The bug I am going to present is a story of how being quick to react to program updates might land you bounties more easily than you think.
The Program Update that started it all
I was browsing Bug Bounty Programs when I saw this update in the Activity feed:

As you can see, the program spotlighted the subdomain cas.redacted.com, which is an application intended for internal use only. This gives us a special opportunity, as some bugs might go up in severity or be eligible for bonuses.
The Bug I had in mind
Considering this was an Internal Only Application, intended for the target's crew members, I figured the most impactful thing I could do was to bypass the login process to get access to it.
Also, if I was not logged in, I couldn't test for many things, anyway.
This made me think that the easiest way to bypass the authentication and gain access to the Crew Accreditation System was via Credential Stuffing!
In short, to test for Credential Stuffing, you need to use credentials that were previously leaked in Data Breaches to try to log in.
Credentials might end up in Data Breaches for various reasons, such as Malware or compromised servers. This gives us the opportunity to use them to bypass login forms on some Bug Bounty programs or Pentesting targets!
This vulnerability class is often overlooked but surprisingly impactful!
Hunting
In order to get access to these Leaked Credentials, you need to use a service that aggregates these leaks for you. My favorite is BreachCollection, as it combines a very big database with fair pricing. However, any good Data Breach Search Engine should be enough for the job (I wrote an article presenting the different options).
Making a "Domain" query (which means we are looking for all the credentials that log us into a domain) with our target on BreachCollection, we find thousands of credentials, but we still need to filter them so that they come from the subdomain we want (cas.{redacted.com}).


As you can see, we have found results for the Desired Subdomain.
Having gathered the credentials that belonged to the desired subdomain, it was now time to test them.
I found a working set of credentials, which meant that I had access to the employee-only system!

I reported this bug and started searching for IDORs and CSRFs. However, the target was well protected on these fronts, so there was not much more I could do.
I noticed that there was also a CORS Misconfiguration, where the server returned the following headers:
Access-Control-Allow-Origin: https://evil.com
Access-Control-Allow-Credentials: true
Unfortunately, this issue was not exploitable, as the target had good CSRF protections.
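For whoever maintains such a server, here is the reflecting pattern that produces the two headers above next to an exact-match allow-list. This is an added example, not code from the target or from this write-up; ALLOWED_ORIGINS, the example.com hosts and both function names are assumptions made for illustration.

```javascript
// Added example: choosing CORS response headers for a credentialed endpoint.
// ALLOWED_ORIGINS and the example.com hosts are constructed placeholders.
const ALLOWED_ORIGINS = new Set([
  "https://cas.example.com",
  "https://portal.example.com",
]);

// Weak pattern: echoes whatever Origin the browser sent and allows
// credentials, so any site can read authenticated responses.
function reflectingCorsHeaders(requestOrigin) {
  if (!requestOrigin) return {};
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Corrected pattern: parse the Origin, require an exact match against the
// allow-list, and otherwise send no Access-Control-* headers at all.
function allowListCorsHeaders(requestOrigin) {
  // Vary: Origin keeps caches from serving one origin's answer to another.
  const deny = { Vary: "Origin" };
  if (typeof requestOrigin !== "string") return deny;
  let parsed;
  try {
    parsed = new URL(requestOrigin);
  } catch {
    return deny; // "null", empty or malformed Origin values
  }
  // Comparing the serialized origin (scheme + host + port) rejects
  // look-alikes such as https://cas.example.com.evil.com, which a
  // startsWith/endsWith/regex check can let through.
  if (parsed.origin !== requestOrigin || !ALLOWED_ORIGINS.has(parsed.origin)) {
    return deny;
  }
  return {
    "Access-Control-Allow-Origin": parsed.origin,
    "Access-Control-Allow-Credentials": "true",
    Vary: "Origin",
  };
}
```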
I was still awarded a Very Generous Bonus from the Program Team, so the small amount of time I put into searching for this bug paid massive dividends!

To finish it off, I added this target to my list of assets to be continuously monitored on BreachCollection, so I receive an email notification whenever new credentials for it appear in a Data Breach.

Conclusion
As you can see, paying close attention to program updates is always a good idea. On platforms like Intigriti, this is quite easy to do, as you have an Activity tab on your Dashboard, which compiles all the program updates.
Also, if you are interested in bypassing Login Panels via Credential Stuffing, which is one of my favorite bugs, you can read this article that I wrote.
Reports of this nature can lead to high rewards, especially if you find credentials to an admin or employee-only panel like I did, which could critically compromise a company's security.