Share
## https://sploitus.com/exploit?id=E03BC38F-C1A9-53EB-8C66-DA3D6A7D80A9
# Claude Bug Bounty Hunter

**The AI-native bug bounty framework.** Claude acts as your co-pilot โ€” mapping attack surfaces, guiding hunts, validating findings, and writing your reports. You focus on the target. Claude handles the rest.

[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](LICENSE)
[![Python 3.8+](https://img.shields.io/badge/python-3.8+-blue.svg)](https://python.org)
[![Stars](https://img.shields.io/github/stars/shuvonsec/claude-bug-bounty?style=social)](https://github.com/shuvonsec/claude-bug-bounty/stargazers)

[Quick Start](#quick-start) ยท [Tools](#tool-reference) ยท [Pipeline](#full-hunt-pipeline) ยท [Claude Prompts](#claude-prompts) ยท [Install](#installation)



---

## What It Does

```
Target โ†’ Recon โ†’ Intel โ†’ Hunt โ†’ Validate โ†’ Report โ†’ Submit
```

Every step is Claude-assisted. Drop into Claude Code, point it at a target, and it will:

- Enumerate subdomains, live hosts, and crawl endpoints
- Pull CVEs and disclosed H1 reports for the detected tech stack
- Generate a prioritized attack mindmap
- Run scanners for IDOR, SSRF, XSS, SQLi, OAuth, GraphQL, LLM injection
- Walk you through the 4-gate validation checklist
- Write a submission-ready HackerOne or Bugcrowd report

---

## Quick Start

```bash
# Clone and install
git clone https://github.com/shuvonsec/claude-bug-bounty.git
cd claude-bug-bounty
chmod +x install_tools.sh && ./install_tools.sh

# Run a full hunt
python3 hunt.py --target hackerone.com

# Or step by step
./recon_engine.sh target.com
python3 learn.py --tech "nextjs,graphql,jwt" --target target.com
python3 hunt.py --target target.com --scan-only
python3 validate.py
python3 report_generator.py findings/
```

### With Claude Code (Recommended)

```bash
npm install -g @anthropic-ai/claude-code
cd claude-bug-bounty
claude
```

Then just talk:
> *"Run recon on target.com and tell me what to hunt"*
> *"I found a potential IDOR โ€” validate it"*
> *"Write a HackerOne report for this SSRF"*

Claude reads your recon files, reasons about the attack surface, and drives the tools.

---

## Tool Reference

### Core Pipeline

| Tool | What It Does |
|------|-------------|
| `hunt.py` | Master orchestrator โ€” chains recon โ†’ scan โ†’ report |
| `recon_engine.sh` | Subdomain enum, DNS resolution, live host detection, URL crawling |
| `learn.py` | Pulls CVEs + disclosed reports for a tech stack from GitHub Advisory + NVD |
| `mindmap.py` | Generates a Mermaid attack mindmap with a prioritized test checklist |
| `validate.py` | Interactive 4-gate validator โ€” scope, impact, duplicate check, CVSS score |
| `report_generator.py` | Outputs a formatted HackerOne/Bugcrowd markdown report |

### Vulnerability Scanners

| Tool | Targets |
|------|---------|
| `h1_idor_scanner.py` | Object-level + field-level IDOR via parameter swapping |
| `h1_mutation_idor.py` | GraphQL mutation IDOR โ€” cross-account object access |
| `h1_oauth_tester.py` | OAuth flows โ€” PKCE enforcement, state bypass, redirect_uri abuse |
| `h1_race.py` | Race conditions โ€” parallel request timing, TOCTOU |
| `zero_day_fuzzer.py` | Smart fuzzer for novel bugs scanners miss (logic, edge cases, access control) |
| `cve_hunter.py` | Fingerprints tech stack and matches against known CVEs |
| `vuln_scanner.sh` | Orchestrates nuclei + dalfox + sqlmap |

### AI / LLM Testing

| Tool | Targets |
|------|---------|
| `hai_probe.py` | Probes AI chatbot features for IDOR, prompt injection, data exfil |
| `hai_payload_builder.py` | Generates prompt injection payloads (direct, indirect, ASCII smuggling) |
| `hai_browser_recon.js` | Browser-side recon of AI feature endpoints |

### Utilities

| Tool | What It Does |
|------|-------------|
| `sneaky_bits.py` | JS secret finder + endpoint extractor from JS bundles |
| `target_selector.py` | Scores and ranks bug bounty programs by ROI |
| `scripts/dork_runner.py` | Google dork automation for passive recon |
| `scripts/full_hunt.sh` | Shell wrapper for the full pipeline |

---

## Full Hunt Pipeline

```bash
# 1. Recon โ€” enumerate subdomains, resolve DNS, find live hosts, crawl URLs
./recon_engine.sh target.com
# โ†’ recon/target.com/{subs.txt, live-hosts.txt, urls.txt}

# 2. Intel โ€” pull CVEs and prior disclosures for the tech stack
python3 learn.py --tech "nextjs,graphql,jwt" --target target.com
# โ†’ recon/target.com/intel.md

# 3. Attack map โ€” generate prioritized hunting checklist
python3 mindmap.py --target target.com --type api --tech "graphql,jwt"

# 4. Hunt โ€” run all scanners
python3 hunt.py --target target.com --scan-only

# 5. Validate โ€” 4-gate check before writing anything
python3 validate.py --output findings/target-finding.md

# 6. Report โ€” generate submission-ready markdown
python3 report_generator.py findings/
```

---

## Vulnerability Classes Covered


Web2 (click to expand)

| Class | Techniques |
|-------|-----------|
| **IDOR** | Object-level, field-level, GraphQL mutation, UUID enumeration |
| **SSRF** | Redirect chain bypass, DNS rebinding, cloud metadata (169.254.x), protocol abuse |
| **XSS** | Reflected, stored, DOM, postMessage, CSP bypass, mXSS |
| **SQLi** | Error-based, blind, time-based, ORM bypass, second-order |
| **OAuth** | Missing PKCE, state parameter bypass, redirect_uri abuse, implicit flow downgrade |
| **Race Conditions** | Parallel requests, TOCTOU, limit overrun, coupon reuse |
| **Cache Poisoning** | Unkeyed headers, parameter cloaking, fat GET |
| **Business Logic** | Price manipulation, workflow skip, negative quantity, role escalation |
| **File Upload** | Extension bypass, MIME confusion, polyglots, path traversal in filename |
| **XXE** | Classic entity injection, blind OOB via DNS/HTTP |
| **HTTP Smuggling** | CL.TE, TE.CL, TE.TE, H2.CL request tunneling |




AI / LLM Features (click to expand)

| Class | Techniques |
|-------|-----------|
| **Prompt Injection** | Direct override, indirect via document/URL, jailbreak chains |
| **Chatbot IDOR** | Cross-account history access, conversation ID enumeration |
| **System Prompt Leak** | Extraction via roleplay, encoding bypass, token boundary probing |
| **LLM RCE** | Code execution via AI tool use, sandboxed environment escape |
| **ASCII Smuggling** | Invisible unicode characters as covert exfil channels |




Web3 / DeFi (click to expand)

| Class | Techniques |
|-------|-----------|
| **Reentrancy** | Single-function, cross-function, cross-contract, read-only |
| **Flash Loan Attacks** | Price oracle manipulation, collateral inflation |
| **Access Control** | Missing `onlyOwner`, misconfigured roles, function visibility |
| **Integer Issues** | Overflow, underflow, precision loss, division before multiplication |
| **Signature Replay** | Missing nonce, chain ID not included, front-running signatures |



---

## Claude Prompts

Copy-paste these into Claude Code after running recon:

```
# Map the attack surface
"I've run recon on [target]. Here's live-hosts.txt and urls.txt.
What are the highest-priority endpoints to test for IDOR and why?"

# Tech-stack guided hunting
"Target uses NextJS + GraphQL + JWT auth. Rank the top 5 bug classes
I should hunt, ordered by payout likelihood on HackerOne."

# Validate a finding
"I found [vuln]. Here's the request and response. Walk me through
the 4 validation gates. What's the CVSS 3.1 score and business impact?"

# Write the report
"Write a HackerOne report for this [vuln type].
PoC steps: [1, 2, 3]. Target: [URL]. Impact: [what attacker can do]."

# Chain a low finding
"I have an open redirect at [URL]. How can I chain this into
an OAuth code theft or ATO? What conditions do I need?"
```

---

## Installation

**Prerequisites**

```bash
# macOS
brew install go python3 node jq

# Linux (Debian/Ubuntu)
sudo apt install golang python3 nodejs jq
```

**One-command install**

```bash
chmod +x install_tools.sh && ./install_tools.sh
```

Installs: `subfinder` `httpx` `dnsx` `nuclei` `katana` `waybackurls` `gau` `dalfox` `ffuf` `anew` `qsreplace` `assetfinder` `gf` `interactsh-client` `sqlmap` `XSStrike` `SecretFinder` `LinkFinder` + nuclei-templates

**Configuration**

```bash
cp config.example.json config.json
# Add your ProjectDiscovery Chaos API key and HackerOne token
```

---

## Output Structure

```
claude-bug-bounty/
โ”œโ”€โ”€ recon/
โ”‚   โ””โ”€โ”€ target.com/
โ”‚       โ”œโ”€โ”€ subs.txt           # All subdomains
โ”‚       โ”œโ”€โ”€ live-hosts.txt     # Live HTTP(S) hosts with status codes
โ”‚       โ”œโ”€โ”€ urls.txt           # Crawled URLs
โ”‚       โ””โ”€โ”€ intel.md           # CVE + disclosed report intel
โ”œโ”€โ”€ findings/
โ”‚   โ””โ”€โ”€ target-vuln-type.md   # Validated finding notes
โ””โ”€โ”€ reports/
    โ””โ”€โ”€ h1-report-YYYYMMDD.md # Submission-ready report
```

---

## Resources

- [HackerOne Hacktivity](https://hackerone.com/hacktivity) โ€” Disclosed reports
- [Bugcrowd Crowdstream](https://bugcrowd.com/crowdstream) โ€” Public findings
- [ProjectDiscovery Chaos](https://chaos.projectdiscovery.io) โ€” Free subdomain datasets
- [PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings) โ€” Payload reference
- [HackTricks](https://book.hacktricks.xyz) โ€” Attack technique bible
- [PortSwigger Web Academy](https://portswigger.net/web-security) โ€” Free vuln labs

---

## Legal

**For authorized security testing only.**

Only test targets within an approved bug bounty scope. Never test systems without explicit permission. Follow responsible disclosure โ€” report to the vendor, not publicly. Read each program's rules of engagement before hunting.

---

## Contributing

PRs welcome โ€” especially new vuln scanners, Claude prompt templates, and platform support (YesWeHack, Synack).

```bash
git checkout -b feature/my-scanner
git commit -m "Add: scanner for X vuln class"
git push origin feature/my-scanner
# Open a PR
```

---



MIT License ยท Built by bug hunters, for bug hunters

**Star โญ if this helped you find a bug**