Skip to content

v2.1 — community skills · CI gate · security fixes

Latest

Choose a tag to compare

@elementalsouls elementalsouls released this 05 Jun 16:15
872d9a2

Second major bundle release. 51 → 71 skills, a CI quality/safety gate, a docs site, and security fixes to the toolkit's own code.

✨ Added

  • 20 new hunt-* skills (community v3 expansion — thanks @muhsiindeniiz): hunt-lfi, hunt-nosqli, hunt-deserialization, hunt-cors, hunt-host-header, hunt-open-redirect, hunt-brute-force, hunt-session, hunt-ldap, hunt-nextjs, hunt-nodejs, hunt-dom, hunt-websocket, hunt-grpc, hunt-laravel, hunt-springboot, hunt-k8s, hunt-cicd, hunt-source-leak, hunt-tls-network. (28 → 48 hunt modules.)
  • CI skill-linter — validates every SKILL.md and blocks leaked secrets + client/engagement identifiers (SHA-256 denylist; plaintext names never enter the repo).
  • Docs site — GitHub Pages under docs/ with a searchable, auto-generated skill catalog.
  • Community infrastructure — issue/PR templates, CODEOWNERS, CODE_OF_CONDUCT.md, CHANGELOG.md, FUNDING.yml.
  • New hunt-auth-bypass function-level access control section; Azure App Service takeover fingerprint in hunt-subdomain.

🔒 Fixed (security — closes #13)

  • Path traversal (cbh recon) and arbitrary file write (cbh report --out) — real path containment.
  • Shell injection in the hunt.sh engagement scaffold — neutralized.
  • Q5 validation-gate logic (duplicates no longer pass).
  • Loud warning when --proxy disables TLS verification.

Credit: @sseshachala (report + fix), @muhsiindeniiz (skills), @xiaolai (earlier PRs).

💜 Sponsor

Atlas Cloud — full-modal AI inference, one API for video/image/LLM.

Full changelog: https://github.com/elementalsouls/Claude-BugHunter/blob/main/CHANGELOG.md