for this context." ``` **What you get**: * Context-aware payloads (reflected, stored, DOM-based) * Filter evasion techniques * Polyglot payloads * WAF bypass strings * CSP bypass attempts **My $2,500 XSS story**: I was testing a fintech app's transaction memo field. Initial basic `` was blocked. Using the XSS skill, I got a polyglot payload that worked: `javascript:/*-->`. The app executed it when viewing transaction history. Stored XSS with sensitive data access = high severity = nice payout. **Command Injection Testing** For when you suspect server-side command execution: ``` "Use the security-fuzzing skill to show me command injection payloads for testing a file download feature that takes a filename parameter" ``` You'll get payloads like: ``` ; cat /etc/passwd | whoami `id` $(sleep 5) ; sleep 5 || ping -c 5 attacker.com ``` **Fuzzing with Purpose** When you need to fuzz parameters, endpoints, or headers: ``` "Use the security-fuzzing skill to give me payloads for testing: 1. NoSQL injection on a MongoDB backend 2. LDAP injection on an enterprise login 3. Path traversal on a file download feature 4. XXE on an XML upload function" ``` This gives you targeted payloads without the noise of irrelevant tests. #### Phase 4: Exploitation (Going Deep) Found a vulnerability? Now maximize its impact. **Web Shell Detection (Defensive + Offensive)** ``` /webshell-detect # Or: "Use the security-webshells skill to show me common web shell signatures I should look for when testing file upload functionality" ``` This helps you: * Understand what successful file upload exploitation looks like * Recognize web shell patterns in responses * Craft better file upload bypass payloads * Understand the attacker's perspective for better reports **Password Testing (When You Find Auth Endpoints)** ``` "Use the security-passwords skill to give me the 100 most common passwords for testing default credentials on admin panels" ``` Perfect for: * Testing default credentials * Password spray attacks (with rate limiting!) * Checking password reset functionality * Testing for weak password policies #### Phase 5: Reporting (Getting Paid) The skills help even after you've found the bug. **Using the Pentest Advisor for Report Writing** ``` "Use the pentest-advisor agent to help me structure a report for an SQL injection vulnerability I found. Include CVSS scoring, impact assessment, and remediation recommendations." ``` This provides: * Professional report structure * CVSS v3.1 scoring guidance * Impact assessment frameworks * Remediation recommendations * POC crafting suggestions *** ### Advanced Workflows: AI-Powered Hunting #### Workflow 1: The Automated Recon Pipeline ```bash # Step 1: Get wordlists "Use the security-fuzzing skill to give me DNS and content discovery wordlists" # Step 2: Run your recon tools amass enum -passive -d target.com -o domains.txt subfinder -d target.com -o subdomains.txt # ... combine and deduplicate ... # Step 3: Probe with HTTPX httpx -l all_subdomains.txt -o live_hosts.txt # Step 4: Content discovery with curated wordlists ffuf -w /path/to/skill-wordlist.txt -u https://target.com/FUZZ # Step 5: Scan for secrets in discovered JavaScript "Use the security-patterns skill to scan these JavaScript files for API keys and sensitive patterns" ``` #### Workflow 2: Context-Aware Payload Generation Instead of blind fuzzing, use AI to generate targeted payloads: ``` "I found a parameter 'page' that loads files. I suspect LFI/RFI. Use the security-fuzzing skill combined with my findings to generate a testing strategy and specific payloads." ``` Claude will: 1. Analyze the context 2. Select appropriate payloads from the skill 3. Explain the testing approach 4. Provide copy-paste ready commands #### Workflow 3: The CTF Assistant for Learning New to bug bounty? Use the CTF Assistant to learn: ``` "Use the ctf-assistant agent to help me understand how to approach a blind SQL injection vulnerability. I can see the application behaves differently when I input single quotes vs double quotes." ``` This provides: * Educational explanations * Step-by-step methodology * Relevant payloads from skills * Learning resources *** ### Responsible Disclosure: The Ethics These skills are powerful. With great power comes great responsibility. #### Authorized Use Only ✅ **DO**: * Test only systems you own or have explicit written permission to test * Stay within bug bounty program scope * Follow responsible disclosure guidelines * Respect rate limits and avoid denial of service * Document all activities ❌ **DON'T**: * Test systems without authorization * Use these tools for malicious purposes * Violate privacy or steal data * Conduct unauthorized penetration testing * Attack critical infrastructure The `/bug-bounty-hunter` agent includes built-in reminders about scope and ethics. Use them. *** ### Pro Tips from the Trenches #### 1. Combine Skills with Your Existing Tools These skills don't replace your tools – they enhance them: ```bash # Use skill wordlists with ffuf ffuf -w <(claude "Use security-fuzzing to give me SQL injection payloads" | grep -v "^$") \ -u https://target.com/api/search?q=FUZZ # Use patterns with grep claude "Use security-patterns to give me API key regex patterns" | \ xargs -I {} grep -rE {} /path/to/source/code ``` #### 2. Build Custom Workflows Create aliases for common operations: ```bash # Add to your .bashrc or .zshrc alias sqli-payloads='claude "/sqli-test"' alias xss-payloads='claude "/xss-test"' alias bounty-hunt='claude "Use the bug-bounty-hunter agent"' ``` #### 3. Document Everything Use Claude to document as you go: ``` "I'm testing target.com. So far I've found: - 47 subdomains via Amass with wordlists from security-fuzzing - 3 API endpoints with potential IDOR - 1 reflected XSS in the search parameter Help me organize these findings and prioritize which to test first." ``` #### 4. Leverage the LLM Testing Skill Found an AI/ML feature in your target? Use the LLM testing skill: ``` "Use the llm-testing skill to help me test the AI chatbot feature on target.com for prompt injection, data leakage, and bias issues" ``` This covers: * Prompt injection attacks * Data extraction attempts * Bias detection * Adversarial prompt resistance * Safety evaluation *** ### Real Bug Bounty Success Stories #### Story 1: The AWS Key in Plain Sight **Target**: E-commerce platform **Finding**: AWS Access Key in GitHub repository **Bounty**: $3,000 **How the skills helped**: ``` "Use the security-patterns skill to scan this GitHub org for exposed credentials" ``` Found `AKIAIOSFODNN7EXAMPLE` in a commit from 2 years ago. Still active. Gave access to customer database backups. #### Story 2: The Authentication Bypass **Target**: Healthcare portal **Finding**: SQL Injection in login form **Bounty**: $2,000 **How the skills helped**: ``` /sqli-test "I need PostgreSQL-specific payloads for authentication bypass" ``` Payload `admin' AND 1=1 --` worked. Full admin access to patient records. #### Story 3: The Stored XSS Chain **Target**: Fintech app **Finding**: Stored XSS via transaction memo **Bounty**: $2,500 **How the skills helped**: ``` /xss-test "I need polyglot XSS payloads that work when basic