
feat: add 8 new hunt-* skills (LLM injection, JWT confusion, GraphQL, OAuth/OIDC, cloud SSRF, WebSocket, supply chain, race conditions)#30

Open
sseshachala wants to merge 1 commit into
elementalsouls:main from
sseshachala:feat/8-new-hunt-skills


@sseshachala

Contributor

Summary

Adds 8 new hunt skills covering modern attack surfaces. Motivated by issue #14.

| Skill | Gap filled | Reports |
|---|---|---|
| hunt-llm-injection | Prompt injection, indirect injection via RAG/tools, MCP hijacking, markdown exfil | 23 |
| hunt-jwt-confusion | RS256→HS256 confusion, none alg bypass, kid SQL/path injection, jwks_uri spoofing | 31 |
| hunt-graphql | Field-level IDOR, batching rate-limit bypass, injection via args, subscription hijacking | 27 |
| hunt-oauth-oidc | redirect_uri bypass, PKCE downgrade, dynamic client registration, CSWSH | 38 |
| hunt-ssrf-cloud | AWS IMDSv1/v2, GCP metadata, Azure IMDS, K8s SA token exfil — cloud-specific SSRF chains | 44 |
| hunt-websocket | CSWSH, upgrade auth bypass, WS message injection, IDOR on channels | 19 |
| hunt-supply-chain | Dependency confusion, GH Actions workflow injection, CDN SRI gaps, secrets in logs | 22 |
| hunt-race-conditions | Double spend, coupon reuse, OTP rate limit bypass, state machine bypass | 35 |

Format compliance

  • All descriptions ≤ 1024 chars ✅
  • All bodies ≤ 500 lines ✅
  • All follow: Crown Jewel Targets → Attack Surface Signals → Methodology → Automation → Chain Table → Validation ✅
  • Single responsibility per skill ✅
  • Cross-references to complementary existing skills included ✅

Relationship to existing skills

  • hunt-ssrf-cloud complements hunt-ssrf (cloud metadata paths + post-exploitation with harvested IAM creds)
  • hunt-oauth-oidc complements hunt-oauth (adds PKCE downgrade, dynamic client registration, OIDC-specific attacks)
  • hunt-race-conditions complements hunt-race-condition (adds HTTP/2 single-packet technique, state machine bypass, fintech double-spend)
  • hunt-websocket adds CSWSH PoC HTML, Socket.IO-specific techniques, WS message injection

Context

These skills will be integrated into Conduct AI's Security Loop — an automated security testing pipeline. Guard policies will be contributed back to the repo as patterns emerge from real engagements.

…urfaces

New skills:
- hunt-llm-injection: prompt injection, indirect injection, MCP tool hijacking, exfil via markdown
- hunt-jwt-confusion: RS256→HS256 confusion, none bypass, kid injection, jwks_uri spoofing
- hunt-graphql: IDOR, batching bypass, SQL injection in args, SSRF via resolvers, subscriptions
- hunt-oauth-oidc: redirect_uri bypass, CSRF, PKCE downgrade, dynamic client registration
- hunt-ssrf-cloud: AWS IMDSv1/v2, GCP metadata, Azure IMDS, K8s SA tokens, IAM exfil
- hunt-websocket: CSWSH, auth bypass on upgrade, WS message injection, IDOR on channels
- hunt-supply-chain: dependency confusion, GH Actions workflow injection, CDN SRI gaps
- hunt-race-conditions: double spend, coupon reuse, OTP bypass, state machine attacks

Each skill follows the standard format: frontmatter ≤1024 chars, body ≤500 lines,
Crown Jewel Targets → Attack Surface Signals → Methodology → Automation → Chain Table → Validation.

Addresses issue elementalsouls#14.