Credential stuffing in Bug bounty hunting

Valeriy Shevchenko
6 min readJul 13, 2021

Bug hunting is not always about looking for classic vulnerabilities (XSS, SQLi, SSRF, RCE, etc). Sometimes it is a search for a new problem domain. In this article, I will tell you how this not-so-standard approach to vulnerability searching helped me to find many critical problems.

One evening I came up with the idea of crossing Credential Stuffing and Bug bounty hunting. Credential stuffing is the search for leaked usernames and passwords for their use in popular online services, as most of the users love to use the same password everywhere. More often than not, “black hats” hack accounts in various social networks, email services for subsequent scamming. But an idea occurred to me — what if we can try to apply this approach not to popular online services, but to specific services of a company with a bug bounty. Or checking credentials on the services often used in the development life cycle. So the right words about that story — It’s time to gather the stones in the right place.

popular service where you can check your email regarding data leaks

In general, there is nothing new in all this because of the full-fledged pentest cover over Credential Stuffing. Smart pentester always starts with already leaked credentials. But I haven’t noticed anyone using such things in the bug hunting.

At the time when I started it, there was not a single disclosed report about this problem reported…

--

--

Valeriy Shevchenko
Valeriy Shevchenko

Written by Valeriy Shevchenko

I am a guy passionate about testing and security researching 👨‍💻 → t.me/valyaroller

Responses (1)