Significant portion of crucial data and documents is now stored online as the paper documents are becoming less popular. There are many stories coming every day with detailed information about the leakage of sensitive corporate documents. These documents, originally intended for internal use by employees, investors, or for managing internal business affairs, run the risk of unauthorized disclosure if adequate precautions are not taken. Mistakes can occur quite easily, especially within large companies with thousands of employees, where the sheer volume of personnel makes it challenging to ensure that errors won’t happen. For us bounty hunters, it could be a true gold mine, since those documents could contain some PII or any other sensitive data! In this article, I will cover my own approach, how it is possible to massively hunt for leaked sensitive documents.

As far as we know, there is no correct way to hack. You could also target only one or just a few programs at once in order to find sensitive docs’ leakage. It really depends on case by case and on your hacking style. For this particular example, I will show how I’ve made pretty decent bounties by hunting for leaked documents for all programs at once! To have a list of domains to target on, I usually combine multiple techniques. It does require a bit of manual work, but eventually this work should pay off.

As I mentioned on Mass Hunting S3 Buckets article, I have the one-liner (a bit modified for this case) to collect target domains from project discovery’s public bug bounty programs repo:

curl -s https://raw.githubusercontent.com/projectdiscovery/public-bugbounty-programs/main/chaos-bugbounty-list.json | jq ".[][] | select(.bounty==true) | .domains[]" -r > targets.txt

This bash one-liner will curl a public bug bounty program list, filter programs which include bounty, select only domains from parameters and saves the output into targets.txt file. We will use this file later for our hunt.