
Discover New Bug Bounty Angles with Leaked Data

Bug bounty hunting has become a sophisticated field where hunters need to stay updated with new techniques and approaches. Leveraging leaked credentials can provide a significant advantage.

Whiteintel Team

Intelligence Division

Nov 1, 2024

This post dives deep into what leaked credentials and stealer logs are, how to find valuable assets with OSINT tools, and highlights critical SaaS services and CI/CD pipeline tools to target. Additionally, we will discuss nuances such as redirection to Microsoft for authorization and the importance of enumerating paths for hidden login pages.


What Are Leaked Credentials and Stealers?

Leaked credentials are sets of login details that have been exposed through data breaches or captured in malware logs. Stealer malware is designed to collect information from compromised systems, such as usernames, passwords, and cookies. These credentials often surface on dark-web forums and marketplaces, presenting both risks and opportunities for security professionals.

Whiteintel Dashboard
Figure 1: Incorporating leaked credentials into your bug bounty workflow

Incorporating leaked credentials into your bug bounty work, ethically and within program policies, can help you identify high-value vulnerabilities, especially when combined with detailed OSINT enumeration.


Increase Your Impact with OSINT Tools

OSINT tools can reveal exposed services and applications that might be overlooked. By integrating OSINT with leaked credential analysis, you can uncover assets such as SaaS instances and CI/CD platforms. Below are key tools and techniques:

Top OSINT Tools and Techniques

  • Subfinder: Discovers subdomains (e.g., admin.target.com, jira.target.atlassian.net).
  • Fofa: Searches for exposed services like Jira and GitLab. Example query: domain="atlassian.net".
  • Shodan: Scans for exposed devices. Use terms like http.title:"Jira".
  • Amass: Maps subdomains and identifies exposed services like ci.target.com.
  • ffuf / GoBuster: Invaluable for brute-forcing directories (e.g., /login, /admin) to find hidden portals.

Redirection to Microsoft for Authorization

In some cases, SaaS services are configured to redirect users to Microsoft for authentication through Azure AD. This adds an extra layer of complexity but can be a strong indicator of other accessible login endpoints that bypass the standard Microsoft flow.

Key Points: When encountering such redirection, look for alternate paths and login pages that might not be protected by SSO. Use ffuf and GoBuster to enumerate directories like /login.do, /auth, and /user.

ffuf -u https://company.atlassian.net/FUZZ -w /path/to/wordlist.txt -mc 200,302
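
For the team that owns the tenant, the same observation becomes an SSO-enforcement check: every login path should end at the identity provider. The added example below (not from the original post) classifies recorded responses for the paths named above, following same-site redirects; the response records are constructed sample data and the function names are hypothetical.

```python
from urllib.parse import urlsplit

# Sign-in host of the Microsoft identity platform (Azure AD).
IDP_HOSTS = {"login.microsoftonline.com"}
REDIRECTS = {301, 302, 303, 307, 308}

# Constructed sample: path -> (HTTP status, Location header) as recorded
# while auditing one's own tenant. Values are illustrative only.
SAMPLE_RESPONSES = {
    "/login": (302, "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"),
    "/auth": (302, "/login"),
    "/login.do": (200, None),
    "/user": (404, None),
    "/legacy": (302, "/login.do"),
}

def classify(path, responses, _seen=None):
    """Return how a login path is protected, following same-site redirects."""
    seen = _seen or set()
    if path in seen or path not in responses:
        return "unknown"            # redirect loop or a hop that was never recorded
    seen.add(path)
    status, location = responses[path]
    if status in REDIRECTS and location:
        target = urlsplit(location)
        # Compare the parsed hostname, not a substring of the URL.
        if target.hostname in IDP_HOSTS:
            return "sso-enforced"
        if not target.netloc:       # relative redirect: judge it by where it lands
            return classify(target.path, responses, seen)
        return "external-redirect"
    if status == 200:
        # The application answered by itself; confirm whether it accepts passwords.
        return "local-login"
    return "absent" if status in (404, 410) else "review"

def findings(responses):
    """Paths that do not provably end at the identity provider."""
    ok = {"sso-enforced", "absent"}
    return sorted(p for p in responses if classify(p, responses) not in ok)

if __name__ == "__main__":
    for p in findings(SAMPLE_RESPONSES):
        print(p, classify(p, SAMPLE_RESPONSES))
```

Paths reported by `findings` are the ones to put behind SSO or disable, since a password taken from a stealer log is only usable where a local login form still answers.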

Examples of High-Value SaaS Panels and CI/CD Tools

Below are examples of SaaS platforms and CI/CD tools that bug bounty hunters should target. These tools often contain critical data and are commonly found on subdomains.

SaaS Panels
  • Jira: Exposes project management data.
  • Confluence: Reveals internal documentation.
  • ServiceNow: Service management info.
  • Salesforce: Customer data and CRM records.
  • Bitbucket: Source code and configs.
  • Slack: Team communication.

CI/CD Pipeline Tools
  • Jenkins: Build and deployment configs.
  • GitLab CI/CD: Automated build deployment.
  • TeamCity: Sensitive configurations.
  • Travis CI: Check for environment variables.
  • CircleCI: Pipeline secrets.
  • Azure DevOps: Comprehensive code management.

Whiteintel Example Results for Bitbucket
Figure 2: Identifying SaaS instances via Whiteintel search

Identifying SaaS Instances and Hidden Login Pages

To maximize your findings, enumerate paths using tools like ffuf to scan for login endpoints. If initial subdomain enumeration yields no results, directly enumerate subdomains for popular SaaS domains (e.g., subfinder -d atlassian.net) and grep for your target's name.


Add a little bit of Sauce - Search with Whiteintel

Whiteintel.io provides powerful search capabilities that allow you to search by domain names, subdomain names, and email addresses. With our advanced search filters, you can quickly identify affected SaaS credentials related to your bug bounty target.

Whiteintel Affected URLs Page
Figure 3: Searching for notable compromised URLs
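
An added example (not Whiteintel's code or export format) of how a defender can triage exposure records like these into a credential-rotation list, grouped by the SaaS and CI/CD asset classes listed earlier. The records, the organisation name `company` and the domain `company.example` are constructed, and the (URL, login) record layout is an assumption.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Vendor suffix -> asset class (a subset of the SaaS and CI/CD lists on this page).
SAAS_SUFFIXES = {
    "atlassian.net": "Jira/Confluence",
    "service-now.com": "ServiceNow",
    "salesforce.com": "Salesforce",
    "bitbucket.org": "Bitbucket",
    "slack.com": "Slack",
    "gitlab.com": "GitLab CI/CD",
    "circleci.com": "CircleCI",
    "dev.azure.com": "Azure DevOps",
}
# First hostname label -> asset class for self-hosted tools (assumed naming).
SELF_HOSTED = {"jenkins": "Jenkins", "teamcity": "TeamCity", "gitlab": "GitLab CI/CD"}

# Constructed records: (URL, login). Passwords are deliberately not carried;
# triage and rotation do not need the secret itself.
SAMPLE_RECORDS = [
    ("https://company.atlassian.net/login.do", "alice@company.example"),
    ("https://bitbucket.org/account/signin/", "bob@company.example"),
    ("https://jenkins.company.example/login", "svc-build"),
    ("https://othercorp.atlassian.net/login", "carol@mail.example"),
    ("https://company.slack.com/", "alice@company.example"),
    ("https://mail.company.example/owa", "bob@company.example"),
]

def asset_class(host, login, org_name, org_domain):
    """Map one record to an asset class, or None if it is not the organisation's."""
    labels = host.split(".")
    for suffix, name in SAAS_SUFFIXES.items():
        if host == suffix or host.endswith("." + suffix):
            # Ours if the tenant label or the login's mail domain matches.
            ours = org_name in labels or login.lower().endswith("@" + org_domain)
            return name if ours else None
    if host == org_domain or host.endswith("." + org_domain):
        return SELF_HOSTED.get(labels[0], "Other corporate app")
    return None

def rotation_plan(records, org_name, org_domain):
    """Group affected logins by asset class for password and session resets."""
    plan = defaultdict(set)
    for url, login in records:
        host = (urlsplit(url).hostname or "").lower()
        cls = asset_class(host, login, org_name, org_domain)
        if cls:
            plan[cls].add(login)
    return {cls: sorted(logins) for cls, logins in plan.items()}
```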

Sample Report Template for Submission

Title: [Unauthorized Access to [SaaS/CI/CD Panel] for [Target Name]]

Summary: A vulnerability was discovered on [e.g., jira.company.atlassian.net] using leaked credentials and OSINT tools...

Details:

  • Asset Type: [e.g., Jira panel]
  • Discovery Method: Leaked credentials + OSINT
  • Login Endpoints: [e.g., /login.do]

Steps to Reproduce:

  1. Access the target URL.
  2. Log in using verified credentials [following ethical guidelines].
  3. Note the presence of sensitive data.

How Whiteintel Helps Bug Bounty Researchers

Whiteintel is committed to empowering bug bounty researchers. Our newly launched Researcher License is tailored specifically for verified bug bounty hunters, offering exclusive access to extensive breach data, advanced search features, and real-time updates.

The Researcher License enables hunters to deepen their investigations, save valuable time, and submit high-impact reports by validating unauthorized access to systems using responsible methods.

To learn more about the Researcher License, contact us via the form at whiteintel.io.
