ClaudeWave
Slash Command | 2k repo stars | updated 4d ago

surface

The /surface command generates a ranked attack surface prioritization for a target by analyzing cached reconnaissance data and hunt memory using the recon-ranker agent. Use it after running /recon to identify which endpoints to test first, organized into Priority 1 (highest value targets), Priority 2 (secondary targets), and a Kill List to skip, with technical context and testing suggestions for each entry.

Install in Claude Code

```
mkdir -p ~/.claude/commands && curl -fsSL https://raw.githubusercontent.com/elementalsouls/Claude-BugHunter/HEAD/commands/surface.md -o ~/.claude/commands/surface.md
```

Then open a new Claude Code session; the slash command loads automatically.

surface.md

# /surface

View the prioritized attack surface for a target.

## What This Does

1. Reads cached recon output from `recon/<target>/`
2. Reads hunt memory for patterns and previously tested endpoints
3. Invokes the `recon-ranker` agent to produce a prioritized ranking
4. Outputs P1 (start here), P2 (after P1), and Kill List (skip)

## Usage

```
/surface target.com
```

## Prerequisites

Run `/recon target.com` first. If no recon data exists, you'll be prompted to run recon.

## Output

```
ATTACK SURFACE: target.com
═══════════════════════════════════════

Priority 1 (start here):
1. api.target.com/v2/users/{id} — IDOR candidate
   Tech: Express + PostgreSQL | First seen 12 days ago
   Suggested: numeric ID swap on GET/PUT/DELETE

2. api.target.com/graphql — introspection enabled, 47 mutations
   Suggested: field-level auth check on sensitive mutations

Priority 2 (after P1):
1. cdn.target.com:8443/upload — file upload endpoint
   Suggested: extension bypass, magic bytes

Kill List (skip):
- static.target.com — CDN only
- docs.target.com — third-party hosted

Memory:
- Pattern from alpha.com (same tech): auth bypass via method override ($800)
- 3 endpoints tested in previous session, 5 remain
```
autopilot (Slash Command)

Run autonomous hunt loop on a target — scope check → recon → rank surface → hunt → validate → report with configurable checkpoints. Usage: /autopilot target.com [--paranoid|--normal|--yolo]

chain (Slash Command)

Build an exploit chain — given bug A, finds B and C to combine for higher severity and payout. Knows common chain patterns: IDOR→ATO, SSRF→cloud metadata, XSS→ATO, open redirect→OAuth theft, S3→bundle→secret→OAuth. Usage: /chain

hunt (Slash Command)

Active vulnerability hunting. Two-track dispatcher — asks Red Team vs WAPT, hands off to hunt-dispatch skill and sibling commands. Usage: /hunt target.com | /hunt *.target.com | /hunt targets.txt [--vuln-class X] [--source-code P] [--chrome]

intel (Slash Command)

On-demand intelligence fetch for a target — CVEs, disclosed reports, new features. Wraps learn.py + hunt memory context. Usage: /intel target.com

memory-gc (Slash Command)

Inspect or rotate hunt-memory JSONL files (audit.jsonl, patterns.jsonl, journal.jsonl). Caps file size and keeps N rotated backups so memory does not grow unbounded.

pickup (Slash Command)

Pick up a previous hunt on a target — shows hunt history, untested endpoints, and memory-informed suggestions. Usage: /pickup target.com

recon (Slash Command)

Run full recon pipeline on a target — subdomain enum (Chaos API + subfinder), live host discovery (dnsx + httpx), URL crawl (katana + waybackurls + gau), gf pattern classification, nuclei scan. Outputs to recon/<target>/ directory. Usage: /recon target.com

remember (Slash Command)

Log current finding or successful pattern to hunt memory. Auto-fills from /validate output if available. Usage: /remember