Share
## https://sploitus.com/exploit?id=1ADB854B-638B-5083-8DC1-BACC5F34AB9C
# CRUXSS Bug Bounty Agent

A semi-autonomous bug bounty hunting agent built on [Claude Code](https://claude.ai/code).
Executes the full offensive security pipeline with engagement-aware scope enforcement,
token-efficient architecture, and structured output for every finding.

```
New Engagement โ†’ Recon โ†’ Threat Model โ†’ Hunt โ†’ Validate โ†’ Report
```

Every phase pauses for human approval. Reports are never auto-submitted.
Every test maps to a CRUXSS ID cross-referenced with OWASP, MITRE ATT&CK, and CWE.

---

## What This Is

Bug bounty hunting involves a repeatable workflow โ€” recon, threat modeling,
vulnerability testing, validation, and reporting. This project automates the
mechanical parts of that workflow while keeping a human in the loop for every
decision that matters.

The agent is **engagement-first**: before touching any target, it reads the
full program policy, extracts all rules and restrictions, identifies the
highest-value targets, and enforces everything automatically throughout testing.
Different programs have different scopes, rate limits, forbidden techniques,
and required headers โ€” the agent handles all of it per engagement.

---

## Architecture

```
.claude/commands/
โ””โ”€โ”€ cruxss.md              โ† single entry point (~400 tokens at startup)

agents/                    โ† loaded on demand, not at startup
โ”œโ”€โ”€ engagement-intake.md   โ† parses program policy, CSV, PDF, or URL
โ”œโ”€โ”€ scout.md               โ† discovers programs via HackerOne API
โ”œโ”€โ”€ scope-analyst.md       โ† extracts rules and generates engagement files
โ”œโ”€โ”€ bb-agent.md            โ† runs phases 1-3 (recon, threat model, hunt)
โ””โ”€โ”€ report.md              โ† validates findings and drafts reports

phases/                    โ† methodology, loaded one file at a time
โ”œโ”€โ”€ 01-recon.md            โ† OSINT, DNS, cloud assets, fingerprinting
โ”œโ”€โ”€ 02-learn.md            โ† threat modeling, disclosed reports, crown jewels
โ”œโ”€โ”€ 03-hunt/               โ† 15 individual topic files (IDOR, SSRF, XSS, etc.)
โ”œโ”€โ”€ 04-validate.md         โ† 7-Question Gate, CVSS 3.1, findings summary
โ””โ”€โ”€ 05-report.md           โ† report templates, human-tone rules, escalation

checklists/                โ† CRUXSS pentest checklists (OWASP / MITRE mapped)
templates/                 โ† blank engagement template
examples/                  โ† redacted real findings showing output format
session/                   โ† per-engagement folders (private repo, gitignored)
```

**Token efficiency:** The agent loads ~400 tokens at startup instead of loading
all methodology files upfront. Individual phase files and hunt topics are loaded
only when needed, reducing active context by ~85% compared to a naive approach.

---

## Key Features

### Engagement-First Scope Enforcement

Every engagement starts with a scope briefing. The agent accepts program policy
via paste, CSV download, URL, or PDF โ€” extracts all rules, restrictions, and
crown jewels โ€” and enforces them automatically throughout testing.

```
/cruxss new

โ†’ "How are you providing scope?"
  1. Paste policy text
  2. Paste CSV from scope table
  3. Program URL (fetches automatically)
  4. PDF documentation
  5. Multiple sources combined

โ†’ Extracts: in-scope assets, out-of-scope assets, rate limits,
  required headers, forbidden techniques, crown jewels, rejection list

โ†’ Confirms with operator before saving

โ†’ Enforces everything automatically during testing
```

### Program Discovery via HackerOne API

```
/cruxss find

โ†’ Queries HackerOne API for public programs
โ†’ Scores each by opportunity (bounty range, scope size, untested assets,
  fast payments, safe harbour, active campaigns)
โ†’ Returns ranked top 10 with rationale
โ†’ Feeds directly into engagement setup
```

### Semi-Autonomous Pipeline

The agent runs each phase fully, then pauses for approval:

```
Phase 1: Recon         โ†’ asset discovery, fingerprinting, quick wins
Phase 2: Threat Model  โ†’ crown jewel identification, attack surface mapping
Phase 3: Hunt          โ†’ targeted vulnerability testing per engagement rules
Phase 4: Validate      โ†’ 7-Question Gate, CVSS scoring, deduplication check
Phase 5: Report        โ†’ structured draft ready for manual submission
```

### Multi-Engagement Support

Each program gets an isolated session folder. Switch between active
engagements instantly without losing context:

```
/cruxss switch 
```

### Aโ†’B Bug Chaining

When a lead is confirmed, the agent checks known chain patterns
and suggests escalation paths:

```
/cruxss chain 

SSRF โ†’ cloud metadata โ†’ IAM credential exfil โ†’ potential RCE
Open redirect โ†’ OAuth redirect_uri โ†’ auth code theft โ†’ ATO
IDOR (read) โ†’ PUT/DELETE same endpoint โ†’ full data manipulation
```

---

## Quick Start

### Prerequisites
- [Claude Code](https://claude.ai/code) installed and authenticated
- Go 1.21+, Python 3.10+, Node 18+
- Kali Linux or any Debian-based system (recommended)

### Install
```bash
git clone https://github.com/cruxN3T/cruxss-bb-agent.git
cd cruxss-bb-agent
bash bb-agent-setup.sh
```

### Register with Claude Code
```bash
claude --add-dir .
```

### Start a new engagement
```bash
claude
/cruxss new
```

Full setup guide including VirtualBox shared folder, Obsidian integration,
and two-repo security architecture: [SETUP.md](SETUP.md)

---

## Command Reference

| Command | What it does |
|---|---|
| `/cruxss new` | Start a new engagement โ€” intake scope and rules |
| `/cruxss find` | Discover programs via HackerOne API |
| `/cruxss start ` | Begin hunt pipeline on a set-up engagement |
| `/cruxss switch ` | Switch to a different active engagement |
| `/cruxss hunt` | Continue Phase 3 on current engagement |
| `/cruxss validate` | Run 7-Question Gate on current leads |
| `/cruxss report ` | Draft report for a validated finding |
| `/cruxss status` | Show all engagements and their state |
| `/cruxss scope` | Show current engagement rules |
| `/cruxss chain ` | Suggest B/C chains from Bug A |

---

## Checklist Coverage

Five professional pentest checklists with CRUXSS IDs mapped to
OWASP, MITRE ATT&CK, and CWE references:

| Checklist | Standards | CRUXSS Prefixes |
|---|---|---|
| Web Application | OWASP WSTG v4.2 | CRUXSS-INFO, CRUXSS-ATHN, CRUXSS-ATHZ, CRUXSS-SESS, CRUXSS-INPV, CRUXSS-BUSL, CRUXSS-CLNT |
| API Security | OWASP API Top 10 2023 | CRUXSS-API-DISC, CRUXSS-API-AUTH, CRUXSS-API-INPV, CRUXSS-API-GQL |
| Cloud | CIS Benchmarks, MITRE ATT&CK Cloud | CRUXSS-CLD-IAM, CRUXSS-CLD-COMP, CRUXSS-CLD-NET, CRUXSS-CLD-ATK |
| External Network | PTES, NIST SP 800-115, MITRE ATT&CK | CRUXSS-EXT-RCON, CRUXSS-EXT-SCAN, CRUXSS-EXT-EXPL |
| Internal Network | PTES, BloodHound AD paths | CRUXSS-INT-CRED, CRUXSS-INT-LAT, CRUXSS-INT-PRIV, CRUXSS-INT-DOM |

---

## Security Model

**Public repo:** methodology, tooling, checklists, redacted examples.
No program names, no credentials, no findings, no target data.

**Private repo (`cruxss-sessions`):** all engagement data โ€” session notes,
leads, validated bugs, drafted reports. Never public.

**Local only:** HackerOne API credentials (`~/.config/cruxss/`),
Claude Code API key (`~/.claude/`). Never in any repo.

Pre-commit secret scanning blocks accidental credential commits.
GitHub push protection adds a second layer.

---

## The Core Rule

Before reporting anything, the agent asks:

> *"Can an attacker do this RIGHT NOW against a real user who took NO
> unusual actions โ€” and does it cause real harm?"*

If the answer is not a clear YES โ€” the finding is dropped.
Only findings that pass the full 7-Question Gate get drafted into reports.

---

## Requirements

| Tool | Version | Purpose |
|---|---|---|
| Claude Code | latest | Agent runtime |
| Go | 1.21+ | Recon tools (subfinder, httpx, nuclei, ffuf, etc.) |
| Python | 3.10+ | Supporting tools (semgrep, arjun, detect-secrets) |
| Node | 18+ | Claude Code and tooling |
| Git | any | Version control |

---

## Contributing

Pull requests welcome.

To add a new test:
1. Add it to the relevant `phases/03-hunt/.md` with a `CRUXSS-ID`
2. Update the corresponding `.xlsx` checklist in `checklists/`
3. If it introduces a new chain pattern, add it to the chain table in `CLAUDE.md`
4. Update the checklist coverage table in this README

To report a security issue with this tool: see [SECURITY.md](SECURITY.md)

---

## License

MIT โ€” see [LICENSE](LICENSE)