Hunt brute force and rate limiting gaps
hunt-brute-force (skill) ★1,791
elementalsouls/Claude-BugHunter
What it does
Hunt missing/weak rate limiting: login brute force and related attacks
Best for
Use when hunting missing or weak rate limiting: login brute force, OTP/2FA brute force (a 6-digit code is only a 10^6 keyspace), password-reset-token brute force, credential stuffing, username/email enumeration via error-string, status-code or timing differences, weak password policy, missing CAPTCHA, IP-based rate-limit bypass via X-Forwarded-For and similar headers, and ReDoS. Distinguishes hard lockout vs. soft IP throttle vs. CAPTCHA injection vs. silent shadow-throttling, which avoids false-negative "no rate limit" conclusions. Severity ranges from medium to critical depending on what the brute force reaches (OTP brute force leading to account takeover is critical).
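The lockout/throttle/CAPTCHA/shadow distinction is the part most hunters get wrong, because all four can look like an unbroken stream of 401s from the outside. The prober below is an added example written for this page, not code from Claude-BugHunter: it bursts wrong passwords at a test account you own, then uses the known-good password as the oracle, once from the same source and once with a spoofed X-Forwarded-For. The `Transport` signature, the `FakeLogin` stand-in and its policies, the IP addresses and the marker regexes are all assumptions or constructed data; replace `FakeLogin` with a curl/requests wrapper of the same signature to run it against a real target.

```python
"""Probe a login endpoint and classify what kind of rate limiting it really has.

Added example for this page; not code from elementalsouls/Claude-BugHunter.
Transport signature, header name, IPs and regexes are assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict


@dataclass
class Resp:
    """The parts of an HTTP reply the prober looks at (header keys lowercase)."""
    status: int
    body: str = ""
    headers: Dict[str, str] = field(default_factory=dict)


# transport(username, password, extra_request_headers) -> Resp
# Plug curl/requests/httpx in here; FakeLogin below is a constructed stand-in.
Transport = Callable[[str, str, Dict[str, str]], Resp]

CAPTCHA_RE = re.compile(r"captcha|g-recaptcha|h-captcha|cf-turnstile", re.I)
LOCK_RE = re.compile(r"locked|too many attempts|temporarily disabled", re.I)


def classify_rate_limit(send: Transport, user: str, good_pw: str, burst: int = 25,
                        spoof_header: str = "X-Forwarded-For",
                        spoof_ip: str = "203.0.113.77") -> dict:
    """Burst wrong passwords at one test account, then use the KNOWN-GOOD password
    as the oracle. Only the oracle separates 'no limit' from 'silent limit'."""
    baseline = send(user, "wrong-0", {})
    ev = {"explicit_429": False, "retry_after": None, "captcha": False, "lock_message": False}
    for i in range(1, burst):
        r = send(user, f"wrong-{i}", {})
        if r.status == 429 or "retry-after" in r.headers:
            ev["explicit_429"] = True
            ev["retry_after"] = r.headers.get("retry-after")
        if CAPTCHA_RE.search(r.body) and not CAPTCHA_RE.search(baseline.body):
            ev["captcha"] = True          # challenge appeared only after the burst
        if LOCK_RE.search(r.body):
            ev["lock_message"] = True
    # Oracle 1: correct password from the same source the burst came from.
    ev["good_pw_same_source"] = send(user, good_pw, {}).status == 200
    # Oracle 2: correct password with a spoofed client IP. Success here means the
    # limit is keyed on an attacker-controlled header, i.e. trivially bypassable.
    ev["good_pw_spoofed_source"] = send(user, good_pw, {spoof_header: spoof_ip}).status == 200

    if not ev["good_pw_same_source"] and not ev["good_pw_spoofed_source"]:
        verdict = "hard_account_lockout"   # the account is blocked, not the source
    elif ev["captcha"]:
        verdict = "captcha_injection"
    elif ev["explicit_429"]:
        verdict = "soft_ip_throttle"
    elif not ev["good_pw_same_source"]:
        verdict = "shadow_ip_throttle"     # 401s look normal but reject valid creds
    else:
        verdict = "no_rate_limit_observed"
    ev["verdict"] = verdict
    ev["xff_bypass"] = verdict != "no_rate_limit_observed" and ev["good_pw_spoofed_source"]
    return ev


class FakeLogin:
    """Constructed login endpoint used to exercise the prober offline.
    policy: 'none' | 'hard_lockout' | 'soft_throttle' | 'captcha' | 'shadow'."""

    def __init__(self, policy: str, threshold: int = 5, good_pw: str = "correct horse"):
        self.policy, self.threshold, self.good_pw = policy, threshold, good_pw
        self.fails_by_ip: Dict[str, int] = {}
        self.fails_by_user: Dict[str, int] = {}

    def __call__(self, user: str, pw: str, headers: Dict[str, str]) -> Resp:
        # Trusting X-Forwarded-For for the client IP is the weakness the spoof probe finds.
        ip = headers.get("X-Forwarded-For", "198.51.100.9")
        ip_fails = self.fails_by_ip.get(ip, 0)
        user_fails = self.fails_by_user.get(user, 0)
        if self.policy == "hard_lockout" and user_fails >= self.threshold:
            return Resp(403, "Account locked: too many attempts")
        if self.policy == "soft_throttle" and ip_fails >= self.threshold:
            return Resp(429, "Too Many Requests", {"retry-after": "60"})
        if self.policy == "captcha" and ip_fails >= self.threshold:
            return Resp(400, '<div class="g-recaptcha" data-sitekey="x"></div>')
        if self.policy == "shadow" and ip_fails >= self.threshold:
            return Resp(401, "Invalid credentials")   # returned even for the right pw
        if pw == self.good_pw:
            return Resp(200, "Welcome")
        self.fails_by_ip[ip] = ip_fails + 1
        self.fails_by_user[user] = user_fails + 1
        return Resp(401, "Invalid credentials")


if __name__ == "__main__":
    for policy in ("none", "hard_lockout", "soft_throttle", "captcha", "shadow"):
        result = classify_rate_limit(FakeLogin(policy), "alice", "correct horse")
        print(f"{policy:13s} -> {result['verdict']:24s} xff_bypass={result['xff_bypass']}")
```

Run it only against an account you control: the burst will lock or throttle that account, and in the hard-lockout case the good-password probe fails on purpose. The verdict order is deliberate: both oracles failing is the strongest signal and is checked first, so a CAPTCHA or 429 that is actually keyed per account still lands in `hard_account_lockout` with `captcha`/`explicit_429` kept in the evidence dict. The same structure applies to an OTP endpoint, with the valid code as the oracle; the difference is only that the 10^6 keyspace makes a missing or bypassable limit immediately critical.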
Inputs
- target
- test vectors
- payloads
Outputs
- vulnerability report
- PoC code
- impact assessment
Requires
- curl
- HTTP client
Preconditions
Required dependencies and environment setup — see body for details
Failure modes
See documentation for known limitations and edge cases
Trust signals
- Skill: hunt-brute-force
- Repository: elementalsouls/Claude-BugHunter