pentest-hacktricks-finder
HackTricks Search Skill
Purpose
Use this skill to reliably discover and extract the most relevant HackTricks pages for a given technique, vulnerability class, bypass, or exploitation workflow, then pull the exact sections needed (payloads, prerequisites, caveats, and defensive notes).
HackTricks can be inconsistently indexed across search engines. This skill therefore defines two search backends:
- Primary: Exa-based web search with strict site scoping.
- Secondary: DuckDuckGo dorks with strict site scoping and noise reduction.
Use the secondary backend when:
- Exa results are sparse or irrelevant.
- You need very tight matching by title/path/keyword.
- You want reproducible dork sets for common vuln classes.
Scope Guardrails
Only target content under:
https://book.hacktricks.wiki/en/
Avoid unrelated mirrors, translations, or cached copies unless explicitly requested.
Inputs
- Topic: a short phrase describing the target, example: “DOM XSS bypass”, “XXE parameter entities”, “CSRF SameSite bypass”.
- Optional: vuln class (XSS, XXE, CSRF, SSRF, SSTI, IDOR, Smuggling, Deserialization, Cloud).
- Optional: constraints (framework, language, cloud provider, WAF, browser).
Workflow
- Search: Execute Exa first. If results are shallow, use DDG dorks (directly, or via Exa querying DDG).
- Verify: Ensure the URL is under the `/en/` subtree and matches the target TTP (Tactics, Techniques and Procedures).
- Fetch: Use the `web_fetch` tool for all `book.hacktricks.wiki` URLs. DO NOT use `read_file`.
- Extract: Focus on:
- Payloads and variants
- Preconditions / limitations (e.g., IMDSv2, TTL, Hop Limit)
- Bypass techniques
- Detection / hardening notes
- Pivot: If a page is an index or high-level overview (like `cloud-ssrf.html`), perform a follow-up search or fetch sub-pages mentioned in the text for specific payloads (e.g., ECS vs EC2).
- Return:
- The selected URLs
- The extracted payloads / steps
- Any prerequisites and constraints
Backend A: Exa Search (Primary)
Generic pattern
web_search_exa({
query: "site:book.hacktricks.wiki/en <topic>",
include: ["https://book.hacktricks.wiki/en/*"]
})
Tighten results (recommended)
web_search_exa({
query: "site:book.hacktricks.wiki/en (<high-entropy keywords>) (<bypass|payload|trick|technique>)",
include: ["https://book.hacktricks.wiki/en/*"]
})
Notes:
- Prefer 1–3 high-entropy tokens over long keyword chains (page slugs, function names, CVE IDs, unique headings).
- If Exa returns index pages, pivot to deeper subpages under the same directory.
Backend B: DuckDuckGo Dorking (Secondary)
DuckDuckGo query semantics are not identical to Google “dorking”. Adjust how you construct queries:
- Do not assume implicit AND across space-separated terms. Use high-entropy anchors (slugs, quoted phrases, intitle/inurl).
- DuckDuckGo can relax constraints and show “related results” if an operator-heavy query yields few/no hits. When this happens, tighten with slugs/quotes rather than adding generic keywords.
- `+term` is a relevance boost, not a strict requirement.
- Prefer `site:` + `inurl:`/`intitle:` + quoted phrase + negative filters over boolean-style chains.
Supported operators you should rely on:
- Quotes for exact phrases
- Exclusion: `-term` and `-site:example.com`
- `site:`, `inurl:`, `intitle:`, `filetype:` (limited set)
Baseline template (DDG-correct)
site:book.hacktricks.wiki inurl:/en/ <high-entropy tokens> -inurl:/print -inurl:/index -inurl:/tags
Targeted Search Playbooks (Slug-first)
These playbooks are designed to work well with DuckDuckGo by anchoring on stable HackTricks slugs and directories.
XSS playbook
site:book.hacktricks.wiki inurl:/en/pentesting-web/xss-cross-site-scripting/ (csp OR waf OR bypass OR payload) -inurl:/print -inurl:/index
XXE playbook
site:book.hacktricks.wiki inurl:/en/pentesting-web/ inurl:xxe-xee-xml-external-entity (DTD OR "parameter entity" OR payload) -inurl:/print -inurl:/index
SSRF playbook (Including Cloud)
site:book.hacktricks.wiki inurl:/en/pentesting-web/ssrf-server-side-request-forgery/ (metadata OR cloud OR "169.254" OR "169.254.170.2" OR bypass) -inurl:/print -inurl:/index
Cloud Pentesting Playbook (AWS/GCP/Azure)
site:book.hacktricks.wiki inurl:/en/ (pentesting-web OR pentesting-cloud) (aws OR gcp OR azure) (ssrf OR privilege OR "metadata-service" OR iam) -inurl:/print -inurl:/index
SSTI playbook
site:book.hacktricks.wiki inurl:/en/pentesting-web/ssti-server-side-template-injection/ (payload OR bypass OR sandbox) -inurl:/print -inurl:/index
IDOR playbook
site:book.hacktricks.wiki inurl:/en/pentesting-web/ (idor OR "insecure direct object reference" OR "broken access control") -inurl:/print -inurl:/index
Verification Checklist (Before Fetch)
- URL starts with the /en/ subtree.
- The slug matches the intended vuln class (or at least the intended technique).
- The page is not an index-only aggregator when you need payload detail.
- If DuckDuckGo returns “related results”, reduce generic terms and increase specificity (slug + quoted phrase).
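The baseline DDG template and the pre-fetch checklist above, turned into two small helpers. This is an added example, not part of the skill itself: the class-to-directory map is assumed from the playbook slugs, and the sample URLs in the usage block are constructed.

```python
import re
from urllib.parse import urlparse

CANONICAL_HOST = "book.hacktricks.wiki"       # scope guardrail: no mirrors or cached copies
# Directory slugs lifted from the playbooks; the class->slug map itself is an assumption.
VULN_SLUGS = {
    "xss": "pentesting-web/xss-cross-site-scripting/",
    "xxe": "pentesting-web/xxe-xee-xml-external-entity",
    "ssrf": "pentesting-web/ssrf-server-side-request-forgery/",
    "ssti": "pentesting-web/ssti-server-side-template-injection/",
}
NOISE_SEGMENTS = ("print", "index", "tags")   # the -inurl: filters of the baseline template


def build_ddg_dork(vuln_class, tokens):
    """Baseline DDG template: site: + inurl:/en/<slug> + (OR group) + negative filters.
    Tokens with spaces or punctuation (e.g. an IP) are quoted so DDG treats them as exact phrases."""
    slug = VULN_SLUGS[vuln_class.lower()]
    group = " OR ".join(f'"{t}"' if re.search(r"\W", t) else t for t in tokens)
    negatives = " ".join(f"-inurl:/{n}" for n in NOISE_SEGMENTS)
    return f"site:{CANONICAL_HOST} inurl:/en/{slug} ({group}) {negatives}"


def verify_hacktricks_url(url, vuln_class=None):
    """Pre-fetch checklist: returns (ok, reason) for one candidate result URL."""
    p = urlparse(url)
    if p.scheme != "https" or p.netloc != CANONICAL_HOST:
        return False, "not the canonical host (mirror, translation or cached copy?)"
    if not p.path.startswith("/en/"):
        return False, "outside the /en/ subtree"
    if re.search(r"/(%s)(?=[/.]|$)" % "|".join(NOISE_SEGMENTS), p.path):
        return False, "print/index/tag aggregator, not payload detail"
    if vuln_class and VULN_SLUGS[vuln_class.lower()].rstrip("/") not in p.path:
        return False, f"slug does not match vuln class {vuln_class!r}"
    return True, "ok"


if __name__ == "__main__":
    print(build_ddg_dork("ssrf", ["metadata", "169.254.170.2", "bypass"]))
    # Constructed sample result URLs, not real search output.
    for u in (
        "https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html",
        "https://book.hacktricks.wiki/es/pentesting-web/ssrf-server-side-request-forgery/",
        "https://book.hacktricks.wiki/en/pentesting-web/index.html",
    ):
        print(verify_hacktricks_url(u, "ssrf"), u)
```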
Fetch and Extraction
After selecting URLs, always use web_fetch. Extract:
- Section headers that contain payloads, bypasses, PoCs
- Any prerequisites (versions, libraries, browser constraints)
- Any “gotchas” (encoding, parsing differences, WAF behaviors, Cloud-specific hurdles like IMDSv2 tokens)
Return results in a minimal structure:
{
"topic": "<topic>",
"selected_urls": [
"https://book.hacktricks.wiki/en/..."
],
"extracted": [
{
"url": "https://book.hacktricks.wiki/en/...",
"sections": ["<header 1>", "<header 2>"],
"payloads_or_steps": ["<payload/step 1>", "<payload/step 2>"],
"constraints": ["<constraint 1>", "<constraint 2>"]
}
]
}
Notes for Pentesters
- Prefer subtree-restricted searches first (example: xss-cross-site-scripting, ssrf-server-side-request-forgery).
- Pivot Strategy: If a page mentions an environment variable (e.g., `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI`), look for the section explaining how to leak it.
- IMDSv2 Note: Always check if a payload requires a `PUT` request for a token (IMDSv2) or if it's a simple `GET` (IMDSv1).
- When you find a strong index page, pivot to deeper subpages under the same directory for payload detail.