hunt-tls-network

HUNT-TLS-NETWORK — TLS/SSL & DNS Security

Reality Check (Read First)

Most findings in this class are Info/Low and are routinely rejected by triage as "best practice" or "missing hardening". This skill exists to stop you wasting a submission. Answer two questions before you report anything here:

  1. Is there a real victim and a real action? "Missing HSTS" is not a vulnerability — demonstrated session-cookie capture from a victim you MitM'd is. "Missing CAA" is never a vulnerability you can demonstrate.
  2. Does the program accept it? Many programs explicitly list missing SPF/DMARC, missing security headers, weak ciphers without exploit, and CAA as out of scope. Read scope first; quote the in-scope line in your report.

What actually pays in this class (in order):

  • Dangling-CNAME / dangling-A subdomain takeover — you control content on a target.com subdomain. Real impact, real bounty. (Owned in depth by hunt-subdomain; covered here for the TLS/DNS recon angle.)
  • Spoofable DMARC, proven by delivered-to-inbox email — not "p=none exists" but an actual mail from ceo@target.com landing in a real inbox, with the Authentication-Results header showing a DMARC result of pass, or fail with disposition none (dis=none), i.e. the receiver evaluated DMARC and still delivered.
  • DNS AXFR returning internal hosts — full internal hostname/IP map. Concrete recon value, often Medium.
  • mTLS / client-cert bypass on an internal service — reaching authenticated-only functionality without the cert. Real auth bypass = High.
  • Exploited TLS weakness with a working decrypt/MitM PoC — almost never achievable remotely in 2024-2026 against a patched stack; see Phase 1 caveats.
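The DMARC item above asks for a delivered-mail PoC, not a record read. The helper below is an added example, not code from the claude-bughunter skill or its repository: it parses SPF and DMARC TXT records to decide whether a spoofing test mail is worth sending at all, and it extracts the dmarc= result and dis= disposition from an Authentication-Results header so the verdict quoted in the report is read from the delivered message rather than assumed. All domain names, records and the header are constructed for the example.

```python
"""Spoofability triage for the DMARC item above (added example, not the skill's code).
Every DNS record and mail header here is constructed; in an engagement you fetch the
TXT records yourself and copy Authentication-Results from the mail that actually landed."""
import re
from typing import Optional


def parse_tag_value(record: str) -> dict:
    """Parse a 'k=v; k=v' record (DMARC syntax) into a lowercase-keyed dict."""
    out = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            out[k.strip().lower()] = v.strip()
    return out


def spf_all_qualifier(spf: Optional[str]) -> Optional[str]:
    """Qualifier on the SPF 'all' mechanism: '+', '-', '~' or '?'.
    None means no SPF record or no 'all' term (unlisted senders evaluate neutral)."""
    if spf is None:
        return None
    for term in spf.split():
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            return m.group(1) or "+"  # a bare 'all' is '+all'
    return None


def dmarc_spoof_candidate(dmarc: Optional[str], spf: Optional[str],
                          subdomain: bool = False) -> dict:
    """Go/no-go for spending a test mail: does DNS make a spoofed From: plausible?
    Per the reality check, the report still needs the mail in a real inbox."""
    reasons = []
    qualifier = spf_all_qualifier(spf)
    if dmarc is None:
        reasons.append("no DMARC record: receivers fall back to SPF/local policy")
        if qualifier != "-":
            reasons.append("SPF does not hard-fail unlisted senders either")
    else:
        tags = parse_tag_value(dmarc)
        if tags.get("v", "").upper() != "DMARC1":
            reasons.append("malformed DMARC record (no v=DMARC1)")
        policy = tags.get("p", "").lower()
        if subdomain and "sp" in tags:  # subdomains use sp= when present, else inherit p=
            policy = tags["sp"].lower()
        if policy == "none":
            reasons.append("policy none: failing mail is delivered, only reported")
        elif policy not in ("quarantine", "reject"):
            reasons.append(f"unrecognised or missing policy {policy!r}")
        try:
            pct = int(tags.get("pct", "100"))
        except ValueError:
            pct = 100
        if pct < 100:
            reasons.append(f"pct={pct}: policy applied to only part of failing mail")
    if qualifier == "+":  # any IP passes SPF; an aligned MAIL FROM then passes DMARC too
        reasons.append("SPF +all: aligned envelope sender passes DMARC from any IP")
    return {"candidate": bool(reasons), "reasons": reasons, "spf_all": qualifier}


def dmarc_verdict(auth_results: str) -> dict:
    """Pull the dmarc= result and the dis= disposition out of Authentication-Results.
    A p=none failure is reported as 'dmarc=fail (... dis=none)': checked, then delivered."""
    m = re.search(r"\bdmarc=(\w+)(?:\s*\(([^)]*)\))?", auth_results, re.IGNORECASE)
    if not m:
        return {"result": None, "disposition": None}
    disposition = None
    if m.group(2):
        d = re.search(r"\bdis=(\w+)", m.group(2), re.IGNORECASE)
        if d:
            disposition = d.group(1).lower()
    return {"result": m.group(1).lower(), "disposition": disposition}


def delivered_unblocked(auth_results: str) -> bool:
    """True when the receiver's DMARC step did not block the message."""
    v = dmarc_verdict(auth_results)
    return v["result"] in ("pass", "none") or v["disposition"] == "none"


# Constructed samples (not real domains or captured mail).
SAMPLE_DNS = {
    "example.com": {  # monitor-only: worth a test mail
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc-rua@example.com",
        "spf": "v=spf1 include:_spf.example.net ~all"},
    "hardened.example": {  # enforced: not worth a standalone report
        "dmarc": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:d@hardened.example",
        "spf": "v=spf1 ip4:203.0.113.0/24 -all"},
    "partial.example": {  # pct=20: most failing mail still goes through
        "dmarc": "v=DMARC1; p=reject; pct=20", "spf": "v=spf1 -all"},
}
# Constructed header in the shape a large mailbox provider emits for a From: example.com
# mail sent from an IP that is not in example.com's SPF record.
SAMPLE_AUTH_RESULTS = (
    "mx.recipient.example; dkim=none; "
    "spf=softfail (198.51.100.7 is not permitted) smtp.mailfrom=example.com; "
    "dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=example.com")

if __name__ == "__main__":
    for domain, rec in SAMPLE_DNS.items():
        print(domain, dmarc_spoof_candidate(rec["dmarc"], rec["spf"]))
    print(dmarc_verdict(SAMPLE_AUTH_RESULTS), delivered_unblocked(SAMPLE_AUTH_RESULTS))
```

The candidate check deliberately treats `sp=` separately from `p=`: an org domain at p=reject with sp=none still leaves every subdomain spoofable, which is the case triage accepts when the delivered mail is attached.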

What does NOT pay (do not report standalone): missing CAA, missing HSTS with no MitM PoC, missing security headers alone, weak-cipher support without an exploit, self-signed cert on a non-prod host, TLS 1.0/1.1 enabled without a downgrade victim.


Source: elementalsouls/claude-bughunter, skill hunt-tls-network. First seen Jun 5, 2026.