DEV Community

Appsec

The Easiest Bug Bounty you’ll ever get (2025)

There are several vulnerability classes that are quite easy to understand, and some are straightforward to hunt. However, these kinds of vulnerabilities tend to be closed as Duplicates, because lots of hunters are looking for them.

The vulnerability I’ll discuss today is an exception. It is relatively easy to identify, has a high success rate, and I have never seen it closed as a duplicate (which emphasizes how overlooked this bug is). I have reported bugs like this recently and was rewarded quite well. The process is efficient too: from 10 minutes to an hour per target.

I am also going to share a tool that makes this even easier.

So, which bug is it?
Credential Stuffing. This is a growing threat in the cybersecurity landscape, and it consists of using leaked credentials to log in to a web application. This vulnerability class is often overlooked but surprisingly impactful.

Credentials may end up in data breaches for several reasons: infostealer malware, compromised databases, and so on.

If done right, reporting these problems can genuinely help a company improve its web security. It is quite straightforward, as I am going to demonstrate.

How to get access to leaked credentials?

Well, there are several alternatives, but one stands out to me. BreachCollection is an advanced Data Leak Search Engine. You can use it to find credentials associated with a company, with an email, or credentials used to log in on a domain.

Alternatives to this website include, for example, Leakcheck.io, CheckLeaked.cc, etc. The downside of these websites is that they charge a very hefty price for an “Enterprise” plan in order to search for credentials associated with a company, which are precisely the credentials we are looking for.

On BreachCollection.com, every plan allows you to search for these credentials, making it the ideal choice for this particular use case.

Alternatively, you can build your own database of leaked credentials; however, that is a very time-consuming undertaking, and also somewhat dangerous.

The Hunting Methodology

After logging in to BreachCollection, there is a search box on the dashboard with a selector for the query type.

First, set the query type to “Email Domain” and enter the domain of the target company (an example query could be “example.com”). This returns all leaked credentials, across various login portals, whose email addresses belong to that company. Now it’s just a matter of testing them, if you have permission to do so.

You can test them manually, or use Burp Suite’s Intruder to automate the attempts. Automating is worthwhile when there are many credentials and the login request is easy to modify, but either way the process is quite easy.

At this point, you have probably found quite a few credentials that work. Next, run the same query, but select “Domain” as the query type. Focus on login pages made for internal use or employees, as these generally have the most impact. After trying those credentials, you should have a pretty good list of working credentials, and you are ready to report them. Additionally, you can search for Personally Identifiable Information (PII) leaks on BreachCollection; however, I did not find this feature particularly useful for bug bounties.
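From the defending side, the activity described in the methodology above (one source trying many leaked email/password pairs, roughly one attempt per account, against a login portal) leaves a recognisable trace in authentication logs. The following detection script is an added example and not part of the original post; the log format, the thresholds and every sample line are constructed for illustration. It separates the stuffing signature (many distinct accounts per source, high failure ratio) from classic brute force (many attempts on one account) and lists the accounts that were successfully logged into during a flagged burst, which are the ones a defender should force a password reset and session revocation on.

```python
"""Detect credential-stuffing bursts in web login logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample data for this example, not real traffic.
# One event per line: <ISO-8601 UTC timestamp> <source IP> <account> <SUCCESS|FAIL>
SAMPLE_LOG = """\
2025-03-01T10:00:01Z 203.0.113.7 alice@example.com FAIL
2025-03-01T10:00:02Z 203.0.113.7 bob@example.com FAIL
2025-03-01T10:00:03Z 203.0.113.7 carol@example.com SUCCESS
2025-03-01T10:00:04Z 203.0.113.7 dave@example.com FAIL
2025-03-01T10:00:05Z 203.0.113.7 erin@example.com FAIL
2025-03-01T10:00:06Z 203.0.113.7 frank@example.com FAIL
2025-03-01T10:00:07Z 203.0.113.7 grace@example.com SUCCESS
2025-03-01T10:00:08Z 203.0.113.7 heidi@example.com FAIL
2025-03-01T10:00:09Z 203.0.113.7 ivan@example.com FAIL
2025-03-01T10:00:10Z 203.0.113.7 judy@example.com FAIL
2025-03-01T10:01:00Z 198.51.100.20 alice@example.com FAIL
2025-03-01T10:01:30Z 198.51.100.20 alice@example.com SUCCESS
2025-03-01T10:02:00Z 192.0.2.33 bob@example.com SUCCESS
2025-03-01T11:30:00Z 198.51.100.20 mallory@example.com FAIL
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (SUCCESS|FAIL)$")


def parse_log(text):
    """Parse log text into (timestamp, source_ip, account, result) tuples.
    Malformed lines are skipped rather than aborting the whole run."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_accounts=5, min_fail_ratio=0.5):
    """Flag source IPs that, within a sliding `window`, attempt at least
    `min_accounts` distinct accounts with a failure ratio >= `min_fail_ratio`.
    Thresholds are illustrative; tune them to the application's real traffic.
    Many accounts with about one attempt each is the stuffing signature; many
    attempts against a single account (brute force) deliberately does not match."""
    by_ip = defaultdict(list)
    for ev in sorted(events):  # sorted by timestamp first
        by_ip[ev[1]].append(ev)

    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits within `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            accounts = {e[2] for e in win}
            fails = sum(1 for e in win if e[3] == "FAIL")
            ratio = fails / len(win)
            if len(accounts) >= min_accounts and ratio >= min_fail_ratio:
                prev = alerts.get(ip)
                # Keep the widest observation per source IP.
                if prev is None or len(accounts) > prev["distinct_accounts"]:
                    alerts[ip] = {
                        "distinct_accounts": len(accounts),
                        "attempts": len(win),
                        "fail_ratio": round(ratio, 2),
                        # Accounts logged into during the burst: reset + revoke sessions.
                        "compromised_accounts": sorted(e[2] for e in win if e[3] == "SUCCESS"),
                    }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT {ip}: {info}")
```

In the constructed sample, 203.0.113.7 walks ten different accounts in ten seconds with two successes, so it is flagged with carol and grace listed as compromised; 198.51.100.20 retries a single account and is left alone, which is what keeps the rule from firing on ordinary password-reset fumbling.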

Conclusion
Reports of this nature can lead to high rewards, especially if you find working credentials for an admin panel, which could critically compromise a company’s security.

Some companies prefer that such reports be categorized with severity None (as the issue is not inherent to the product), but do not worry: bonuses are very commonly paid, making this a great source of income.

Companies’ awareness of this bug class is growing, as it is a relatively new security issue.

You can register for free on BreachCollection and make queries; however, results are censored for non-premium users.

Let me know in the comments your experience hunting this bug!

Disclaimer: Please check the rules of the program and platform that you are hunting on. Reports containing credentials from employees are generally welcome. User/Client credentials generate slightly more mixed reactions. Also, make sure to do this ethically, and respect everyone’s privacy. If you do this whole process in good faith, companies will generally reward you (with either a bug-bounty or monetary bonus). Unauthorized use of credentials — even leaked ones — may violate laws like the CFAA or GDPR. Only test under programs that allow it.
