Credential stuffing in Bug bounty hunting

Bug hunting is not always about looking for classic vulnerabilities (XSS, SQLi, SSRF, RCE, etc). Sometimes it is a search for a new problem domain. In this article, I will tell you how this not-so-standard approach to vulnerability searching helped me to find many critical problems.

One evening I came up with the idea of crossing Credential Stuffing and Bug bounty hunting. Credential stuffing is the search for leaked usernames and passwords for their use in popular online services, as most of the users love to use the same password everywhere. More often than…