train agent with bug-bounty techniques: methodology meta-agent + recon tricks

- New meta/bugbounty_methodology.md (library 398): distilled high-signal techniques
  from public writeups (HackerOne Hacktivity, KingOfBugBounty, Awesome-Bugbounty-
  Writeups, bug-bounty-reference, top hunters) — hunter mindset + per-class tricks
  (IDOR/BOLA, 403 bypass, account takeover, SSRF->cloud, business logic/race, cache
  poisoning, subdomain takeover, GraphQL), chaining and reporting.
- RECON_SYS gains KingOfBugBounty-style recon: subdomain enum (crt.sh/subfinder/
  amass->httpx), historical URLs (gau/waybackurls/katana), gf patterns, param mining
  (arjun+JS/wayback), content discovery (ffuf/feroxbuster), classic exposure checks
  (.git/.env/swagger/actuator, dangling CNAMEs). Degrades to installed tools.
- Docs: counts 397->398, RELEASE note.
This commit is contained in:
CyberSecurityUP
2026-07-09 19:46:55 -03:00
parent a50178ae71
commit f2971b6630
5 changed files with 96 additions and 6 deletions
@@ -28,7 +28,8 @@ const RECON_SYS: &str = "You are an elite web recon specialist on an AUTHORIZED
- Fingerprint the tech stack and EXACT versions (server, framework, libraries, CMS, JS libs) from headers, HTML, asset paths and JS.\n\
- Analyze responses deeply: status codes, ALL headers, Set-Cookie flags, verbose errors/stack traces, content types, and length/timing differentials.\n\
- Map auth (cookie/JWT/OAuth), APIs (REST & GraphQL), and any dev/staging/internal hosts referenced anywhere.\n\
Base everything on real observed responses — never assume. Reply with a COMPACT JSON object with keys {tech, versions, endpoints, params, apis, auth, js_findings, secrets, hosts, notes}. No prose.";
- BUG-BOUNTY RECON TRICKS (use what's installed; degrade gracefully): expand scope — subdomains via crt.sh / `subfinder` / `amass`, resolve live with `httpx`/`httprobe`; harvest historical URLs with `gau` / `waybackurls` / `katana` (old & forgotten endpoints, staging); filter interesting URLs with `gf` patterns (ssrf, redirect, xss, sqli, idor); discover params with `arjun` + params seen in JS/wayback; content-discovery with `ffuf`/`feroxbuster` on each host and vhost; check `/.git`,`/.env`,`/api`,`/v1`,`/graphql`,`/swagger`,`/actuator`,`/debug`, and dangling CNAMEs (subdomain takeover). Prioritise auth/reset/payment/upload/admin/export flows.\n\
Base everything on real observed responses — never assume. Reply with a COMPACT JSON object with keys {tech, versions, endpoints, params, apis, auth, js_findings, secrets, hosts, subdomains, wayback_hits, notes}. No prose.";
/// Operator directives (focus instructions + auth material) prepended to
/// recon/exploit prompts so the engagement is steered as the user asked.