Skills

hunt-aspnet

Installation
SKILL.md

Crown Jewel Targets

ASP.NET deserialization bugs pay among the highest amounts in bug bounty when they reach RCE. Even when patched, the disclosure-tier findings (signed-only ViewState, dual-parser differential, request-validator quirks) reliably pay Low-Medium.

Highest-value targets:

  • SharePoint farms (any version — 2013/2016/2019/SE) — sign-only ViewState + permissive ToolPane.aspx + anonymous FormDigest creates the CVE-2025-53770 ToolShell precondition chain
  • Telerik UI for ASP.NET AJAXTelerik.Web.UI.WebResource.axd is a documented RCE sink when keys leak (CVE-2017-11317, CVE-2017-11357, CVE-2019-18935)
  • Classic ASP.NET Webforms enterprise apps — banking portals, dealer portals, HR systems left on .NET Framework 4.x
  • WCF services (*.svc?WSDL) — often forgotten admin endpoints with looser auth than the main app
  • Sitecore CMS — ViewState + Sitecore-specific deserialization chains (CVE-2021-42237)
  • DotNetNuke (DNN) — historic ViewState RCE chains
  • Umbraco CMS — ViewState + custom deserialization sinks

Asset types that pay most: internet-reachable ASP.NET Webforms apps > WCF admin services > Telerik-integrated sites > Classic ASP.NET MVC with VSF (very rare)

Attack Surface Signals

Installs
35
Repository
elementalsouls/…ughunter
GitHub Stars
2.6K
First Seen
May 24, 2026
Security Audits
Gen Agent Trust HubPass
SocketWarn
SnykFail
hunt-aspnet — elementalsouls/claude-bughunter