Credential stuffing in Bug bounty hunting
Bug hunting is not always about looking for classic vulnerabilities (XSS, SQLi, SSRF, RCE, etc.). Sometimes it is a search for a new problem domain. In this article, I will tell you how this not-so-standard approach to vulnerability hunting helped me find many critical problems.
One evening I came up with the idea of crossing credential stuffing with bug bounty hunting. Credential stuffing is the search for leaked usernames and passwords and their reuse against popular online services, since most users love to use the same password everywhere. More often than not, "black hats" use it to hijack accounts on social networks and email services for subsequent scams. But an idea occurred to me: what if we apply this approach not to popular online services, but to the specific services of a company that runs a bug bounty program, or check the credentials against the services commonly used in the development life cycle? So the right words for this story are: it's time to gather the stones in the right place.

In general, there is nothing new in any of this, because a full-fledged pentest already covers credential stuffing. A smart pentester always starts with already-leaked credentials. But I haven't noticed anyone using this approach in bug hunting.
At the time I started, there was not a single disclosed report about this problem submitted through bug bounty platforms. My suspicions were later confirmed by the not-quite-adequate reaction of one of the platforms (more on that later). In other words, before this, no one had used such an approach for infiltration. I shared the idea with one of my friends, and together we were very successful in finding real threats, on good bug bounty programs with nice rewards at the end.
It is worth noting that some bug bounty programs state in their rules that the use of leaked credentials is forbidden. There are reasons for that. If every bug hunter starts trying leaked data against real usernames, it could lead to account lockouts on a particular service. In order not to create such risks for the company's employees, some programs decide to move this area of testing out of scope. At the same time, this is strange, because any good pentest assumes exactly such a course of events, and if a bug bounty is about reducing risk, this risk should also be considered and…