Find CSRF vulnerabilities in web apps

hunt-csrf
elementalsouls/Claude-BugHunter
What it does

Hunting skill for CSRF vulnerabilities. Built from

Best for

Use for hunting CSRF vulnerabilities. Built from 15 public bug bounty reports, including modern variants: SameSite=Lax sibling-subdomain bypass (Argo CD, CVE-2024-22424), GraphQL mutations via GET (GitLab, $3,370), framework-wide CSRF middleware disabled (Stripe Dashboard, $5,000), path-traversal CSRF-token bypass (GitHub Enterprise, CVE-2022-23732, $10k), Origin-omission bypass (TikTok, $2,500), OAuth state null-byte (Streamlabs), WebSocket CSRF / CSWSH (Coda), default-SameSite email change → ATO (YoYo Games, $400), social-account-link CSRF (HackerOne), JSON CSRF via text/plain on email change (TikTok, $500). Use when hunting modern CSRF, with heavy emphasis on chain-to-ATO patterns.

Inputs
  • target
  • test vectors
  • payloads
Outputs
  • vulnerability report
  • PoC code
  • impact assessment
Requires
  • curl
  • HTTP client
Preconditions

Required dependencies and environment setup — see body for details

Failure modes

See documentation for known limitations and edge cases

Trust signals
  • Skill: skill
  • Repository: elementalsouls/Claude-BugHunter